Dear Listers,
Dear Brian,
Thanks for your detailed insights. I have added my comments on some of them to trigger further discussion with all of us listers i.e.:
Public Awareness:
There is definitely an urgent need to enhance public cognizance of the provisions and reach of the CMCA. To this end, how best can we achieve this, i.e.:
1. What strategies can be employed by both the government and private sector to effectively educate the Kenyan public on the specific activities that are considered cybercrimes under the Computer Misuse and Cybercrimes Act, and the penalties associated with these offenses?
2. How can community-based organizations, schools, and mental health advocates collaborate to address the rise in cyberbullying and its severe consequences, such as mental health issues and suicide, by leveraging the provisions of the Computer Misuse and Cybercrimes Act?
3. What role can social media platforms and influencers play in promoting awareness and understanding of Kenya's cybercrimes legislation, and how can this be done in a way that deters nefarious activities like cyber hacktivism, while fostering responsible online behavior?
Impact on privacy rights:
The two sections you have quoted for ease of reference of all listers are in the:
First instance S. 53 on the interception of content data; and in the
Second instance S. 48 on search and seizure of stored computer data.
As regards S. 53 you noted that the CMCA grants law enforcement broad powers to monitor and intercept communications, which could infringe on citizens' privacy rights. However, if you read the section in its entirety in subsection (2) it states the conditions to be met whilst making the application of such an order, and goes on in subsection (3) to clarify that courts can't grant such orders until the aforementioned conditions are met.
S.53 goes on at subsection (4) to set a time limit for which such an order can be applicable and then goes on at subsection (5) to enumerate the conditions for extension of such a period.
In cyberspace, the real-time collection of electronic evidence in accordance with all legal due processes is crucial because digital trails can quickly vanish, and attributing cybercrimes remains a significant challenge. However, when conducted within the bounds of legal protocols, this process should not infringe on privacy rights as enshrined in the Constitution, as it ensures that evidence is gathered with respect for individual freedoms, under judicial oversight, and with clear, justified cause.
Which brings me to my question as regards S.53 ... can you and/or the Listers enumerate specific ways you feel these privacy rights can be better secured?
As regards S.48 you noted that the ‘may’ in this section implies that it is optional for the officers to seek a court order or warrant. This interpretation is erroneous as search and seizure warrants are issued based on probable cause (the may), meaning there is a reasonable belief that evidence of a crime will be found, rather than absolute certainty, to prevent the destruction or concealment of crucial evidence. Section 48 enumerates the specific grounds under which courts of competent jurisdiction can issue those orders.
Which brings me to my question as regards S.48 ... can you and/or the Listers enumerate specific ways you feel these grounds for granting such order can be better enhanced or do they suffice?
Albeit I am not privy to the full particulars of the Gen Z specific cases, if the law enforcement officers acted contrary to the law as alleged, then it's not because the law permitted them to act in such a manner. But that's a whole other conversation - smile!
Restriction of Freedom of Expression:
Section 22 pertains to false publication, and was one of the sections the Bloggers Association & others had contested as regards CMCA and whose petition the courts dismissed in Feb 2020.
The Kenyan Constitution grants us the right to freedom of expression but limits this where it can negatively impact others, and/or put them in a position of danger as enumerated in Section 24 of the Constitution which is quoted in subsection (2) of S.22. As such it is arguable that the definition, which you state is broad, is indeed grounded in the Mother of All Kenyan Laws … The 2010 Constitution.
Nevertheless, how do you and/or other Listers think we can better enhance this section 22, with specific examples of how to?
Impact on Businesses and Individuals:
Cybersecurity, while a substantial financial outlay, is an indispensable investment safeguarding both socioeconomic prosperity and national security, necessitating a prioritization of the broader societal benefits over the immediate costs of compliance when formulating relevant legislation.
If cybercrime were a country it would be the world's third largest economy after the US & China. A couple of years ago an Interpol report noted that cybercrime cost Africa over USD 4 Billion, which is more than the GDP of 12 African nations and for some of them double their GDP. Kenya experiences the second highest cyber attacks on the African continent. So it's imperative we prioritize our cybersecurity posture and public awareness which, yes, is costly.
But you're spot on, without financial or technical assistance, the burden of compliance may hinder the ability of smaller organizations to meet these stringent requirements, potentially leading to penalties or even forcing some out of business.
What are possible solutions:
The government could consider implementing support mechanisms, such as grants, subsidies, or public-private partnerships, to help alleviate the financial strain on smaller organizations. This would promote a more equitable landscape, ensuring that all critical infrastructure, regardless of the size of the organization, can meet the necessary cybersecurity standards without undue hardship.
Another approach could involve scaling the requirements based on the size or capacity of the organization, allowing smaller entities to comply at a level that is both manageable and effective.
I would love to hear your and other listers' suggestions as regards possible solutions so that we can effectively but more affordably secure our nation's cyberspace.
Conduciveness to Technological Advancement:
In your response you noted “that some sections of the CMCA might inadvertently stifle innovation by imposing regulations that are difficult for innovators or small organizations to navigate.” Can you please list the sections you deem contentious for clarity of all of us listers? This will also enable us all to better understand why you think they have a potential for arbitrary enforcement, which will also create uncertainty for innovators.
You further stated that “The act does not mention anything on responsible disclosure that innovators and researchers may lean on when identifying potential issues that can be responsibly disclosed and as a result strengthen the security systems and infrastructure that may be exposed.” Can you please suggest what type of disclosures you think would better enhance the CMCA?
Stay happy,
Mutheu.
On Thu, Aug 15, 2024 at 5:34 PM Brian Nyali via KICTANet <kictanet@lists.kictanet.or.ke> wrote:
Dear David,
Please find my detailed response below:
Section 1:
Effectiveness in Preventing and Prosecuting Cybercrime
· Partially – The CMCA shows that the country has taken a step to put in place laws that criminalize cybercrime and allow prosecution of the same. It is dismally effective as a deterrent and as far as prosecution is concerned, I have yet to see effectiveness as it has mostly focused on social media-related issues on harassment and fake news, for other crimes the cases seem to be stuck in court for years which hardly makes it effective as a deterrent.
Provisions Hindering Effective Prosecution:
· Law enforcement at various stations in the country also need to be effectively trained on how to handle cybercrime-related incidents when individuals show up at police stations to either report or seek advice from the officers.
Public Awareness:
· Public Awareness is poorly done regarding the CMCA, a clear indication of this is on social media platforms where users have been subject to bullying, and others have called for the hacking of platforms all of which are crimes in the CMCA. The people don’t know what protections the CMCA offers.
Section 2:
Impact on Privacy Rights:
- The CMCA grants law enforcement broad powers to monitor and intercept communications, which could infringe on citizens' privacy rights. It states that “Where a police officer or an authorised person has reasonable grounds to believe that the content of any specifically identified electronic communications is required for the purposes of a specific investigation in respect of an offence, the police officer or authorised person may apply to the court for an order” and in another section “Where a police officer or an authorised person has reasonable grounds to believe that there may be in a specified computer system or part of it, computer data storage medium, program, data, that— (a) is reasonably required for the purpose of a criminal investigation or criminal proceedings which may be material as evidence; or (b) has been acquired by a person as a result of the commission of an offence, the police officer or the authorised person may apply to the court for issue of a warrant to enter any premises to access, search and similarly seize such data.” The ‘may’ in these sections implies that it is optional for the officers to seek a court order or warrant.
- During the recent “Gen Z” protests, some of the arrested people had their devices confiscated for ‘further analysis’ despite being released unconditionally. In my understanding, police should be required to provide a clear and specific explanation for the arrest and the reasons for seizing a person’s device. This explanation should be given in writing and should include the alleged crime and the connection of the device to the investigation if not a court order for the seizure.
Restriction of Freedom of Expression:
- Section 22 focuses on false publication in terms of “false”, “misleading” or “fictitious” information; this should not be abused to deter people from expressing themselves by publishing information in the form of opinions or satire. The broad definition of "false publications" under the CMCA has seemingly been used by the government and politicians to silence bloggers, journalists and social media users on various platforms.
Section 5:
Impact on Businesses and Individuals:
· Impact on Businesses in Terms of Cybersecurity Practices and Investments- The CMCA’s requirements for critical information infrastructure are extensive such as the protection of, the storing of and archiving of data held by the critical information infrastructure; (c) cyber security incident management by the critical information infrastructure; (d) disaster contingency and recovery measures, which must be put in place by the critical information infrastructure; (e) minimum physical and technical security measures that must be implemented in order to protect the critical information infrastructure;
Such requirements although necessary can be deemed as unfair since there are significant costs for compliance, such as hiring skilled personnel, training, purchasing equipment, storage, and securing licenses among others. The Act mandates stringent measures, but without providing financial or technical support, this places a disproportionate burden on organizations, especially smaller ones.
Section 6:
Analysis of the Effectiveness of the CMCA in Embracing Emerging Technologies and the Associated Cyberthreats
Conduciveness to Technological Advancement:
Some sections of the CMCA might inadvertently stifle innovation by imposing regulations that are difficult for innovators or small organizations to navigate. The potential for arbitrary enforcement also creates uncertainty for innovators.
· The act does not mention anything on responsible disclosure that innovators and researchers may lean on when identifying potential issues that can be responsibly disclosed and as a result strengthen the security systems and infrastructure that may be exposed.
· The CMCA allows the government to declare certain infrastructure as critical, with heavy regulatory requirements for cybersecurity, data protection, and incident management. While necessary, the lack of financial or technical support makes it difficult for smaller outfits to comply. High compliance costs and stringent requirements could deter new entrants or smaller firms from innovating in certain sectors or causing disruption in others lest they are deemed as critical infrastructure, potentially leading to reduced competition and innovation.
Addressing Emerging Technologies (AI, Blockchain, IoT, Quantum Computing, Cryptocurrency):
- The CMCA does not specifically address newer technologies like AI, blockchain, IoT, quantum computing, or cryptocurrency, leaving regulatory grey areas that could be exploited.
Section 7: General Questions
Legal Uncertainties or Ambiguities in the Act:
- The word "may" implies that obtaining a court order or warrant is optional rather than mandatory. This leaves room for interpretation, which could lead to inconsistent enforcement. Some officers might proceed without a court order, while others might seek one, creating uncertainty for individuals and organizations about their rights and protections.
Capacity-Building Needs of Law Enforcement and Judiciary:
- Establish comprehensive training programs on digital forensics, cybercrime investigation, and evidence preservation. This could include mandatory courses for officers, specialized cybercrime units, and collaboration with cybersecurity experts.
- Increase recruitment and training of officers specifically for those handling cybercrime-related cases. Allocate resources to ensure that these units are adequately staffed and equipped to handle the growing number of cases.
- Consider the creation of a specialized cybercrime court to handle all cyber-related cases. Provide continuous training for judges and legal practitioners in this court to keep up with evolving technologies and cyber threats.
Robustness of Kenya’s Cybersecurity Infrastructure:
- Granted there have been significant improvements in Kenya’s cybersecurity posture, but the current state of Government and parastatal technology, resilience and infrastructure is significantly under-equipped and unable to address the challenges posed by rapidly advancing technologies and techniques in play by malicious actors.
Kind regards,
Brian M. Nyali.
On Thu, 15 Aug 2024 at 08:41, David Indeje via KICTANet <kictanet@lists.kictanet.or.ke> wrote:
Dear Listers,
Day 3:
The CMCA has profound implications for businesses, individuals, and the digital economy in Kenya. Its effectiveness in balancing innovation with cybersecurity, addressing emerging technologies, and protecting individual rights is a subject of ongoing debate. Today, we encourage discussion on the challenges and opportunities presented by the CMCA and explore potential solutions to enhance its effectiveness in shaping a secure and vibrant digital future for Kenya.
Section 5: Impact on Businesses and Individuals.
- How has the CMCA impacted businesses in Kenya in terms of cybersecurity practices and investments?
- Do you believe the CMCA adequately protects the rights of individuals in the digital space?
- Have there been any unintended consequences of the CMCA on businesses or individuals?
- How has the CMCA affected the digital economy in Kenya?
Section 6: An analysis of the effectiveness of the CMCA to embrace emerging technologies and the cyberthreats they pose therein.
- How does the CMCA balance the need for innovation with cybersecurity?
- Does the Act create an environment conducive to technological advancement or are there any provisions that stifle innovation?
- How well does the CMCA address emerging technologies such as artificial intelligence, blockchain, Internet of Things (IoT), quantum computing and cryptocurrency? What can be done to enhance its ability to address these lacunas (if any)?
- How can the legal framework provided by the CMCA be enhanced to regulate the use of emerging technologies, while protecting individual digital rights?
Section 7: General Questions.
- Are there any legal uncertainties or ambiguities in the Act that hinder its effectiveness?
- What are the capacity-building needs of law enforcement and the judiciary in addressing cybercrimes related to emerging technologies?
- Is the country’s cybersecurity infrastructure sufficiently robust to address the challenges posed by emerging technologies?
- Any other relevant comment that you may wish to include as regards the CMCA?
--
Kind Regards,
+254 (0) 711 385 945 | +254 (0) 734 024 856
KICTANet mailing list -- kictanet@lists.kictanet.or.ke
To unsubscribe send an email to kictanet-leave@lists.kictanet.or.ke
Unsubscribe or change your options at: https://mm3-lists.kictanet.or.ke/mm/lists/kictanet.lists.kictanet.or.ke/
Mailing List Posts Online: https://posts.kictanet.or.ke/
Twitter: https://twitter.com/KICTANet/
Facebook: https://www.facebook.com/KICTANet/
Instagram: https://www.instagram.com/KICTANet/
LinkedIn: https://www.linkedin.com/company/kictanet/
YouTube: https://www.youtube.com/channel/UCbcLVjnPtTGBEeYLGUb2Yow/
WhatsApp Channel: https://whatsapp.com/channel/0029VaQsX4w6mYPIctLsGh1K
KICTANet is a multi-stakeholder Think Tank for people and institutions interested and involved in ICT policy and regulation.
KICTANet is a catalyst for reform in the Information and Communication Technology sector. Its work is guided by four pillars
of Policy Advocacy, Capacity Building, Research, and Stakeholder Engagement.
KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's
times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your
wares or qualifications.
PRIVACY POLICY: See https://mm3-lists.kictanet.or.ke/mm/lists/kictanet.lists.kictanet.or.ke/
KICTANet - The Power of Communities, is Kenya's premier ICT policy engagement platform.