Re: Discussion: Shaping Kenya's Cybersecurity Ecosystem
Dear Listers,
*Day 3:*
The CMCA has profound implications for businesses, individuals, and the digital economy in Kenya. Its effectiveness in balancing innovation with cybersecurity, addressing emerging technologies, and protecting individual rights is a subject of ongoing debate. Today, we encourage discussion on the challenges and opportunities presented by the CMCA and explore potential solutions to enhance its effectiveness in shaping a secure and vibrant digital future for Kenya.
*Section 5: Impact on Businesses and Individuals.*
1. How has the CMCA impacted businesses in Kenya in terms of cybersecurity practices and investments?
2. Do you believe the CMCA adequately protects the rights of individuals in the digital space?
3. Have there been any unintended consequences of the CMCA on businesses or individuals?
4. How has the CMCA affected the digital economy in Kenya?
*Section 6: An analysis of the effectiveness of the CMCA to embrace emerging technologies and the cyberthreats they pose therein.*
1. How does the CMCA balance the need for innovation with cybersecurity?
2. Does the Act create an environment conducive to technological advancement or are there any provisions that stifle innovation?
3. How well does the CMCA address emerging technologies such as artificial intelligence, blockchain, Internet of Things (IoT), quantum computing and cryptocurrency? What can be done to enhance its ability to address these lacunas (if any).
4. How can the legal framework provided by the CMCA be enhanced to regulate the use of emerging technologies, while protecting individual digital rights?
*Section 7: General Questions.*
1. Are there any legal uncertainties or ambiguities in the Act that hinder its effectiveness?
2. What are the capacity-building needs of law enforcement and the judiciary in addressing cybercrimes related to emerging technologies?
3. Is the country’s cybersecurity infrastructure sufficiently robust to address the challenges posed by emerging technologies?
4. Any other relevant comment that you may wish to include as regards the CMCA?
-- *Kind Regards,*
*David Indeje*
*@KICTANet* <https://www.kictanet.or.ke/> *Communications*
+254 (0) 711 385 945 | +254 (0) 734 024 856
KICTANet portals
Connect With Us <https://linktr.ee/Kictanet>
Dear David,
My responses inline:
On Thu, Aug 15, 2024 at 8:41 AM David Indeje via KICTANet <kictanet@lists.kictanet.or.ke> wrote:
Dear Listers,
*Day 3:*
The CMCA has profound implications for businesses, individuals, and the digital economy in Kenya. Its effectiveness in balancing innovation with cybersecurity, addressing emerging technologies, and protecting individual rights is a subject of ongoing debate. Today, we encourage discussion on the challenges and opportunities presented by the CMCA and explore potential solutions to enhance its effectiveness in shaping a secure and vibrant digital future for Kenya.
*Section 5: Impact on Businesses and Individuals.*
1. How has the CMCA impacted businesses in Kenya in terms of cybersecurity practices and investments?
*BO: CMCA has created more awareness on the rights and responsibilities of various actors (Companies and Individuals as they use Computers and Digital devices)*
2. Do you believe the CMCA adequately protects the rights of individuals in the digital space?
BO: CMCA is a good start, we can always improve on it.
3. Have there been any unintended consequences of the CMCA on businesses or individuals?
BO: Definitely. We have had a number of unsuccessful cases due to nascent Jurisprudence in the subsector, I believe we have an opportunity to close the gaps through discussions such as these. I also see an opportunity for more Capacity building at the Kenya School of Internet Governance.
4. How has the CMCA affected the digital economy in Kenya?
BO: It has contributed to reducing the trust deficit. I believe there is more awareness about Consequences of misusing digital devices which encourages more citizens to have confidence in the digital space.
*Section 6: An analysis of the effectiveness of the CMCA to embrace emerging technologies and the cyberthreats they pose therein.*
1. How does the CMCA balance the need for innovation with cybersecurity?
BO: Evolution of technology will always outpace policy development, consistent conversations among stakeholders contribute to the evolution of the CMCA and more awareness of actors not limited to the Judiciary about their roles and responsibilities.
2. Does the Act create an environment conducive to technological advancement or are there any provisions that stifle innovation?
BO: Nothing has come to my attention that shows that the act interferes with innovation, it has actually been a catalyst. People are now aware of Virtual Private Networks and other ways of masking their identity.
3. How well does the CMCA address emerging technologies such as artificial intelligence, blockchain, Internet of Things (IoT), quantum computing and cryptocurrency? What can be done to enhance its ability to address these lacunas (if any).
BO: CMCA was developed when some of these technologies were at nascent stages. That said, I think there is room to improve it once we reach a level of maturity in using the emergent technologies. Otherwise some of them might be replaced by better ideas.
4. How can the legal framework provided by the CMCA be enhanced to regulate the use of emerging technologies, while protecting individual digital rights?
BO: The legal framework can be enhanced by subjecting it to multistakeholder discussions such as these.
*Section 7: General Questions.*
1. Are there any legal uncertainties or ambiguities in the Act that hinder its effectiveness?
BO: The fact that very few cases have been prosecuted in a successful manner indicates that there are still gaps that need to be addressed.
2. What are the capacity-building needs of law enforcement and the judiciary in addressing cybercrimes related to emerging technologies?
BO: They need more awareness on Internet Governance. More specifically the Legal Basket as described by Diplo Foundation
3. Is the country’s cybersecurity infrastructure sufficiently robust to address the challenges posed by emerging technologies?
BO: Cyber Security requires an ecosystem approach. I believe the Infrastructure is Robust. We need to focus more on people and securing processes.
4. Any other relevant comment that you may wish to include as regards the CMCA?
_______________________________________________ KICTANet mailing list -- kictanet@lists.kictanet.or.ke To unsubscribe send an email to kictanet-leave@lists.kictanet.or.ke Unsubscribe or change your options at: https://mm3-lists.kictanet.or.ke/mm/lists/kictanet.lists.kictanet.or.ke/
Mailing List Posts Online: https://posts.kictanet.or.ke/
Twitter: https://twitter.com/KICTANet/ Facebook: https://www.facebook.com/KICTANet/ Instagram: https://www.instagram.com/KICTANet/ LinkedIn: https://www.linkedin.com/company/kictanet/ YouTube: https://www.youtube.com/channel/UCbcLVjnPtTGBEeYLGUb2Yow/ WhatsApp Channel: https://whatsapp.com/channel/0029VaQsX4w6mYPIctLsGh1K
KICTANet is a multi-stakeholder Think Tank for people and institutions interested and involved in ICT policy and regulation. KICTANet is a catalyst for reform in the Information and Communication Technology sector. Its work is guided by four pillars of Policy Advocacy, Capacity Building, Research, and Stakeholder Engagement.
KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.
PRIVACY POLICY: See https://mm3-lists.kictanet.or.ke/mm/lists/kictanet.lists.kictanet.or.ke/
KICTANet - The Power of Communities, is Kenya's premier ICT policy engagement platform.
-- Barrack O. Otieno +254721325277 +254733206359 Skype: barrack.otieno PGP ID: 0x2611D86A
Dear Barrack,
Thanks for your insights on the CMCA however, there is one I respectfully disagree with and that’s the one pertaining to incorporating emerging technologies in the CMCA. On this I believe we must adopt a forward-looking approach to effectively counter the rapidly evolving threat landscape. Waiting for technologies to mature before incorporating them into the legal framework is counterproductive as this will create a persistent legislative lag.
Instead, legislation should employ broad, adaptable definitions to encompass *“emerging technologies”*, such as *"any technology capable of storing, processing, transmitting, or manipulating data or information."* We can also define a *"computer system"* to include *"any device or network capable of storing, processing, or transmitting data"* as this will provide a flexible foundation to address novel technologies as they emerge.
In my opinion this flexible approach will empower law enforcement, lawyers and the judiciary to adapt to future technological advancements without requiring constant legislative updates, ensuring the law remains relevant and effective in countering emerging cyber threats.
Stay happy,
Mutheu.
On Thu, Aug 15, 2024 at 11:42 AM Barrack Otieno via KICTANet <kictanet@lists.kictanet.or.ke> wrote:
Dear David,
My responses inline:
On Thu, Aug 15, 2024 at 8:41 AM David Indeje via KICTANet < kictanet@lists.kictanet.or.ke> wrote:
Dear Listers,
*Day 3:*
The CMCA has profound implications for businesses, individuals, and the digital economy in Kenya. Its effectiveness in balancing innovation with cybersecurity, addressing emerging technologies, and protecting individual rights is a subject of ongoing debate. Today, we encourage discussion on the challenges and opportunities presented by the CMCA and explore potential solutions to enhance its effectiveness in shaping a secure and vibrant digital future for Kenya.
*Section 5: Impact on Businesses and Individuals.*
1. How has the CMCA impacted businesses in Kenya in terms of cybersecurity practices and investments?
*BO: CMCA has created more awareness on the rights and responsibilities of various actors (Companies and Individuals as they use Computers and Digital devices)*
2. Do you believe the CMCA adequately protects the rights of individuals in the digital space?
BO: CMCA is a good start, we can always improve on it.
3. Have there been any unintended consequences of the CMCA on businesses or individuals?
BO: Definitely. We have had a number of unsuccessful cases due to nascent Jurisprudence in the subsector, I believe we have an opportunity to close the gaps through discussions such as these. I also see an opportunity for more Capacity building at the Kenya School of Internet Governance.
4. How has the CMCA affected the digital economy in Kenya?
BO: It has contributed to reducing the trust deficit. I believe there is more awareness about Consequences of misusing digital devices which encourages more citizens to have confidence in the digital space.
*Section 6: An analysis of the effectiveness of the CMCA to embrace emerging technologies and the cyberthreats they pose therein.*
1. How does the CMCA balance the need for innovation with cybersecurity?
BO: Evolution of technology will always outpace policy development, consistent conversations among stakeholders contribute to the evolution of the CMCA and more awareness of actors not limited to the Judiciary about their roles and responsibilities.
2. Does the Act create an environment conducive to technological advancement or are there any provisions that stifle innovation?
BO: Nothing has come to my attention that shows that the act interferes with innovation, it has actually been a catalyst. People are now aware of Virtual Private Networks and other ways of masking their identity.
3. How well does the CMCA address emerging technologies such as artificial intelligence, blockchain, Internet of Things (IoT), quantum computing and cryptocurrency? What can be done to enhance its ability to address these lacunas (if any).
BO: CMCA was developed when some of these technologies were at nascent stages. That said, I think there is room to improve it once we reach a level of maturity in using the emergent technologies. Otherwise some of them might be replaced by better ideas.
4. How can the legal framework provided by the CMCA be enhanced to regulate the use of emerging technologies, while protecting individual digital rights?
BO: The legal framework can be enhanced by subjecting it to multistakeholder discussions such as these.
*Section 7: General Questions.*
1. Are there any legal uncertainties or ambiguities in the Act that hinder its effectiveness?
BO: The fact that very few cases have been prosecuted in a successful manner indicates that there are still gaps that need to be addressed.
2. What are the capacity-building needs of law enforcement and the judiciary in addressing cybercrimes related to emerging technologies?
BO: They need more awareness on Internet Governance. More specifically the Legal Basket as described by Diplo Foundation
3. Is the country’s cybersecurity infrastructure sufficiently robust to address the challenges posed by emerging technologies?
BO: Cyber Security requires an ecosystem approach. I believe the Infrastructure is Robust. We need to focus more on people and securing processes.
4. Any other relevant comment that you may wish to include as regards the CMCA?
Hi David
In my engagements with policy makers I emphasize the need for the government to intentionally identify relevant cybersecurity standards (either international, local or international ones that are localized) and then implement them within government and encourage the rest of the industry in the country to also adopt and implement. These standards are a good benchmark to define “secure” (though one must never accept reaching a standard as the end goal and not get complacent) and can be specific to certain areas (such as cloud, telcom networks, software etc) or be about certain processes and can be tested and certified against. This can grow the cybersecurity ecosystem (labs, certifiers, standards consultants etc) and support talent training and development as well.
Such standards may not need to be legally required necessarily, but this would be a discussion worth having.
Adam
From: David Indeje via KICTANet <kictanet@lists.kictanet.or.ke>
Sent: Thursday, 15 August 2024 08:38
To: Adam Lane <adam.lane@huawei.com>
Cc: David Indeje <dindeje@kictanet.or.ke>
Subject: [kictanet] Re: Discussion: Shaping Kenya's Cybersecurity Ecosystem
Dear Listers,
Day 3:
The CMCA has profound implications for businesses, individuals, and the digital economy in Kenya. Its effectiveness in balancing innovation with cybersecurity, addressing emerging technologies, and protecting individual rights is a subject of ongoing debate. Today, we encourage discussion on the challenges and opportunities presented by the CMCA and explore potential solutions to enhance its effectiveness in shaping a secure and vibrant digital future for Kenya.
Section 5: Impact on Businesses and Individuals.
1. How has the CMCA impacted businesses in Kenya in terms of cybersecurity practices and investments?
2. Do you believe the CMCA adequately protects the rights of individuals in the digital space?
3. Have there been any unintended consequences of the CMCA on businesses or individuals?
4. How has the CMCA affected the digital economy in Kenya?
Section 6: An analysis of the effectiveness of the CMCA to embrace emerging technologies and the cyberthreats they pose therein.
1. How does the CMCA balance the need for innovation with cybersecurity?
2. Does the Act create an environment conducive to technological advancement or are there any provisions that stifle innovation?
3. How well does the CMCA address emerging technologies such as artificial intelligence, blockchain, Internet of Things (IoT), quantum computing and cryptocurrency? What can be done to enhance its ability to address these lacunas (if any).
4. How can the legal framework provided by the CMCA be enhanced to regulate the use of emerging technologies, while protecting individual digital rights?
Section 7: General Questions.
1. Are there any legal uncertainties or ambiguities in the Act that hinder its effectiveness?
2. What are the capacity-building needs of law enforcement and the judiciary in addressing cybercrimes related to emerging technologies?
3. Is the country’s cybersecurity infrastructure sufficiently robust to address the challenges posed by emerging technologies?
4. Any other relevant comment that you may wish to include as regards the CMCA?
On 15/08/2024 12.54, Adam Lane via KICTANet wrote:
Hi David
In my engagements with policy makers I emphasize the need for the government to intentionally identify relevant cybersecurity standards (either international, local or international ones that are localized) and then implement them within government and encourage the rest of the industry in the country to also adopt and implement. These standards are a good benchmark to define “secure” (though one must never accept reaching a standard as the end goal and not get complacent) and can be specific to certain areas (such as cloud, telcom networks, software etc) or be about certain processes and can be tested and certified against. This can grow the cybersecurity ecosystem (labs, certifiers, standards consultants etc) and support talent training and development as well.
Such standards may not need to be legally required necessarily, but this would be a discussion worth having.
Probably more effort is required in keeping up to date with international standards and perhaps influencing their development. As an example, many of the laws are available as pdf only downloads from kenyalaw.org. County legislation is more difficult to obtain. Standards such as Akoma Ntoso [1] would make searching legislative documents much easier, and in particular improve hyperlinks in web versions. This would aid people doing dissemination work to be more effective.
1) https://en.wikipedia.org/wiki/Akoma_Ntoso
Am tired of these emails you are sending, am trying to unsubscribe but you keep pushing
On Thu, 15 Aug 2024, 20:50 Benson Muite via KICTANet, <kictanet@lists.kictanet.or.ke> wrote:
On 15/08/2024 12.54, Adam Lane via KICTANet wrote:
Hi David
In my engagements with policy makers I emphasize the need for the government to intentionally identify relevant cybersecurity standards (either international, local or international ones that are localized) and then implement them within government and encourage the rest of the industry in the country to also adopt and implement. These standards are a good benchmark to define “secure” (though one must never accept reaching a standard as the end goal and not get complacent) and can be specific to certain areas (such as cloud, telcom networks, software etc) or be about certain processes and can be tested and certified against. This can grow the cybersecurity ecosystem (labs, certifiers, standards consultants etc) and support talent training and development as well.
Such standards may not need to be legally required necessarily, but this would be a discussion worth having.
Probably more effort is required in keeping up to date with international standards and perhaps influencing their development. As an example, many of the laws are available as pdf only downloads from kenyalaw.org. County legislation is more difficult to obtain. Standards such as Akoma Ntoso [1] would make searching legislative documents much easier, and in particular improve hyperlinks in web versions. This would aid people doing dissemination work to be more effective.
1) https://en.wikipedia.org/wiki/Akoma_Ntoso
On 15/08/2024 20.49, Benson Muite via KICTANet wrote:
On 15/08/2024 12.54, Adam Lane via KICTANet wrote:
Hi David
In my engagements with policy makers I emphasize the need for the government to intentionally identify relevant cybersecurity standards (either international, local or international ones that are localized) and then implement them within government and encourage the rest of the industry in the country to also adopt and implement. These standards are a good benchmark to define “secure” (though one must never accept reaching a standard as the end goal and not get complacent) and can be specific to certain areas (such as cloud, telcom networks, software etc) or be about certain processes and can be tested and certified against. This can grow the cybersecurity ecosystem (labs, certifiers, standards consultants etc) and support talent training and development as well.
Such standards may not need to be legally required necessarily, but this would be a discussion worth having.
Probably more effort is required in keeping up to date with international standards and perhaps influencing their development. As an example, many of the laws are available as pdf only downloads from kenyalaw.org. County legislation is more difficult to obtain. Standards such as Akoma Ntoso [1] would make searching legislative documents much easier, and in particular improve hyperlinks in web versions. This would aid people doing dissemination work to be more effective.
There are some efforts from South Africa in typesetting legal documents. These are being used in Kenya:
https://laws.africa/case-studies/kenyalaw.html
However, I cannot find the XML online, this would enable much easier creation of searchable webpages such as:
https://bkmgit.codeberg.page/CMCA2018/
HTML is available for many bills though:
http://kenyalaw.org:8181/exist/kenyalex/index.xql
There seems to be an example of marking up parliamentary debate:
https://docs.oasis-open.org/legaldocml/akn-core/v1.0/os/part2-specs/examples...
which would also be very helpful for automated analysis, for example to get notifications whenever a particular representative makes a contribution to a debate
Dear Adam,
Thanks for your insights, are there any specific standards from your experience in the sector you think should be considered? If so, do you have suggestions as regards specific international standards that can be studied, and then localized, if deemed relevant.
Stay happy,
Mutheu.
On Thu, Aug 15, 2024 at 12:55 PM Adam Lane via KICTANet <kictanet@lists.kictanet.or.ke> wrote:
Hi David
In my engagements with policy makers I emphasize the need for the government to intentionally identify relevant cybersecurity standards (either international, local or international ones that are localized) and then implement them within government and encourage the rest of the industry in the country to also adopt and implement. These standards are a good benchmark to define “secure” (though one must never accept reaching a standard as the end goal and not get complacent) and can be specific to certain areas (such as cloud, telcom networks, software etc) or be about certain processes and can be tested and certified against. This can grow the cybersecurity ecosystem (labs, certifiers, standards consultants etc) and support talent training and development as well.
Such standards may not need to be legally required necessarily, but this would be a discussion worth having.
Adam
*From:* David Indeje via KICTANet <kictanet@lists.kictanet.or.ke>
*Sent:* Thursday, 15 August 2024 08:38
*To:* Adam Lane <adam.lane@huawei.com>
*Cc:* David Indeje <dindeje@kictanet.or.ke>
*Subject:* [kictanet] Re: Discussion: Shaping Kenya's Cybersecurity Ecosystem
Dear Listers,
*Day 3:*
The CMCA has profound implications for businesses, individuals, and the digital economy in Kenya. Its effectiveness in balancing innovation with cybersecurity, addressing emerging technologies, and protecting individual rights is a subject of ongoing debate. Today, we encourage discussion on the challenges and opportunities presented by the CMCA and explore potential solutions to enhance its effectiveness in shaping a secure and vibrant digital future for Kenya.
*Section 5: Impact on Businesses and Individuals.*
1. How has the CMCA impacted businesses in Kenya in terms of cybersecurity practices and investments?
2. Do you believe the CMCA adequately protects the rights of individuals in the digital space?
3. Have there been any unintended consequences of the CMCA on businesses or individuals?
4. How has the CMCA affected the digital economy in Kenya?
*Section 6: An analysis of the effectiveness of the CMCA to embrace emerging technologies and the cyberthreats they pose therein.*
1. How does the CMCA balance the need for innovation with cybersecurity?
2. Does the Act create an environment conducive to technological advancement or are there any provisions that stifle innovation?
3. How well does the CMCA address emerging technologies such as artificial intelligence, blockchain, Internet of Things (IoT), quantum computing and cryptocurrency? What can be done to enhance its ability to address these lacunas (if any).
4. How can the legal framework provided by the CMCA be enhanced to regulate the use of emerging technologies, while protecting individual digital rights?
*Section 7: General Questions.*
1. Are there any legal uncertainties or ambiguities in the Act that hinder its effectiveness?
2. What are the capacity-building needs of law enforcement and the judiciary in addressing cybercrimes related to emerging technologies?
3. Is the country’s cybersecurity infrastructure sufficiently robust to address the challenges posed by emerging technologies?
4. Any other relevant comment that you may wish to include as regards the CMCA?
Dear Mutheu
The Common Criteria (CC) should be considered and ISO27001 & 27017 & 27018 & 27701.
Then there are some specific ones, like in the networks space, there is the Network Equipment Security Assurance Scheme/Security Assurance Specifications (NESAS/SCAS) and in the cloud space there is the CSA Cloud Controls Matrix (CCM).
There are also others in various domains like payment card standards, health informatics standards etc.
Regards
Adam
*From:* A Mutheu <mutheu@khimulu.com> *Sent:* Friday, 16 August 2024 12:43 *To:* Kenya's premier ICT Policy engagement platform <kictanet@lists.kictanet.or.ke> *Cc:* Adam Lane <adam.lane@huawei.com> *Subject:* Re: [kictanet] Re: Discussion: Shaping Kenya's Cybersecurity Ecosystem
Dear Adam,
Thanks for your insights, are there any specific standards from your experience in the sector you think should be considered? If so, do you have suggestions as regards specific international standards that can be studied, and then localized, if deemed relevant.
Stay happy,
Mutheu.
On Thu, Aug 15, 2024 at 12:55 PM Adam Lane via KICTANet <kictanet@lists.kictanet.or.ke> wrote:
Hi David
In my engagements with policy makers I emphasize the need for the government to intentionally identify relevant cybersecurity standards (either international, local or international ones that are localized) and then implement them within government and encourage the rest of the industry in the country to also adopt and implement. These standards are a good benchmark to define “secure” (though one must never accept reaching a standard as the end goal and not get complacent) and can be specific to certain areas (such as cloud, telecom networks, software etc) or be about certain processes and can be tested and certified against. This can grow the cybersecurity ecosystem (labs, certifiers, standards consultants etc) and support talent training and development as well.
Such standards may not need to be legally required necessarily, but this would be a discussion worth having.
Adam
Thanks Adam, I'll check them out.
Stay happy,
Mutheu.
On Fri, Aug 16, 2024 at 12:46 PM Adam Lane <adam.lane@huawei.com> wrote:
Dear Mutheu
The Common Criteria (CC) should be considered and ISO27001 & 27017 & 27018 & 27701.
Then there are some specific ones, like in the networks space, there is the Network Equipment Security Assurance Scheme/Security Assurance Specifications (NESAS/SCAS) and in the cloud space there is the CSA Cloud Controls Matrix (CCM).
There are also others in various domains like payment card standards, health informatics standards etc.
Regards
Adam
Dear David,
Please find my detailed response below:
*Section 1:*
*Effectiveness in Preventing and Prosecuting Cybercrime*
· Partially – The CMCA shows that the country has taken a step to put in place laws that criminalize cybercrime and allow prosecution of the same. It is dismally effective as a deterrent and as far as prosecution is concerned, I have yet to see effectiveness as it has mostly focused on social media-related issues on harassment and fake news, for other crimes the cases seem to be stuck in court for years which hardly makes it effective as a deterrent.
*Provisions Hindering Effective Prosecution:*
· Law enforcement at various stations in the country also need to be effectively trained on how to handle cybercrime-related incidents when individuals show up at police stations to either report or seek advice from the officers.
*Public Awareness:*
· Public Awareness is poorly done regarding the CMCA, a clear indication of this is on social media platforms where users have been subject to bullying, and others have called for the hacking of platforms all of which are crimes in the CMCA. The people don’t know what protections the CMCA offers.
*Section 2:*
*Impact on Privacy Rights:*
- The CMCA grants law enforcement broad powers to monitor and intercept communications, which could infringe on citizens' privacy rights. It states that “Where a police officer or an authorised person has reasonable grounds to believe that the content of any specifically identified electronic communications is required for the purposes of a specific investigation in respect of an offence, the police officer or authorised person may apply to the court for an order” and in another section “Where a police officer or an authorised person has reasonable grounds to believe that there may be in a specified computer system or part of it, computer data storage medium, program, data, that— (a) is reasonably required for the purpose of a criminal investigation or criminal proceedings which may be material as evidence; or (b) has been acquired by a person as a result of the commission of an offence, the police officer or the authorised person may apply to the court for issue of a warrant to enter any premises to access, search and similarly seize such data.” The ‘*may*’ in these sections implies that it is optional for the officers to seek a court order or warrant.
- During the recent “Gen Z” protests, some of the arrested people had their devices confiscated for ‘further analysis’ despite being released unconditionally. In my understanding, police should be required to provide a clear and specific explanation for the arrest and the reasons for seizing a person’s device. This explanation should be given in writing and should include the alleged crime and the connection of the device to the investigation if not a court order for the seizure.
*Restriction of Freedom of Expression:*
- Section 22 focuses on false publication in terms of “false”, “misleading” or “fictitious” information, this should not be abused to deter people from expressing themselves by publishing information in the form of opinions or satire. The broad definition of "false publications" under the CMCA has seemingly been used by the government and politicians to silence bloggers, journalists and social media users on various platforms.
*Section 5:*
*Impact on Businesses and Individuals:*
· Impact on Businesses in Terms of Cybersecurity Practices and Investments - The CMCA’s requirements for critical information infrastructure are extensive such as the protection of, the storing of and archiving of data held by the critical information infrastructure; (c) cyber security incident management by the critical information infrastructure; (d) disaster contingency and recovery measures, which must be put in place by the critical information infrastructure; (e) minimum physical and technical security measures that must be implemented in order to protect the critical information infrastructure. Such requirements although necessary can be deemed as unfair since there are significant costs for compliance, such as hiring skilled personnel, training, purchasing equipment, storage, and securing licenses among others. The Act mandates stringent measures, but without providing financial or technical support, this places a disproportionate burden on organizations, especially smaller ones.
*Section 6:*
*Analysis of the Effectiveness of the CMCA in Embracing Emerging Technologies and the Associated Cyberthreats*
*Conduciveness to Technological Advancement:*
Some sections of the CMCA might inadvertently stifle innovation by imposing regulations that are difficult for innovators or small organizations to navigate. The potential for arbitrary enforcement also creates uncertainty for innovators.
· The act does not mention anything on responsible disclosure that innovators and researchers may lean on when identifying potential issues that can be responsibly disclosed and as a result strengthen the security systems and infrastructure that may be exposed.
· The CMCA allows the government to declare certain infrastructure as critical, with heavy regulatory requirements for cybersecurity, data protection, and incident management. While necessary, the lack of financial or technical support makes it difficult for smaller outfits to comply. High compliance costs and stringent requirements could deter new entrants or smaller firms from innovating in certain sectors or causing disruption in others lest they are deemed as critical infrastructure, potentially leading to reduced competition and innovation.
*Addressing Emerging Technologies (AI, Blockchain, IoT, Quantum Computing, Cryptocurrency):*
- The CMCA does not specifically address newer technologies like AI, blockchain, IoT, quantum computing, or cryptocurrency, leaving regulatory grey areas that could be exploited.
*Section 7: General Questions*
*Legal Uncertainties or Ambiguities in the Act:*
- The word "may" implies that obtaining a court order or warrant is optional rather than mandatory. This leaves room for interpretation, which could lead to inconsistent enforcement. Some officers might proceed without a court order, while others might seek one, creating uncertainty for individuals and organizations about their rights and protections.
*Capacity-Building Needs of Law Enforcement and Judiciary:*
- Establish comprehensive training programs on digital forensics, cybercrime investigation, and evidence preservation. This could include mandatory courses for officers, specialized cybercrime units, and collaboration with cybersecurity experts.
- Increase recruitment and training of officers specifically for those handling cybercrime-related cases. Allocate resources to ensure that these units are adequately staffed and equipped to handle the growing number of cases.
- Consider the creation of a specialized cybercrime court to handle all cyber-related cases. Provide continuous training for judges and legal practitioners in this court to keep up with evolving technologies and cyber threats.
*Robustness of Kenya’s Cybersecurity Infrastructure:*
- Granted there have been significant improvements in Kenya’s cybersecurity posture, but the current state of Government and parastatal technology, resilience and infrastructure is significantly under-equipped and unable to address the challenges posed by rapidly advancing technologies and techniques in play by malicious actors.
*Kind regards,*
*Brian M. Nyali.*
On Thu, 15 Aug 2024 at 08:41, David Indeje via KICTANet <kictanet@lists.kictanet.or.ke> wrote:
Dear Listers,
*Day 3:*
The CMCA has profound implications for businesses, individuals, and the digital economy in Kenya. Its effectiveness in balancing innovation with cybersecurity, addressing emerging technologies, and protecting individual rights is a subject of ongoing debate. Today, we encourage discussion on the challenges and opportunities presented by the CMCA and explore potential solutions to enhance its effectiveness in shaping a secure and vibrant digital future for Kenya.
*Section 5: Impact on Businesses and Individuals.*
1. How has the CMCA impacted businesses in Kenya in terms of cybersecurity practices and investments?
2. Do you believe the CMCA adequately protects the rights of individuals in the digital space?
3. Have there been any unintended consequences of the CMCA on businesses or individuals?
4. How has the CMCA affected the digital economy in Kenya?
*Section 6: An analysis of the effectiveness of the CMCA to embrace emerging technologies and the cyberthreats they pose therein.*
1. How does the CMCA balance the need for innovation with cybersecurity?
2. Does the Act create an environment conducive to technological advancement or are there any provisions that stifle innovation?
3. How well does the CMCA address emerging technologies such as artificial intelligence, blockchain, Internet of Things (IoT), quantum computing and cryptocurrency? What can be done to enhance its ability to address these lacunas (if any).
4. How can the legal framework provided by the CMCA be enhanced to regulate the use of emerging technologies, while protecting individual digital rights?
*Section 7: General Questions.*
1. Are there any legal uncertainties or ambiguities in the Act that hinder its effectiveness?
2. What are the capacity-building needs of law enforcement and the judiciary in addressing cybercrimes related to emerging technologies?
3. Is the country’s cybersecurity infrastructure sufficiently robust to address the challenges posed by emerging technologies?
4. Any other relevant comment that you may wish to include as regards the CMCA?
--
*Kind Regards,*
*David Indeje*
*@KICTANet* <https://www.kictanet.or.ke/> *Communications*
_____________________________________
+254 (0) 711 385 945 | +254 (0) 734 024 856
KICTANet portals
Connect With Us <https://linktr.ee/Kictanet>
______________________________________
Dear Brian,
Thank you so much for your feedback.
To the rest of the Listers, keep your views and feedback coming.
Best regards,
Indeje
Dear Brian,
Thanks for your detailed insights. I have added my comments on some of them to trigger further discussion with all of us listers i.e.:
*Public Awareness:*
There is definitely an urgent need to enhance public cognizance of the provisions and reach of the CMCA to this end how best can we achieve this i.e.:
1. What strategies can be employed by both the government and private sector to effectively educate the Kenyan public on the specific activities that are considered cybercrimes under the Computer Misuse and Cybercrimes Act, and the penalties associated with these offenses?
2. How can community-based organizations, schools, and mental health advocates collaborate to address the rise in cyberbullying and its severe consequences, such as mental health issues and suicide, by leveraging the provisions of the Computer Misuse and Cybercrimes Act?
3. What role can social media platforms and influencers play in promoting awareness and understanding of Kenya's cybercrimes legislation, and how can this be done in a way that deters nefarious activities like cyber hacktivism, while fostering responsible online behavior?
*Impact on privacy rights:*
The two sections you have quoted for ease of reference of all listers are in the: *First instance S. 53 on the interception of content data*; and in the *Second instance S. 48 on search and seizure of stored computer data*.
As regards S. 53 you noted that the CMCA grants law enforcement broad powers to monitor and intercept communications, which could infringe on citizens' privacy rights. However, if you read the section in its entirety in subsection (2) it states the conditions to be met whilst making the application of such an order, and goes on in subsection (3) to clarify that courts can't grant such orders until the aforementioned conditions are met. S.53 goes on at subsection (4) to set a time limit for which such an order can be applicable and then goes on at subsection (5) to enumerate the conditions for extension of such a period.
In cyberspace, the real-time collection of electronic evidence in accordance with all legal due processes is crucial because digital trails can quickly vanish, and attributing cybercrimes remains a significant challenge. However, when conducted within the bounds of legal protocols, this process should not infringe on privacy rights as enshrined in the Constitution, as it ensures that evidence is gathered with respect for individual freedoms, under judicial oversight, and with clear, justified cause.
*Which brings me to my question as regards S.53 ... can you and/or the Listers enumerate specific ways you feel these privacy rights can be better secured?*
As regards S.48 you noted that the ‘may’ in this section implies that it is optional for the officers to seek a court order or warrant. This interpretation is erroneous as search and seizure warrants are issued based on probable cause (the may), meaning there is a reasonable belief that evidence of a crime will be found, rather than absolute certainty, to prevent the destruction or concealment of crucial evidence. Section 48 enumerates the specific grounds under which courts of competent jurisdiction can issue those orders.
*Which brings me to my question as regards S.48 ... can you and/or the Listers enumerate specific ways you feel these grounds for granting such order can be better enhanced or do they suffice?*
Albeit I am not privy to the full particulars of the Gen Z specific cases, if the law enforcement officers acted contrary to the law as alleged, then it's not because the law permitted them to act in such a manner. But that's a whole other conversation - smile!
*Restriction of Freedom of Expression:*
Section 22 pertains to false publication, and was one of the sections the Bloggers Association & others had contested as regards CMCA and whose petition the courts dismissed in Feb 2020. The Kenyan Constitution grants us the right to freedom of expression but limits this where it can negatively impact others, and/or put them in a position of danger as enumerated in Section 24 of the Constitution which is quoted in subsection (2) of S.22. As such it is arguable that definition, which you state is broad is indeed grounded in the Mother of All Kenyan Laws … The 2010 Constitution.
*Nevertheless, how do you and/or other Listers think we can better enhance this section 22, with specific examples of how to?*
*Impact on Businesses and Individuals:*
Cybersecurity, while a substantial financial outlay, is an indispensable investment safeguarding both socioeconomic prosperity and national security, necessitating a prioritization of the broader societal benefits over the immediate costs of compliance when formulating relevant legislation. If cybercrime were a country it would be the world's third largest economy after the US & China. A couple of years ago an Interpol report noted that cybercrime cost Africa over USD 4 Billion, which is more than the GDP of 12 African nations and for some of them double their GDP. Kenya experiences the second highest cyber attacks on the African continent. So it's imperative we prioritize our cybersecurity posture and public awareness which, yes, is costly. But you're spot on, without financial or technical assistance, the burden of compliance may hinder the ability of smaller organizations to meet these stringent requirements, potentially leading to penalties or even forcing some out of business.
What are possible solutions: The government could consider implementing support mechanisms, such as grants, subsidies, or public-private partnerships, to help alleviate the financial strain on smaller organizations. This would promote a more equitable landscape, ensuring that all critical infrastructure, regardless of the size of the organization, can meet the necessary cybersecurity standards without undue hardship. Another approach could involve scaling the requirements based on the size or capacity of the organization, allowing smaller entities to comply at a level that is both manageable and effective.
*I would love to hear your and other listers' suggestions as regards possible solutions so that we can effectively but more affordably secure our nation's cyberspace*.
*Conduciveness to Technological Advancement:*
In your response you noted “*that some sections of the CMCA might inadvertently stifle innovation by imposing regulations that are difficult for innovators or small organizations to navigate*”
*Can you please list the sections you deem contentious for clarity of all of us listers? This will also enable us all to better understand why you think they have a potential for arbitrary enforcement, which will also create uncertainty for innovators.*
You further stated that “*The act does not mention anything on responsible disclosure that innovators and researchers may lean on when identifying potential issues that can be responsibly disclosed and as a result strengthen the security systems and infrastructure that may be exposed.*”
*Can you please suggest what type of disclosures you think would better enhance the CMCA.*
Stay happy,
Mutheu.
On Thu, Aug 15, 2024 at 5:34 PM Brian Nyali via KICTANet <kictanet@lists.kictanet.or.ke> wrote:
Dear David,
Please find my detailed response below:
*Section 1:*
*Effectiveness in Preventing and Prosecuting Cybercrime*
· Partially – The CMCA shows that the country has taken a step to put in place laws that criminalize cybercrime and allow prosecution of the same. It is dismally effective as a deterrent and as far as prosecution is concerned, I have yet to see effectiveness as it has mostly focused on social media-related issues on harassment and fake news, for other crimes the cases seem to be stuck in court for years which hardly makes it effective as a deterrent.
*Provisions Hindering Effective Prosecution:*
· Law enforcement at various stations in the country also need to be effectively trained on how to handle cybercrime-related incidents when individuals show up at police stations to either report or seek advice from the officers.
*Public Awareness:*
· Public awareness is poorly done regarding the CMCA; a clear indication of this is on social media platforms, where users have been subject to bullying and others have called for the hacking of platforms, all of which are crimes in the CMCA. The people don’t know what protections the CMCA offers.
*Section 2: *
*Impact on Privacy Rights: *
- The CMCA grants law enforcement broad powers to monitor and intercept communications, which could infringe on citizens' privacy rights. It states that “Where a police officer or an authorised person has reasonable grounds to believe that the content of any specifically identified electronic communications is required for the purposes of a specific investigation in respect of an offence, the police officer or authorised person may apply to the court for an order” and in another section “Where a police officer or an authorised person has reasonable grounds to believe that there may be in a specified computer system or part of it, computer data storage medium, program, data, that— (a) is reasonably required for the purpose of a criminal investigation or criminal proceedings which may be material as evidence; or (b) has been acquired by a person as a result of the commission of an offence, the police officer or the authorised person may apply to the court for issue of a warrant to enter any premises to access, search and similarly seize such data.” The ‘*may*’ in these sections implies that it is optional for the officers to seek a court order or warrant.
- During the recent “Gen Z” protests, some of the arrested people had their devices confiscated for ‘further analysis’ despite being released unconditionally. In my understanding, police should be required to provide a clear and specific explanation for the arrest and the reasons for seizing a person’s device. This explanation should be given in writing and should include the alleged crime and the connection of the device to the investigation if not a court order for the seizure.
*Restriction of Freedom of Expression:*
- Section 22 focuses on false publication in terms of “false”, “misleading” or “fictitious” information; this should not be abused to deter people from expressing themselves by publishing information in the form of opinions or satire. The broad definition of "false publications" under the CMCA has seemingly been used by the government and politicians to silence bloggers, journalists and social media users on various platforms.
*Section 5: *
*Impact on Businesses and Individuals:*
· Impact on Businesses in Terms of Cybersecurity Practices and Investments- The CMCA’s requirements for critical information infrastructure are extensive such as the protection of, the storing of and archiving of data held by the critical information infrastructure; (c) cyber security incident management by the critical information infrastructure; (d) disaster contingency and recovery measures, which must be put in place by the critical information infrastructure; (e) minimum physical and technical security measures that must be implemented in order to protect the critical information infrastructure;
Such requirements although necessary can be deemed as unfair since there are significant costs for compliance, such as hiring skilled personnel, training, purchasing equipment, storage, and securing licenses among others. The Act mandates stringent measures, but without providing financial or technical support, this places a disproportionate burden on organizations, especially smaller ones.
*Section 6:*
*Analysis of the Effectiveness of the CMCA in Embracing Emerging Technologies and the Associated Cyberthreats*
*Conduciveness to Technological Advancement:*
Some sections of the CMCA might inadvertently stifle innovation by imposing regulations that are difficult for innovators or small organizations to navigate. The potential for arbitrary enforcement also creates uncertainty for innovators.
· The act does not mention anything on responsible disclosure that innovators and researchers may lean on when identifying potential issues that can be responsibly disclosed and as a result strengthen the security systems and infrastructure that may be exposed.
· The CMCA allows the government to declare certain infrastructure as critical, with heavy regulatory requirements for cybersecurity, data protection, and incident management. While necessary, the lack of financial or technical support makes it difficult for smaller outfits to comply. High compliance costs and stringent requirements could deter new entrants or smaller firms from innovating in certain sectors or causing disruption in others lest they are deemed as critical infrastructure, potentially leading to reduced competition and innovation.
*Addressing Emerging Technologies (AI, Blockchain, IoT, Quantum Computing, Cryptocurrency):*
- The CMCA does not specifically address newer technologies like AI, blockchain, IoT, quantum computing, or cryptocurrency, leaving regulatory grey areas that could be exploited.
*Section 7: General Questions*
*Legal Uncertainties or Ambiguities in the Act:*
- The word "may" implies that obtaining a court order or warrant is optional rather than mandatory. This leaves room for interpretation, which could lead to inconsistent enforcement. Some officers might proceed without a court order, while others might seek one, creating uncertainty for individuals and organizations about their rights and protections.
*Capacity-Building Needs of Law Enforcement and Judiciary:*
- Establish comprehensive training programs on digital forensics, cybercrime investigation, and evidence preservation. This could include mandatory courses for officers, specialized cybercrime units, and collaboration with cybersecurity experts.
- Increase recruitment and training of officers specifically for those handling cybercrime-related cases. Allocate resources to ensure that these units are adequately staffed and equipped to handle the growing number of cases.
- Consider the creation of a specialized cybercrime court to handle all cyber-related cases. Provide continuous training for judges and legal practitioners in this court to keep up with evolving technologies and cyber threats.
*Robustness of Kenya’s Cybersecurity Infrastructure:*
- Granted there have been significant improvements in Kenya’s cybersecurity posture, but the current state of Government and parastatal technology, resilience and infrastructure is significantly under-equipped and unable to address the challenges posed by rapidly advancing technologies and techniques in play by malicious actors.
*Kind regards,* *Brian M. Nyali.*
On Thu, 15 Aug 2024 at 08:41, David Indeje via KICTANet < kictanet@lists.kictanet.or.ke> wrote:
Dear Listers,
*Day 3:*
The CMCA has profound implications for businesses, individuals, and the digital economy in Kenya. Its effectiveness in balancing innovation with cybersecurity, addressing emerging technologies, and protecting individual rights is a subject of ongoing debate. Today, we encourage discussion on the challenges and opportunities presented by the CMCA and explore potential solutions to enhance its effectiveness in shaping a secure and vibrant digital future for Kenya.
*Section 5: Impact on Businesses and Individuals.*
1. How has the CMCA impacted businesses in Kenya in terms of cybersecurity practices and investments?
2. Do you believe the CMCA adequately protects the rights of individuals in the digital space?
3. Have there been any unintended consequences of the CMCA on businesses or individuals?
4. How has the CMCA affected the digital economy in Kenya?
*Section 6: An analysis of the effectiveness of the CMCA to embrace emerging technologies and the cyberthreats they pose therein.*
1. How does the CMCA balance the need for innovation with cybersecurity?
2. Does the Act create an environment conducive to technological advancement or are there any provisions that stifle innovation?
3. How well does the CMCA address emerging technologies such as artificial intelligence, blockchain, Internet of Things (IoT), quantum computing and cryptocurrency? What can be done to enhance its ability to address these lacunas (if any)?
4. How can the legal framework provided by the CMCA be enhanced to regulate the use of emerging technologies, while protecting individual digital rights?
*Section 7: General Questions.*
1. Are there any legal uncertainties or ambiguities in the Act that hinder its effectiveness?
2. What are the capacity-building needs of law enforcement and the judiciary in addressing cybercrimes related to emerging technologies?
3. Is the country’s cybersecurity infrastructure sufficiently robust to address the challenges posed by emerging technologies?
4. Any other relevant comment that you may wish to include as regards the CMCA?
-- *Kind Regards,*
*David Indeje*
*@**KICTANet* <https://www.kictanet.or.ke/> * Communications *_____________________________________ +254 (0) 711 385 945 | +254 (0) 734 024 856 KICTANet portals Connect With Us <https://linktr.ee/Kictanet> ______________________________________
_______________________________________________ KICTANet mailing list -- kictanet@lists.kictanet.or.ke To unsubscribe send an email to kictanet-leave@lists.kictanet.or.ke Unsubscribe or change your options at: https://mm3-lists.kictanet.or.ke/mm/lists/kictanet.lists.kictanet.or.ke/
Mailing List Posts Online: https://posts.kictanet.or.ke/
Twitter: https://twitter.com/KICTANet/ Facebook: https://www.facebook.com/KICTANet/ Instagram: https://www.instagram.com/KICTANet/ LinkedIn: https://www.linkedin.com/company/kictanet/ YouTube: https://www.youtube.com/channel/UCbcLVjnPtTGBEeYLGUb2Yow/ WhatsApp Channel: https://whatsapp.com/channel/0029VaQsX4w6mYPIctLsGh1K
KICTANet is a multi-stakeholder Think Tank for people and institutions interested and involved in ICT policy and regulation. KICTANet is a catalyst for reform in the Information and Communication Technology sector. Its work is guided by four pillars of Policy Advocacy, Capacity Building, Research, and Stakeholder Engagement.
KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.
PRIVACY POLICY: See https://mm3-lists.kictanet.or.ke/mm/lists/kictanet.lists.kictanet.or.ke/
KICTANet - The Power of Communities, is Kenya's premier ICT policy engagement platform.
Dear Listers,
Regarding public awareness and mental health, I would like to add a social/soft skills angle. It is said, you cannot legislate morality. Cyberbullying is also a social issue. What causes it? What conditions allow it or perpetuate it? Chapter 6 of the constitution (Leadership and Integrity) can be a helpful guide.
Regards,
Mildred Achoch.
On Friday, August 16, 2024, A Mutheu via KICTANet <kictanet@lists.kictanet.or.ke> wrote:
Dear Brian,
Thanks for your detailed insights. I have added my comments on some of them to trigger further discussion with all of us listers i.e.:
*Public Awareness:* There is definitely an urgent need to enhance public cognizance of the provisions and reach of the CMCA. To this end, how best can we achieve this, i.e.:
1. What strategies can be employed by both the government and private sector to effectively educate the Kenyan public on the specific activities that are considered cybercrimes under the Computer Misuse and Cybercrimes Act, and the penalties associated with these offenses?
2. How can community-based organizations, schools, and mental health advocates collaborate to address the rise in cyberbullying and its severe consequences, such as mental health issues and suicide, by leveraging the provisions of the Computer Misuse and Cybercrimes Act?
3. What role can social media platforms and influencers play in promoting awareness and understanding of Kenya's cybercrimes legislation, and how can this be done in a way that deters nefarious activities like cyber hacktivism, while fostering responsible online behavior?
*Impact on privacy rights:* The two sections you have quoted for ease of reference of all listers are in the: *First instance S. 53 on the interception of content data*; and in the *Second instance S. 48 on search and seizure of stored computer data*.
As regards S. 53, you noted that the CMCA grants law enforcement broad powers to monitor and intercept communications, which could infringe on citizens' privacy rights. However, if you read the section in its entirety, in subsection (2) it states the conditions to be met whilst making the application of such an order, and goes on in subsection (3) to clarify that courts can't grant such orders until the aforementioned conditions are met. S.53 goes on at subsection (4) to set a time limit for which such an order can be applicable and then goes on at subsection (5) to enumerate the conditions for extension of such a period.
In cyberspace, the real-time collection of electronic evidence in accordance with all legal due processes is crucial because digital trails can quickly vanish, and attributing cybercrimes remains a significant challenge. However, when conducted within the bounds of legal protocols, this process should not infringe on privacy rights as enshrined in the Constitution, as it ensures that evidence is gathered with respect for individual freedoms, under judicial oversight, and with clear, justified cause.
*Which brings me to my question as regards S.53 ... can you and/or the Listers enumerate specific ways you feel these privacy rights can be better secured?*
As regards S.48 you noted that the ‘may’ in this section implies that it is optional for the officers to seek a court order or warrant. This interpretation is erroneous as search and seizure warrants are issued based on probable cause (the may), meaning there is a reasonable belief that evidence of a crime will be found, rather than absolute certainty, to prevent the destruction or concealment of crucial evidence. Section 48 enumerates the specific grounds under which courts of competent jurisdiction can issue those orders.
*Which brings me to my question as regards S.48 ... can you and/or the Listers enumerate specific ways you feel these grounds for granting such order can be better enhanced or do they suffice?*
Albeit I am not privy to the full particulars of the Gen Z specific cases, if the law enforcement officers acted contrary to the law as alleged, then it's not because the law permitted them to act in such a manner. But that's a whole other conversation - smile!
*Restriction of Freedom of Expression: *
Section 22 pertains to false publication, and was one of the sections the Bloggers Association & others had contested as regards CMCA and whose petition the courts dismissed in Feb 2020.
The Kenyan Constitution grants us the right to freedom of expression but limits this where it can negatively impact others, and/or put them in a position of danger, as enumerated in Section 24 of the Constitution, which is quoted in subsection (2) of S.22. As such, it is arguable that the definition, which you state is broad, is indeed grounded in the Mother of All Kenyan Laws … The 2010 Constitution.
*Nevertheless, how do you and/or other Listers think we can better enhance this section 22, with specific examples of how to?*
*Impact on Businesses and Individuals: *
Cybersecurity, while a substantial financial outlay, is an indispensable investment safeguarding both socioeconomic prosperity and national security, necessitating a prioritization of the broader societal benefits over the immediate costs of compliance when formulating relevant legislation.
If cybercrime were a country it would be the world's third largest economy after the US & China. A couple of years ago an Interpol report noted that cybercrime cost Africa over USD 4 Billion, which is more than the GDP of 12 African nations and for some of them double their GDP. Kenya experiences the second highest cyber attacks on the African continent. So it's imperative we prioritize our cybersecurity posture and public awareness which, yes, is costly.
But you're spot on: without financial or technical assistance, the burden of compliance may hinder the ability of smaller organizations to meet these stringent requirements, potentially leading to penalties or even forcing some out of business.
What are possible solutions:
The government could consider implementing support mechanisms, such as grants, subsidies, or public-private partnerships, to help alleviate the financial strain on smaller organizations. This would promote a more equitable landscape, ensuring that all critical infrastructure, regardless of the size of the organization, can meet the necessary cybersecurity standards without undue hardship.
Another approach could involve scaling the requirements based on the size or capacity of the organization, allowing smaller entities to comply at a level that is both manageable and effective.
*I would love to hear your and other listers' suggestions as regards possible solutions so that we can effectively but more affordably secure our nation's cyberspace*.
*Conduciveness to Technological Advancement: *
In your response you noted “*that some sections of the CMCA might inadvertently stifle innovation by imposing regulations that are difficult for innovators or small organizations to navigate*” *Can you please list the sections you deem contentious for clarity of all of us listers? This will also enable us all to better understand why you think they have a potential for arbitrary enforcement, which will also create uncertainty for innovators.*
You further stated that “*The act does not mention anything on responsible disclosure that innovators and researchers may lean on when identifying potential issues that can be responsibly disclosed and as a result strengthen the security systems and infrastructure that may be exposed.*” *Can you please suggest what type of disclosures you think would better enhance the CMCA.*
Stay happy,
Mutheu.
Dear Mildred,
You have raised very valid points ... thank you ... as indeed cyberbullying is a pervasive social issue arising from the digital age's anonymity. While laws can punish egregious offenses, they cannot fully address the underlying moral decay at the heart of the problem. The faceless nature of the internet emboldens bullies, allowing them to inflict cruelty with impunity, that they would hesitate to exhibit in person.
To foster a more ethical cyberspace, society must prioritize digital literacy education, that promotes online and indeed offline empathy and respect for others. We need to encourage open dialogue about online behavior, support victims without shame, and hold social media platforms accountable for their content moderation policies, which are crucial steps towards creating a kinder digital environment. Ultimately, combating cyberbullying requires a multi-faceted approach that addresses both the technological and human dimensions of the issue.
As regards *Chapter 6 of the Constitution that pertains to the constitutional mandate for leadership and integrity for state officers*, and the escalating prevalence of cyberbullying, Kenya's leaders must exemplify ethical online conduct. Regrettably, many engage in/or perpetuate cyberbullying on various digital platforms, undermining their positions as role models. As custodians of the nation's values, they must recognize the immense influence they wield and conduct themselves accordingly. Conversely, numerous politicians, particularly women, endure severe cyberbullying, especially during election periods, marring our electoral process, and discouraging more women to stand for electoral positions.
Cyberbullying among the political elite can be deterred through a multi-faceted approach that can include:
1. *Stricter Regulations and Enforcement:* Imposing stringent penalties for cyberbullying by public officials, including potential disqualification from office, can serve as a strong deterrent.
2. *Media Accountability:* Encouraging media outlets to hold politicians accountable for their online behavior and to refrain from amplifying cyberbullying content.
3. *Digital Literacy Training:* Mandatory digital literacy training for politicians to enhance their understanding of online etiquette and the potential consequences of their actions.
4. *Ethical Leadership:* Encouraging political parties to adopt ethical codes of conduct that explicitly condemn cyberbullying and to promote positive online engagement.
Would love to think what you and the other Listers think.
Stay happy, Mutheu.
On Fri, Aug 16, 2024 at 3:00 PM Mildred Achoch <mildandred@gmail.com> wrote:
Dear Listers,
Regarding public awareness and mental health, I would like to add a social/soft skills angle. It is said, you cannot legislate morality. Cyberbullying is also a social issue. What causes it? What conditions allow it or perpetuate it? Chapter 6 of the constitution (Leadership and Integrity) can be a helpful guide.
Regards, Mildred Achoch.
On Friday, August 16, 2024, A Mutheu via KICTANet < kictanet@lists.kictanet.or.ke> wrote:
Dear Brian,
Thanks for your detailed insights. I have added my comments on some of them to trigger further discussion with all of us listers i.e.:
*Public Awareness:* There is definitely an urgent need to enhance public cognizance of the provisions and reach of the CMCA; to this end, how best can we achieve this, i.e.:
1. What strategies can be employed by both the government and private sector to effectively educate the Kenyan public on the specific activities that are considered cybercrimes under the Computer Misuse and Cybercrimes Act, and the penalties associated with these offenses?
2. How can community-based organizations, schools, and mental health advocates collaborate to address the rise in cyberbullying and its severe consequences, such as mental health issues and suicide, by leveraging the provisions of the Computer Misuse and Cybercrimes Act?
3. What role can social media platforms and influencers play in promoting awareness and understanding of Kenya's cybercrimes legislation, and how can this be done in a way that deters nefarious activities like cyber hacktivism, while fostering responsible online behavior?
*Impact on privacy rights:* The two sections you have quoted for ease of reference of all listers are in the: *First instance S. 53 on the interception of content data*; and in the *Second instance S. 48 on search and seizure of stored computer data*.
As regards S. 53 you noted that the CMCA grants law enforcement broad powers to monitor and intercept communications, which could infringe on citizens' privacy rights. However, if you read the section in its entirety, in subsection (2) it states the conditions to be met whilst making the application of such an order, and goes on in subsection (3) to clarify that courts can't grant such orders until the aforementioned conditions are met. S.53 goes on at subsection (4) to set a time limit for which such an order can be applicable and then goes on at subsection (5) to enumerate the conditions for extension of such a period.
In cyberspace, the real-time collection of electronic evidence in accordance with all legal due processes is crucial because digital trails can quickly vanish, and attributing cybercrimes remains a significant challenge. However, when conducted within the bounds of legal protocols, this process should not infringe on privacy rights as enshrined in the Constitution, as it ensures that evidence is gathered with respect for individual freedoms, under judicial oversight, and with clear, justified cause.
*Which brings me to my question as regards S.53 ... can you and/or the Listers enumerate specific ways you feel these privacy rights can be better secured?*
As regards S.48 you noted that the ‘may’ in this section implies that it is optional for the officers to seek a court order or warrant. This interpretation is erroneous as search and seizure warrants are issued based on probable cause (the may), meaning there is a reasonable belief that evidence of a crime will be found, rather than absolute certainty, to prevent the destruction or concealment of crucial evidence. Section 48 enumerates the specific grounds under which courts of competent jurisdiction can issue those orders.
*Which brings me to my question as regards S.48 ... can you and/or the Listers enumerate specific ways you feel these grounds for granting such order can be better enhanced or do they suffice?*
Albeit I am not privy to the full particulars of the Gen Z specific cases, if the law enforcement officers acted contrary to the law as alleged, then it's not because the law permitted them to act in such a manner. But that's a whole other conversation - smile!
*Restriction of Freedom of Expression: *
Section 22 pertains to false publication, and was one of the sections the Bloggers Association & others had contested as regards CMCA and whose petition the courts dismissed in Feb 2020.
The Kenyan Constitution grants us the right to freedom of expression but limits this where it can negatively impact others, and/or put them in a position of danger as enumerated in Section 24 of the Constitution which is quoted in subsection (2) of S.22. As such it is arguable that definition, which you state is broad is indeed grounded in the Mother of All Kenyan Laws … The 2010 Constitution.
*Nevertheless, how do you and/or other Listers think we can better enhance this section 22, with specific examples of how to?*
*Impact on Businesses and Individuals: *
Cybersecurity, while a substantial financial outlay, is an indispensable investment safeguarding both socioeconomic prosperity and national security, necessitating a prioritization of the broader societal benefits over the immediate costs of compliance when formulating relevant legislation.
If cybercrime were a country it would be the world's third largest economy after the US & China. A couple of years ago an Interpol report noted that cybercrime cost Africa over USD 4 Billion, which is more than the GDP of 12 African nations and for some of them double their GDP. Kenya experiences the second highest cyber attacks on the African continent. So it's imperative we prioritize our cybersecurity posture and public awareness which, yes, is costly.
But you're spot on, without financial or technical assistance, the burden of compliance may hinder the ability of smaller organizations to meet these stringent requirements, potentially leading to penalties or even forcing some out of business.
What are possible solutions:
The government could consider implementing support mechanisms, such as grants, subsidies, or public-private partnerships, to help alleviate the financial strain on smaller organizations. This would promote a more equitable landscape, ensuring that all critical infrastructure, regardless of the size of the organization, can meet the necessary cybersecurity standards without undue hardship.
Another approach could involve scaling the requirements based on the size or capacity of the organization, allowing smaller entities to comply at a level that is both manageable and effective.
*I would love to hear your and other listers' suggestions as regards possible solutions so that we can effectively but more affordably secure our nation's cyberspace*.
*Conduciveness to Technological Advancement: *
In your response you noted “*that some sections of the CMCA might inadvertently stifle innovation by imposing regulations that are difficult for innovators or small organizations to navigate*” *Can you please list the sections you deem contentious for clarity of all of us listers? This will also enable us all to better understand why you think they have a potential for arbitrary enforcement, which will also create uncertainty for innovators.*
You further stated that “*The act does not mention anything on responsible disclosure that innovators and researchers may lean on when identifying potential issues that can be responsibly disclosed and as a result strengthen the security systems and infrastructure that may be exposed.*” *Can you please suggest what type of disclosures you think would better enhance the CMCA.*
Stay happy,
Mutheu.
On Thu, Aug 15, 2024 at 5:34 PM Brian Nyali via KICTANet < kictanet@lists.kictanet.or.ke> wrote:
Dear David,
Please find my detailed response below:
*Section 1:*
*Effectiveness in Preventing and Prosecuting Cybercrime *
· Partially – The CMCA shows that the country has taken a step to put in place laws that criminalize cybercrime and allow prosecution of the same. It is dismally effective as a deterrent and as far as prosecution is concerned, I have yet to see effectiveness as it has mostly focused on social media-related issues on harassment and fake news, for other crimes the cases seem to be stuck in court for years which hardly makes it effective as a deterrent.
*Provisions Hindering Effective Prosecution:*
· Law enforcement at various stations in the country also need to be effectively trained on how to handle cybercrime-related incidents when individuals show up at police stations to either report or seek advice from the officers.
*Public Awareness:*
· Public Awareness is poorly done regarding the CMCA, a clear indication of this is on social media platforms where users have been subject to bullying, and others have called for the hacking of platforms all of which are crimes in the CMCA. The people don’t know what protections the CMCA offers
*Section 2: *
*Impact on Privacy Rights: *
- The CMCA grants law enforcement broad powers to monitor and intercept communications, which could infringe on citizens' privacy rights. It states that “Where a police officer or an authorised person has reasonable grounds to believe that the content of any specifically identified electronic communications is required for the purposes of a specific investigation in respect of an offence, the police officer or authorised person may apply to the court for an order” and in another section “Where a police officer or an authorised person has reasonable grounds to believe that there may be in a specified computer system or part of it, computer data storage medium, program, data, that— (a) is reasonably required for the purpose of a criminal investigation or criminal proceedings which may be material as evidence; or (b) has been acquired by a person as a result of the commission of an offence, the police officer or the authorised person may apply to the court for issue of a warrant to enter any premises to access, search and similarly seize such data.” The ‘*may*’ in these sections implies that it is optional for the officers to seek a court order or warrant.
- During the recent “Gen Z” protests, some of the arrested people had their devices confiscated for ‘further analysis’ despite being released unconditionally. In my understanding, police should be required to provide a clear and specific explanation for the arrest and the reasons for seizing a person’s device. This explanation should be given in writing and should include the alleged crime and the connection of the device to the investigation if not a court order for the seizure.
*Restriction of Freedom of Expression:*
- Section 22 focuses on false publication in terms of “false”, “misleading” or “fictitious” information, this should not be abused to deter people from expressing themselves by publishing information in the form of opinions or satire. The broad definition of "false publications" under the CMCA has seemingly been used by the government and politicians to silence bloggers, journalists and social media users on various platforms.
*Section 5: *
*Impact on Businesses and Individuals:*
· Impact on Businesses in Terms of Cybersecurity Practices and Investments- The CMCA’s requirements for critical information infrastructure are extensive such as the protection of, the storing of and archiving of data held by the critical information infrastructure; (c) cyber security incident management by the critical information infrastructure; (d) disaster contingency and recovery measures, which must be put in place by the critical information infrastructure; (e) minimum physical and technical security measures that must be implemented in order to protect the critical information infrastructure;
Such requirements although necessary can be deemed as unfair since there are significant costs for compliance, such as hiring skilled personnel, training, purchasing equipment, storage, and securing licenses among others. The Act mandates stringent measures, but without providing financial or technical support, this places a disproportionate burden on organizations, especially smaller ones.
*Section 6:*
*Analysis of the Effectiveness of the CMCA in Embracing Emerging Technologies and the Associated Cyberthreats*
*Conduciveness to Technological Advancement:*
Some sections of the CMCA might inadvertently stifle innovation by imposing regulations that are difficult for innovators or small organizations to navigate. The potential for arbitrary enforcement also creates uncertainty for innovators.
· The act does not mention anything on responsible disclosure that innovators and researchers may lean on when identifying potential issues that can be responsibly disclosed and as a result strengthen the security systems and infrastructure that may be exposed.
· The CMCA allows the government to declare certain infrastructure as critical, with heavy regulatory requirements for cybersecurity, data protection, and incident management. While necessary, the lack of financial or technical support makes it difficult for smaller outfits to comply. High compliance costs and stringent requirements could deter new entrants or smaller firms from innovating in certain sectors or causing disruption in others lest they are deemed as critical infrastructure, potentially leading to reduced competition and innovation.
*Addressing Emerging Technologies (AI, Blockchain, IoT, Quantum Computing, Cryptocurrency):*
- The CMCA does not specifically address newer technologies like AI, blockchain, IoT, quantum computing, or cryptocurrency, leaving regulatory grey areas that could be exploited.
*Section 7: General Questions*
*Legal Uncertainties or Ambiguities in the Act:*
- The word "may" implies that obtaining a court order or warrant is optional rather than mandatory. This leaves room for interpretation, which could lead to inconsistent enforcement. Some officers might proceed without a court order, while others might seek one, creating uncertainty for individuals and organizations about their rights and protections.
*Capacity-Building Needs of Law Enforcement and Judiciary:*
- Establish comprehensive training programs on digital forensics, cybercrime investigation, and evidence preservation. This could include mandatory courses for officers, specialized cybercrime units, and collaboration with cybersecurity experts.
- Increase recruitment and training of officers specifically for those handling cybercrime-related cases. Allocate resources to ensure that these units are adequately staffed and equipped to handle the growing number of cases.
- Consider the creation of a specialized cybercrime court to handle all cyber-related cases. Provide continuous training for judges and legal practitioners in this court to keep up with evolving technologies and cyber threats.
*Robustness of Kenya’s Cybersecurity Infrastructure:*
- Granted there have been significant improvements in Kenya’s cybersecurity posture, but the current state of Government and parastatal technology, resilience and infrastructure is significantly under-equipped and unable to address the challenges posed by rapidly advancing technologies and techniques in play by malicious actors.
*Kind regards,* *Brian M. Nyali.*
On Thu, 15 Aug 2024 at 08:41, David Indeje via KICTANet < kictanet@lists.kictanet.or.ke> wrote:
Dear Listers,
*Day 3:*
The CMCA has profound implications for businesses, individuals, and the digital economy in Kenya. Its effectiveness in balancing innovation with cybersecurity, addressing emerging technologies, and protecting individual rights is a subject of ongoing debate. Today, we encourage discussion on the challenges and opportunities presented by the CMCA and explore potential solutions to enhance its effectiveness in shaping a secure and vibrant digital future for Kenya.
*Section 5: Impact on Businesses and Individuals.*
1. How has the CMCA impacted businesses in Kenya in terms of cybersecurity practices and investments?
2. Do you believe the CMCA adequately protects the rights of individuals in the digital space?
3. Have there been any unintended consequences of the CMCA on businesses or individuals?
4. How has the CMCA affected the digital economy in Kenya?
*Section 6: An analysis of the effectiveness of the CMCA to embrace emerging technologies and the cyberthreats they pose therein.*
1. How does the CMCA balance the need for innovation with cybersecurity?
2. Does the Act create an environment conducive to technological advancement or are there any provisions that stifle innovation?
3. How well does the CMCA address emerging technologies such as artificial intelligence, blockchain, Internet of Things (IoT), quantum computing and cryptocurrency? What can be done to enhance its ability to address these lacunas (if any).
4. How can the legal framework provided by the CMCA be enhanced to regulate the use of emerging technologies, while protecting individual digital rights?
*Section 7: General Questions.*
1. Are there any legal uncertainties or ambiguities in the Act that hinder its effectiveness?
2. What are the capacity-building needs of law enforcement and the judiciary in addressing cybercrimes related to emerging technologies?
3. Is the country’s cybersecurity infrastructure sufficiently robust to address the challenges posed by emerging technologies?
4. Any other relevant comment that you may wish to include as regards the CMCA?
-- *Kind Regards,*
*David Indeje*
*@**KICTANet* <https://www.kictanet.or.ke/> * Communications *_____________________________________ +254 (0) 711 385 945 | +254 (0) 734 024 856 KICTANet portals Connect With Us <https://linktr.ee/Kictanet> ______________________________________
On 16/08/2024 16.18, A Mutheu via KICTANet wrote:
Dear Mildred,
You have raised very valid points ... thank you ... as indeed cyberbullying is a pervasive social issue arising from the digital age's anonymity. While laws can punish egregious offenses, they cannot fully address the underlying moral decay at the heart of the problem. The faceless nature of the internet emboldens bullies, allowing them to inflict cruelty with impunity, that they would hesitate to exhibit in person.
To foster a more ethical cyberspace, society must prioritize digital literacy education, that promotes online and indeed offline empathy and respect for others. We need to encourage open dialogue about online behavior, support victims without shame, and hold social media platforms accountable for their content moderation policies, which are crucial steps towards creating a kinder digital environment. Ultimately, combating cyberbullying requires a multi-faceted approach that addresses both the technological and human dimensions of the issue.
As regards *Chapter 6 of the Constitution that pertains to the constitutional mandate for leadership and integrity for state officers*, and the escalating prevalence of cyberbullying, Kenya's leaders must exemplify ethical online conduct. Regrettably, many engage in/or perpetuate cyberbullying on various digital platforms, undermining their positions as role models. As custodians of the nation's values, they must recognize the immense influence they wield and conduct themselves accordingly. Conversely, numerous politicians, particularly women, endure severe cyberbullying, especially during election periods, marring our electoral process, and discouraging more women to stand for electoral positions.
Cyberbullying among the political elite can be deterred through a multi-faceted approach that can include:
1. *Stricter Regulations and Enforcement:* Imposing stringent penalties for cyberbullying by public officials, including potential disqualification from office, can serve as a strong deterrent.
2. *Media Accountability:* Encouraging media outlets to hold politicians accountable for their online behavior and to refrain from amplifying cyberbullying content.
3. *Digital Literacy Training:* Mandatory digital literacy training for politicians to enhance their understanding of online etiquette and the potential consequences of their actions.
4. *Ethical Leadership:* Encouraging political parties to adopt ethical codes of conduct that explicitly condemn cyberbullying and to promote positive online engagement.
Would love to think what you and the other Listers think.
The culture change should not just be confined to the press and politicians. It is something that is needed more broadly. In particular, with social media and the ability to easily put content online, creating a culture for what is appropriate to put online is challenging. This is also a difficult area for internet governance, as what may be considered acceptable in one region might not be considered acceptable in another.
Stay happy, Mutheu.
On Fri, Aug 16, 2024 at 3:00 PM Mildred Achoch <mildandred@gmail.com> wrote:
Dear Listers,
Regarding public awareness and mental health, I would like to add a social/soft skills angle. It is said, you cannot legislate morality. Cyberbullying is also a social issue. What causes it? What conditions allow it or perpetuate it? Chapter 6 of the constitution (Leadership and Integrity) can be a helpful guide.
Regards, Mildred Achoch.
On Friday, August 16, 2024, A Mutheu via KICTANet <kictanet@lists.kictanet.or.ke> wrote:
Dear Brian,
Thanks for your detailed insights. I have added my comments on some of them to trigger further discussion with all of us listers i.e.:
*Public Awareness:* There is definitely an urgent need to enhance public cognizance of the provisions and reach of the CMCA; to this end, how best can we achieve this, i.e.:
1. What strategies can be employed by both the government and private sector to effectively educate the Kenyan public on the specific activities that are considered cybercrimes under the Computer Misuse and Cybercrimes Act, and the penalties associated with these offenses?
Some parts of the act are in need of revision. For example section 18 would prohibit general purpose computers as one can obtain password cracking software relatively easily, an issue discussed in: https://memex.craphound.com/2012/01/10/lockdown-the-coming-war-on-general-pu... The section should just penalize use of said devices and software to cause harm, not possession.
2. How can community-based organizations, schools, and mental health advocates collaborate to address the rise in cyberbullying and its severe consequences, such as mental health issues and suicide, by leveraging the provisions of the Computer Misuse and Cybercrimes Act?
3. What role can social media platforms and influencers play in promoting awareness and understanding of Kenya's cybercrimes legislation, and how can this be done in a way that deters nefarious activities like cyber hacktivism, while fostering responsible online behavior?
*Impact on privacy rights:* The two sections you have quoted for ease of reference of all listers are in the: /First instance S. 53 on the interception of content data/; and in the /Second instance S. 48 on search and seizure of stored computer data/.
As regards S. 53 you noted that the CMCA grants law enforcement broad powers to monitor and intercept communications, which could infringe on citizens' privacy rights. However, if you read the section in its entirety, in subsection (2) it states the conditions to be met whilst making the application of such an order, and goes on in subsection (3) to clarify that courts can't grant such orders until the aforementioned conditions are met. S.53 goes on at subsection (4) to set a time limit for which such an order can be applicable and then goes on at subsection (5) to enumerate the conditions for extension of such a period.
In cyberspace, the real-time collection of electronic evidence in accordance with all legal due processes is crucial because digital trails can quickly vanish, and attributing cybercrimes remains a significant challenge. However, when conducted within the bounds of legal protocols, this process should not infringe on privacy rights as enshrined in the Constitution, as it ensures that evidence is gathered with respect for individual freedoms, under judicial oversight, and with clear, justified cause.
*Which brings me to my question as regards S.53 ... can you and/or the Listers enumerate specific ways you feel these privacy rights can be better secured?*
As regards S.48 you noted that the ‘may’ in this section implies that it is optional for the officers to seek a court order or warrant. This interpretation is erroneous as search and seizure warrants are issued based on probable cause (the may), meaning there is a reasonable belief that evidence of a crime will be found, rather than absolute certainty, to prevent the destruction or concealment of crucial evidence. Section 48 enumerates the specific grounds under which courts of competent jurisdiction can issue those orders.
*Which brings me to my question as regards S.48 ... can you and/or the Listers enumerate specific ways you feel these grounds for granting such order can be better enhanced or do they suffice?*
Albeit I am not privy to the full particulars of the Gen Z specific cases, if the law enforcement officers acted contrary to the law as alleged, then it's not because the law permitted them to act in such a manner. But that's a whole other conversation - smile!
*Restriction of Freedom of Expression: *
Section 22 pertains to false publication, and was one of the sections the Bloggers Association & others had contested as regards CMCA and whose petition the courts dismissed in Feb 2020.
The Kenyan Constitution grants us the right to freedom of expression but limits this where it can negatively impact others, and/or put them in a position of danger as enumerated in Section 24 of the Constitution which is quoted in subsection (2) of S.22. As such it is arguable that definition, which you state is broad is indeed grounded in the Mother of All Kenyan Laws … The 2010 Constitution.
* *
*Nevertheless, how do you and/or other Listers think we can better enhance this section 22, with specific examples of how to?*
*Impact on Businesses and Individuals:*
Cybersecurity, while a substantial financial outlay, is an indispensable investment safeguarding both socioeconomic prosperity and national security, necessitating a prioritization of the broader societal benefits over the immediate costs of compliance when formulating relevant legislation.
If cybercrime were a country it would be the world's third largest economy after the US & China. A couple of years ago an Interpol report noted that cybercrime cost Africa over USD 4 Billion, which is more than the GDP of 12 African nations and for some of them double their GDP. Kenya experiences the second highest cyber attacks on the African continent. So it's imperative we prioritize our cybersecurity posture and public awareness which, yes, is costly.
But you're spot on, without financial or technical assistance, the burden of compliance may hinder the ability of smaller organizations to meet these stringent requirements, potentially leading to penalties or even forcing some out of business.
What are possible solutions:
The government could consider implementing support mechanisms, such as grants, subsidies, or public-private partnerships, to help alleviate the financial strain on smaller organizations. This would promote a more equitable landscape, ensuring that all critical infrastructure, regardless of the size of the organization, can meet the necessary cybersecurity standards without undue hardship.
Another approach could involve scaling the requirements based on the size or capacity of the organization, allowing smaller entities to comply at a level that is both manageable and effective.
*I would love to hear your and other listers' suggestions as regards possible solutions so that we can effectively but more affordably secure our nation's cyberspace*.
*Conduciveness to Technological Advancement:*
In your response you noted “*that some sections of the CMCA might inadvertently stifle innovation by imposing regulations that are difficult for innovators or small organizations to navigate*” *Can you please list the sections you deem contentious for clarity of all of us listers? This will also enable us all to better understand why you think they have a potential for arbitrary enforcement, which will also create uncertainty for innovators.*
You further stated that “*The act does not mention anything on responsible disclosure that innovators and researchers may lean on when identifying potential issues that can be responsibly disclosed and as a result strengthen the security systems and infrastructure that may be exposed.*” *Can you please suggest what type of disclosures you think would better enhance the CMCA.*
Stay happy,
Mutheu.
On Thu, Aug 15, 2024 at 5:34 PM Brian Nyali via KICTANet <kictanet@lists.kictanet.or.ke> wrote:
Dear David,
Please find my detailed response below:
*Section 1:*
*Effectiveness in Preventing and Prosecuting Cybercrime*
· Partially – The CMCA shows that the country has taken a step to put in place laws that criminalize cybercrime and allow prosecution of the same. It is dismally effective as a deterrent and as far as prosecution is concerned, I have yet to see effectiveness as it has mostly focused on social media-related issues on harassment and fake news, for other crimes the cases seem to be stuck in court for years which hardly makes it effective as a deterrent.
*Provisions Hindering Effective Prosecution:*
· Law enforcement at various stations in the country also need to be effectively trained on how to handle cybercrime-related incidents when individuals show up at police stations to either report or seek advice from the officers.
*Public Awareness:*
· Public Awareness is poorly done regarding the CMCA, a clear indication of this is on social media platforms where users have been subject to bullying, and others have called for the hacking of platforms all of which are crimes in the CMCA. The people don’t know what protections the CMCA offers.
*Section 2:*
*Impact on Privacy Rights:*
* The CMCA grants law enforcement broad powers to monitor and intercept communications, which could infringe on citizens' privacy rights. It states that “Where a police officer or an authorised person has reasonable grounds to believe that the content of any specifically identified electronic communications is required for the purposes of a specific investigation in respect of an offence, the police officer or authorised person may apply to the court for an order” and in another section “Where a police officer or an authorised person has reasonable grounds to believe that there may be in a specified computer system or part of it, computer data storage medium, program, data, that— (a) is reasonably required for the purpose of a criminal investigation or criminal proceedings which may be material as evidence; or (b) has been acquired by a person as a result of the commission of an offence, the police officer or the authorised person may apply to the court for issue of a warrant to enter any premises to access, search and similarly seize such data.” The ‘*may*’ in these sections implies that it is optional for the officers to seek a court order or warrant.
* During the recent “Gen Z” protests, some of the arrested people had their devices confiscated for ‘further analysis’ despite being released unconditionally. In my understanding, police should be required to provide a clear and specific explanation for the arrest and the reasons for seizing a person’s device. This explanation should be given in writing and should include the alleged crime and the connection of the device to the investigation if not a court order for the seizure.
*Restriction of Freedom of Expression:*
* Section 22 focuses on false publication in terms of “false”, “misleading” or “fictitious” information, this should not be abused to deter people from expressing themselves by publishing information in the form of opinions or satire. The broad definition of "false publications" under the CMCA has seemingly been used by the government and politicians to silence bloggers, journalists and social media users on various platforms.
*Section 5: *
*Impact on Businesses and Individuals:*
· Impact on Businesses in Terms of Cybersecurity Practices and Investments- The CMCA’s requirements for critical information infrastructure are extensive such as the protection of, the storing of and archiving of data held by the critical information infrastructure; (c) cyber security incident management by the critical information infrastructure; (d) disaster contingency and recovery measures, which must be put in place by the critical information infrastructure; (e) minimum physical and technical security measures that must be implemented in order to protect the critical information infrastructure;
Such requirements although necessary can be deemed as unfair since there are significant costs for compliance, such as hiring skilled personnel, training, purchasing equipment, storage, and securing licenses among others. The Act mandates stringent measures, but without providing financial or technical support, this places a disproportionate burden on organizations, especially smaller ones.
*Section 6:*
*Analysis of the Effectiveness of the CMCA in Embracing Emerging Technologies and the Associated Cyberthreats*
*Conduciveness to Technological Advancement:*
Some sections of the CMCA might inadvertently stifle innovation by imposing regulations that are difficult for innovators or small organizations to navigate. The potential for arbitrary enforcement also creates uncertainty for innovators.
· The act does not mention anything on responsible disclosure that innovators and researchers may lean on when identifying potential issues that can be responsibly disclosed and as a result strengthen the security systems and infrastructure that may be exposed.
· The CMCA allows the government to declare certain infrastructure as critical, with heavy regulatory requirements for cybersecurity, data protection, and incident management. While necessary, the lack of financial or technical support makes it difficult for smaller outfits to comply. High compliance costs and stringent requirements could deter new entrants or smaller firms from innovating in certain sectors or causing disruption in others lest they are deemed as critical infrastructure, potentially leading to reduced competition and innovation.
*Addressing Emerging Technologies (AI, Blockchain, IoT, Quantum Computing, Cryptocurrency):*
* The CMCA does not specifically address newer technologies like AI, blockchain, IoT, quantum computing, or cryptocurrency, leaving regulatory grey areas that could be exploited.
*Section 7: General Questions*
*Legal Uncertainties or Ambiguities in the Act:*
* The word "may" implies that obtaining a court order or warrant is optional rather than mandatory. This leaves room for interpretation, which could lead to inconsistent enforcement. Some officers might proceed without a court order, while others might seek one, creating uncertainty for individuals and organizations about their rights and protections.
*Capacity-Building Needs of Law Enforcement and Judiciary:*
* Establish comprehensive training programs on digital forensics, cybercrime investigation, and evidence preservation. This could include mandatory courses for officers, specialized cybercrime units, and collaboration with cybersecurity experts.
* Increase recruitment and training of officers specifically for those handling cybercrime-related cases. Allocate resources to ensure that these units are adequately staffed and equipped to handle the growing number of cases.
* Consider the creation of a specialized cybercrime court to handle all cyber-related cases. Provide continuous training for judges and legal practitioners in this court to keep up with evolving technologies and cyber threats.
*Robustness of Kenya’s Cybersecurity Infrastructure:*
* Granted there have been significant improvements in Kenya’s cybersecurity posture, but the current state of Government and parastatal technology, resilience and infrastructure is significantly under-equipped and unable to address the challenges posed by rapidly advancing technologies and techniques in play by malicious actors.
*Kind regards,* *Brian M. Nyali.*
On Thu, 15 Aug 2024 at 08:41, David Indeje via KICTANet <kictanet@lists.kictanet.or.ke> wrote:
Dear Listers,
*Day 3:*
The CMCA has profound implications for businesses, individuals, and the digital economy in Kenya. Its effectiveness in balancing innovation with cybersecurity, addressing emerging technologies, and protecting individual rights is a subject of ongoing debate. Today, we encourage discussion on the challenges and opportunities presented by the CMCA and explore potential solutions to enhance its effectiveness in shaping a secure and vibrant digital future for Kenya.
*Section 5: Impact on Businesses and Individuals.*
1. How has the CMCA impacted businesses in Kenya in terms of cybersecurity practices and investments?
2. Do you believe the CMCA adequately protects the rights of individuals in the digital space?
3. Have there been any unintended consequences of the CMCA on businesses or individuals?
4. How has the CMCA affected the digital economy in Kenya?
*Section 6: An analysis of the effectiveness of the CMCA to embrace emerging technologies and the cyberthreats they pose therein.*
1. How does the CMCA balance the need for innovation with cybersecurity?
2. Does the Act create an environment conducive to technological advancement or are there any provisions that stifle innovation?
3. How well does the CMCA address emerging technologies such as artificial intelligence, blockchain, Internet of Things (IoT), quantum computing and cryptocurrency? What can be done to enhance its ability to address these lacunas (if any).
4. How can the legal framework provided by the CMCA be enhanced to regulate the use of emerging technologies, while protecting individual digital rights?
*Section 7: General Questions.*
1. Are there any legal uncertainties or ambiguities in the Act that hinder its effectiveness?
2. What are the capacity-building needs of law enforcement and the judiciary in addressing cybercrimes related to emerging technologies?
3. Is the country’s cybersecurity infrastructure sufficiently robust to address the challenges posed by emerging technologies?
4. Any other relevant comment that you may wish to include as regards the CMCA?
-- *Kind Regards,*
*David Indeje*
Dear Listers,

This is a timely discussion indeed, but more importantly because it affords an opportunity into how we approach criminalization of cybercrimes/cyber-enabled crimes. Research is growing into cyber-criminology and cyber-delinquency which has been seen to *predominantly occur among youth* - due to various factors e.g. pre-disposition as digital natives - this is across the continent (Yahooboyism) and the globe.

This begs the question, what is the penal philosophy informing criminalization of conduct in the cyberspace? The current model of sanctions and punishment appears to take a securitized approach which will mean that effective investigation and prosecution of such offenders translates to a majority being highly skilled youth behind bars.

There is an ongoing penal reform process across the justice sector advocating for alternatives to prosecution, trial and imprisonment. This creates an opportunity to reconsider the penal regime in the CMCA. The anchorage of restorative justice mechanisms such as alternatives to prosecution (e.g. diversion programmes) affords offenders (potentially young people) a second chance to reform and utilize their skills to more beneficial initiatives. It also creates a chance to contribute to crime prevention efforts against cybercrime/cyber-enabled crimes.

I shall be publishing more later in the year and this was just but a snippet on cyber-criminological perspectives when criminalizing conduct in the cyberspace. Happy to engage more on the same and good day to all!

With kind regards,
William

On Fri, Aug 16, 2024 at 3:57 PM A Mutheu via KICTANet <kictanet@lists.kictanet.or.ke> wrote:
Dear Mildred,
You have raised very valid points ... thank you ... as indeed cyberbullying is a pervasive social issue arising from the digital age's anonymity. While laws can punish egregious offenses, they cannot fully address the underlying moral decay at the heart of the problem. The faceless nature of the internet emboldens bullies, allowing them to inflict cruelty with impunity, that they would hesitate to exhibit in person.
To foster a more ethical cyberspace, society must prioritize digital literacy education, that promotes online and indeed offline empathy and respect for others. We need to encourage open dialogue about online behavior, support victims without shame, and hold social media platforms accountable for their content moderation policies, which are crucial steps towards creating a kinder digital environment. Ultimately, combating cyberbullying requires a multi-faceted approach that addresses both the technological and human dimensions of the issue.
As regards *Chapter 6 of the Constitution that pertains to the constitutional mandate for leadership and integrity for state officers*, and the escalating prevalence of cyberbullying, Kenya's leaders must exemplify ethical online conduct. Regrettably, many engage in/or perpetuate cyberbullying on various digital platforms, undermining their positions as role models. As custodians of the nation's values, they must recognize the immense influence they wield and conduct themselves accordingly. Conversely, numerous politicians, particularly women, endure severe cyberbullying, especially during election periods, marring our electoral process, and discouraging more women from standing for electoral positions.
Cyberbullying among the political elite can be deterred through a multi-faceted approach that can include:
1. *Stricter Regulations and Enforcement:* Imposing stringent penalties for cyberbullying by public officials, including potential disqualification from office, can serve as a strong deterrent.
2. *Media Accountability:* Encouraging media outlets to hold politicians accountable for their online behavior and to refrain from amplifying cyberbullying content.
3. *Digital Literacy Training:* Mandatory digital literacy training for politicians to enhance their understanding of online etiquette and the potential consequences of their actions.
4. *Ethical Leadership:* Encouraging political parties to adopt ethical codes of conduct that explicitly condemn cyberbullying and to promote positive online engagement.
Would love to hear what you and the other Listers think.
Stay happy,
Mutheu.
On Fri, Aug 16, 2024 at 3:00 PM Mildred Achoch <mildandred@gmail.com> wrote:
Dear Listers,
Regarding public awareness and mental health, I would like to add a social/soft skills angle. It is said, you cannot legislate morality. Cyberbullying is also a social issue. What causes it? What conditions allow it or perpetuate it? Chapter 6 of the constitution (Leadership and Integrity) can be a helpful guide.
Regards,
Mildred Achoch.
On Friday, August 16, 2024, A Mutheu via KICTANet <kictanet@lists.kictanet.or.ke> wrote:
Dear Brian,
Thanks for your detailed insights. I have added my comments on some of them to trigger further discussion with all of us listers i.e.:
*Public Awareness:* There is definitely an urgent need to enhance public cognizance of the provisions and reach of the CMCA. To this end, how best can we achieve this, i.e.:
1. What strategies can be employed by both the government and private sector to effectively educate the Kenyan public on the specific activities that are considered cybercrimes under the Computer Misuse and Cybercrimes Act, and the penalties associated with these offenses?
2. How can community-based organizations, schools, and mental health advocates collaborate to address the rise in cyberbullying and its severe consequences, such as mental health issues and suicide, by leveraging the provisions of the Computer Misuse and Cybercrimes Act?
3. What role can social media platforms and influencers play in promoting awareness and understanding of Kenya's cybercrimes legislation, and how can this be done in a way that deters nefarious activities like cyber hacktivism, while fostering responsible online behavior?
*Impact on privacy rights:* The two sections you have quoted for ease of reference of all listers are in the: *First instance S. 53 on the interception of content data*; and in the *Second instance S. 48 on search and seizure of stored computer data*.
As regards S. 53 you noted that the CMCA grants law enforcement broad powers to monitor and intercept communications, which could infringe on citizens' privacy rights. However, if you read the section in its entirety in subsection (2) it states the conditions to be met whilst making the application of such an order, and goes on in subsection (3) to clarify that courts can't grant such orders until the aforementioned conditions are met. S.53 goes on at subsection (4) to set a time limit for which such an order can be applicable and then goes on at subsection (5) to enumerate the conditions for extension of such a period.
In cyberspace, the real-time collection of electronic evidence in accordance with all legal due processes is crucial because digital trails can quickly vanish, and attributing cybercrimes remains a significant challenge. However, when conducted within the bounds of legal protocols, this process should not infringe on privacy rights as enshrined in the Constitution, as it ensures that evidence is gathered with respect for individual freedoms, under judicial oversight, and with clear, justified cause.
*Which brings me to my question as regards S.53 ... can you and/or the Listers enumerate specific ways you feel these privacy rights can be better secured?*
As regards S.48 you noted that the ‘may’ in this section implies that it is optional for the officers to seek a court order or warrant. This interpretation is erroneous as search and seizure warrants are issued based on probable cause (the may), meaning there is a reasonable belief that evidence of a crime will be found, rather than absolute certainty, to prevent the destruction or concealment of crucial evidence. Section 48 enumerates the specific grounds under which courts of competent jurisdiction can issue those orders.
*Which brings me to my question as regards S.48 ... can you and/or the Listers enumerate specific ways you feel these grounds for granting such order can be better enhanced or do they suffice?*
Albeit I am not privy to the full particulars of the Gen Z specific cases, if the law enforcement officers acted contrary to the law as alleged, then it's not because the law permitted them to act in such a manner. But that's a whole other conversation - smile!
*Restriction of Freedom of Expression:*
Section 22 pertains to false publication, and was one of the sections the Bloggers Association & others had contested as regards CMCA and whose petition the courts dismissed in Feb 2020.
The Kenyan Constitution grants us the right to freedom of expression but limits this where it can negatively impact others, and/or put them in a position of danger as enumerated in Section 24 of the Constitution which is quoted in subsection (2) of S.22. As such it is arguable that definition, which you state is broad is indeed grounded in the Mother of All Kenyan Laws … The 2010 Constitution.
*Nevertheless, how do you and/or other Listers think we can better enhance this section 22, with specific examples of how to?*
*Impact on Businesses and Individuals:*
Cybersecurity, while a substantial financial outlay, is an indispensable investment safeguarding both socioeconomic prosperity and national security, necessitating a prioritization of the broader societal benefits over the immediate costs of compliance when formulating relevant legislation.
If cybercrime were a country it would be the world's third largest economy after the US & China. A couple of years ago an Interpol report noted that cybercrime cost Africa over USD 4 Billion, which is more than the GDP of 12 African nations and for some of them double their GDP. Kenya experiences the second highest cyber attacks on the African continent. So it's imperative we prioritize our cybersecurity posture and public awareness which, yes, is costly.
But you're spot on, without financial or technical assistance, the burden of compliance may hinder the ability of smaller organizations to meet these stringent requirements, potentially leading to penalties or even forcing some out of business.
What are possible solutions:
The government could consider implementing support mechanisms, such as grants, subsidies, or public-private partnerships, to help alleviate the financial strain on smaller organizations. This would promote a more equitable landscape, ensuring that all critical infrastructure, regardless of the size of the organization, can meet the necessary cybersecurity standards without undue hardship.
Another approach could involve scaling the requirements based on the size or capacity of the organization, allowing smaller entities to comply at a level that is both manageable and effective.
*I would love to hear your and other listers' suggestions as regards possible solutions so that we can effectively but more affordably secure our nation's cyberspace*.
*Conduciveness to Technological Advancement:*
In your response you noted “*that some sections of the CMCA might inadvertently stifle innovation by imposing regulations that are difficult for innovators or small organizations to navigate*” *Can you please list the sections you deem contentious for clarity of all of us listers? This will also enable us all to better understand why you think they have a potential for arbitrary enforcement, which will also create uncertainty for innovators.*
You further stated that “*The act does not mention anything on responsible disclosure that innovators and researchers may lean on when identifying potential issues that can be responsibly disclosed and as a result strengthen the security systems and infrastructure that may be exposed.*” *Can you please suggest what type of disclosures you think would better enhance the CMCA.*
Stay happy,
Mutheu.
On Thu, Aug 15, 2024 at 5:34 PM Brian Nyali via KICTANet < kictanet@lists.kictanet.or.ke> wrote:
Dear David,
Please find my detailed response below:
*Section 1:*
*Effectiveness in Preventing and Prosecuting Cybercrime*
· Partially – The CMCA shows that the country has taken a step to put in place laws that criminalize cybercrime and allow prosecution of the same. It is dismally effective as a deterrent and as far as prosecution is concerned, I have yet to see effectiveness as it has mostly focused on social media-related issues on harassment and fake news, for other crimes the cases seem to be stuck in court for years which hardly makes it effective as a deterrent.
*Provisions Hindering Effective Prosecution:*
· Law enforcement at various stations in the country also need to be effectively trained on how to handle cybercrime-related incidents when individuals show up at police stations to either report or seek advice from the officers.
*Public Awareness:*
· Public Awareness is poorly done regarding the CMCA, a clear indication of this is on social media platforms where users have been subject to bullying, and others have called for the hacking of platforms all of which are crimes in the CMCA. The people don’t know what protections the CMCA offers.
*Section 2:*
*Impact on Privacy Rights:*
- The CMCA grants law enforcement broad powers to monitor and intercept communications, which could infringe on citizens' privacy rights. It states that “Where a police officer or an authorised person has reasonable grounds to believe that the content of any specifically identified electronic communications is required for the purposes of a specific investigation in respect of an offence, the police officer or authorised person may apply to the court for an order” and in another section “Where a police officer or an authorised person has reasonable grounds to believe that there may be in a specified computer system or part of it, computer data storage medium, program, data, that— (a) is reasonably required for the purpose of a criminal investigation or criminal proceedings which may be material as evidence; or (b) has been acquired by a person as a result of the commission of an offence, the police officer or the authorised person may apply to the court for issue of a warrant to enter any premises to access, search and similarly seize such data.” The ‘*may*’ in these sections implies that it is optional for the officers to seek a court order or warrant.
- During the recent “Gen Z” protests, some of the arrested people had their devices confiscated for ‘further analysis’ despite being released unconditionally. In my understanding, police should be required to provide a clear and specific explanation for the arrest and the reasons for seizing a person’s device. This explanation should be given in writing and should include the alleged crime and the connection of the device to the investigation if not a court order for the seizure.
*Restriction of Freedom of Expression:*
- Section 22 focuses on false publication in terms of “false”, “misleading” or “fictitious” information, this should not be abused to deter people from expressing themselves by publishing information in the form of opinions or satire. The broad definition of "false publications" under the CMCA has seemingly been used by the government and politicians to silence bloggers, journalists and social media users on various platforms.
*Section 5:*
*Impact on Businesses and Individuals:*
· Impact on Businesses in Terms of Cybersecurity Practices and Investments- The CMCA’s requirements for critical information infrastructure are extensive such as the protection of, the storing of and archiving of data held by the critical information infrastructure; (c) cyber security incident management by the critical information infrastructure; (d) disaster contingency and recovery measures, which must be put in place by the critical information infrastructure; (e) minimum physical and technical security measures that must be implemented in order to protect the critical information infrastructure;
Such requirements although necessary can be deemed as unfair since there are significant costs for compliance, such as hiring skilled personnel, training, purchasing equipment, storage, and securing licenses among others. The Act mandates stringent measures, but without providing financial or technical support, this places a disproportionate burden on organizations, especially smaller ones.
*Section 6:*
*Analysis of the Effectiveness of the CMCA in Embracing Emerging Technologies and the Associated Cyberthreats*
*Conduciveness to Technological Advancement:*
Some sections of the CMCA might inadvertently stifle innovation by imposing regulations that are difficult for innovators or small organizations to navigate. The potential for arbitrary enforcement also creates uncertainty for innovators.
· The act does not mention anything on responsible disclosure that innovators and researchers may lean on when identifying potential issues that can be responsibly disclosed and as a result strengthen the security systems and infrastructure that may be exposed.
· The CMCA allows the government to declare certain infrastructure as critical, with heavy regulatory requirements for cybersecurity, data protection, and incident management. While necessary, the lack of financial or technical support makes it difficult for smaller outfits to comply. High compliance costs and stringent requirements could deter new entrants or smaller firms from innovating in certain sectors or causing disruption in others lest they are deemed as critical infrastructure, potentially leading to reduced competition and innovation.
*Addressing Emerging Technologies (AI, Blockchain, IoT, Quantum Computing, Cryptocurrency):*
- The CMCA does not specifically address newer technologies like AI, blockchain, IoT, quantum computing, or cryptocurrency, leaving regulatory grey areas that could be exploited.
*Section 7: General Questions*
*Legal Uncertainties or Ambiguities in the Act:*
- The word "may" implies that obtaining a court order or warrant is optional rather than mandatory. This leaves room for interpretation, which could lead to inconsistent enforcement. Some officers might proceed without a court order, while others might seek one, creating uncertainty for individuals and organizations about their rights and protections.
*Capacity-Building Needs of Law Enforcement and Judiciary:*
- Establish comprehensive training programs on digital forensics, cybercrime investigation, and evidence preservation. This could include mandatory courses for officers, specialized cybercrime units, and collaboration with cybersecurity experts.
- Increase recruitment and training of officers specifically for those handling cybercrime-related cases. Allocate resources to ensure that these units are adequately staffed and equipped to handle the growing number of cases.
- Consider the creation of a specialized cybercrime court to handle all cyber-related cases. Provide continuous training for judges and legal practitioners in this court to keep up with evolving technologies and cyber threats.
*Robustness of Kenya’s Cybersecurity Infrastructure:*
- Granted there have been significant improvements in Kenya’s cybersecurity posture, but the current state of Government and parastatal technology, resilience and infrastructure is significantly under-equipped and unable to address the challenges posed by rapidly advancing technologies and techniques in play by malicious actors.
*Kind regards,* *Brian M. Nyali.*
On Thu, 15 Aug 2024 at 08:41, David Indeje via KICTANet < kictanet@lists.kictanet.or.ke> wrote:
Dear Listers,
*Day 3:*
The CMCA has profound implications for businesses, individuals, and the digital economy in Kenya. Its effectiveness in balancing innovation with cybersecurity, addressing emerging technologies, and protecting individual rights is a subject of ongoing debate. Today, we encourage discussion on the challenges and opportunities presented by the CMCA and explore potential solutions to enhance its effectiveness in shaping a secure and vibrant digital future for Kenya.
*Section 5: Impact on Businesses and Individuals.*
1. How has the CMCA impacted businesses in Kenya in terms of cybersecurity practices and investments?
2. Do you believe the CMCA adequately protects the rights of individuals in the digital space?
3. Have there been any unintended consequences of the CMCA on businesses or individuals?
4. How has the CMCA affected the digital economy in Kenya?
*Section 6: An analysis of the effectiveness of the CMCA to embrace emerging technologies and the cyberthreats they pose therein.*
1. How does the CMCA balance the need for innovation with cybersecurity?
2. Does the Act create an environment conducive to technological advancement or are there any provisions that stifle innovation?
3. How well does the CMCA address emerging technologies such as artificial intelligence, blockchain, Internet of Things (IoT), quantum computing and cryptocurrency? What can be done to enhance its ability to address these lacunas (if any).
4. How can the legal framework provided by the CMCA be enhanced to regulate the use of emerging technologies, while protecting individual digital rights?
*Section 7: General Questions.*
1. Are there any legal uncertainties or ambiguities in the Act that hinder its effectiveness?
2. What are the capacity-building needs of law enforcement and the judiciary in addressing cybercrimes related to emerging technologies?
3. Is the country’s cybersecurity infrastructure sufficiently robust to address the challenges posed by emerging technologies?
4. Any other relevant comment that you may wish to include as regards the CMCA?
-- *Kind Regards,*
*David Indeje*
*@**KICTANet* <https://www.kictanet.or.ke/> * Communications *_____________________________________ +254 (0) 711 385 945 | +254 (0) 734 024 856 KICTANet portals Connect With Us <https://linktr.ee/Kictanet> ______________________________________
_______________________________________________ KICTANet mailing list -- kictanet@lists.kictanet.or.ke To unsubscribe send an email to kictanet-leave@lists.kictanet.or.ke Unsubscribe or change your options at: https://mm3-lists.kictanet.or.ke/mm/lists/kictanet.lists.kictanet.or.ke/
Mailing List Posts Online: https://posts.kictanet.or.ke/
Twitter: https://twitter.com/KICTANet/ Facebook: https://www.facebook.com/KICTANet/ Instagram: https://www.instagram.com/KICTANet/ LinkedIn: https://www.linkedin.com/company/kictanet/ YouTube: https://www.youtube.com/channel/UCbcLVjnPtTGBEeYLGUb2Yow/ WhatsApp Channel: https://whatsapp.com/channel/0029VaQsX4w6mYPIctLsGh1K
KICTANet is a multi-stakeholder Think Tank for people and institutions interested and involved in ICT policy and regulation. KICTANet is a catalyst for reform in the Information and Communication Technology sector. Its work is guided by four pillars of Policy Advocacy, Capacity Building, Research, and Stakeholder Engagement.
KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.
PRIVACY POLICY: See https://mm3-lists.kictanet.or.ke/mm/lists/kictanet.lists.kictanet.or.ke/
KICTANet - The Power of Communities, is Kenya's premier ICT policy engagement platform.
Greetings William,
Interesting perspective. Are you implying that how we handle criminal activities online should be differentiated from the same activities offline?
Regards
On Tue, Aug 20, 2024 at 10:44 AM william mathenge via KICTANet < kictanet@lists.kictanet.or.ke> wrote:
Dear Listers,
This is a timely discussion indeed, but more importantly because it affords an opportunity into how we approach criminalization of cybercrimes/ cyber enabled crimes.
Research is growing into cyber-criminology and cyber-delinquency which has been seen to *predominantly occur among youth* - due to various factors e.g. pre-disposition as digital natives - this is across the continent (Yahooboysim) and the globe. This begs the question, what is the penal philosophy informing criminalization of conduct in the cyberspace? The current model of sanctions and punishment appears to take a securitized approach which will mean that effective investigation and prosecution of such offenders translates to a majority being highly skilled youth behind bars.
There is an ongoing penal reform process across the justice sector advocating for alternatives to prosecution, trial and imprisonment. This creates an opportunity to reconsider the penal regime in the CMCA. The anchorage of restorative justice mechanisms such as alternatives to prosecution (e.g. diversion programmes) affords offenders (potentially young people) a second chance to reform and utilize their skills to more beneficial initiatives. It also creates a chance to contribute to crime prevention efforts against cybercrime/ cyber-enabled crimes.
I shall be publishing more later in the year and this was just but a snippet on cyber-criminological perspectives when criminalizing conduct in the cyberspace. Happy to engage more on the same and good day to all!
with kind regards, William
On Fri, Aug 16, 2024 at 3:57 PM A Mutheu via KICTANet < kictanet@lists.kictanet.or.ke> wrote:
Dear Mildred,
You have raised very valid points ... thank you ... as indeed cyberbullying is a pervasive social issue arising from the digital age's anonymity. While laws can punish egregious offenses, they cannot fully address the underlying moral decay at the heart of the problem. The faceless nature of the internet emboldens bullies, allowing them to inflict cruelty with impunity, that they would hesitate to exhibit in person.
To foster a more ethical cyberspace, society must prioritize digital literacy education, that promotes online and indeed offline empathy and respect for others. We need to encourage open dialogue about online behavior, support victims without shame, and hold social media platforms accountable for their content moderation policies, which are crucial steps towards creating a kinder digital environment. Ultimately, combating cyberbullying requires a multi-faceted approach that addresses both the technological and human dimensions of the issue.
As regards *Chapter 6 of the Constitution that pertains to the constitutional mandate for leadership and integrity for state officers*, and the escalating prevalence of cyberbullying, Kenya's leaders must exemplify ethical online conduct. Regrettably, many engage in/or perpetuate cyberbullying on various digital platforms, undermining their positions as role models. As custodians of the nation's values, they must recognize the immense influence they wield and conduct themselves accordingly. Conversely, numerous politicians, particularly women, endure severe cyberbullying, especially during election periods, marring our electoral process, and discouraging more women to stand for electoral positions.
Cyberbullying among the political elite can be deterred through a multi-faceted approach that can include :
1. *Stricter Regulations and Enforcement:* Imposing stringent penalties for cyberbullying by public officials, including potential disqualification from office, can serve as a strong deterrent.
2. *Media Accountability:* Encouraging media outlets to hold politicians accountable for their online behavior and to refrain from amplifying cyberbullying content.
3. *Digital Literacy Training:* Mandatory digital literacy training for politicians to enhance their understanding of online etiquette and the potential consequences of their actions.
4. *Ethical Leadership:* Encouraging political parties to adopt ethical codes of conduct that explicitly condemn cyberbullying and to promote positive online engagement.
Would love to hear what you and the other Listers think.
Stay happy, Mutheu.
On Fri, Aug 16, 2024 at 3:00 PM Mildred Achoch <mildandred@gmail.com> wrote:
Dear Listers,
Regarding public awareness and mental health, I would like to add a social/soft skills angle. It is said, you cannot legislate morality. Cyberbullying is also a social issue. What causes it? What conditions allow it or perpetuate it? Chapter 6 of the constitution (Leadership and Integrity) can be a helpful guide.
Regards, Mildred Achoch.
On Friday, August 16, 2024, A Mutheu via KICTANet < kictanet@lists.kictanet.or.ke> wrote:
Dear Brian,
Thanks for your detailed insights. I have added my comments on some of them to trigger further discussion with all of us listers i.e.:
*Public Awareness:* There is definitely an urgent need to enhance public cognizance of the provisions and reach of the CMCA. To this end, how best can we achieve this, i.e.:
1. What strategies can be employed by both the government and private sector to effectively educate the Kenyan public on the specific activities that are considered cybercrimes under the Computer Misuse and Cybercrimes Act, and the penalties associated with these offenses?
2. How can community-based organizations, schools, and mental health advocates collaborate to address the rise in cyberbullying and its severe consequences, such as mental health issues and suicide, by leveraging the provisions of the Computer Misuse and Cybercrimes Act?
3. What role can social media platforms and influencers play in promoting awareness and understanding of Kenya's cybercrimes legislation, and how can this be done in a way that deters nefarious activities like cyber hacktivism, while fostering responsible online behavior?
*Impact on privacy rights:* The two sections you have quoted for ease of reference of all listers are in the: *First instance S. 53 on the interception of content data*; and in the *Second instance S. 48 on search and seizure of stored computer data* .
As regards S. 53 you noted that the CMCA grants law enforcement broad powers to monitor and intercept communications, which could infringe on citizens' privacy rights. However, if you read the section in its entirety, subsection (2) states the conditions to be met whilst making the application for such an order, and subsection (3) goes on to clarify that courts can't grant such orders until the aforementioned conditions are met. S.53 goes on at subsection (4) to set a time limit for which such an order can be applicable and then goes on at subsection (5) to enumerate the conditions for extension of such a period.
In cyberspace, the real-time collection of electronic evidence in accordance with all legal due processes is crucial because digital trails can quickly vanish, and attributing cybercrimes remains a significant challenge. However, when conducted within the bounds of legal protocols, this process should not infringe on privacy rights as enshrined in the Constitution, as it ensures that evidence is gathered with respect for individual freedoms, under judicial oversight, and with clear, justified cause.
*Which brings me to my question as regards S.53 ... can you and/or the Listers enumerate specific ways you feel these privacy rights can be better secured?*
As regards S.48 you noted that the ‘may’ in this section implies that it is optional for the officers to seek a court order or warrant. This interpretation is erroneous as search and seizure warrants are issued based on probable cause (the may), meaning there is a reasonable belief that evidence of a crime will be found, rather than absolute certainty, to prevent the destruction or concealment of crucial evidence. Section 48 enumerates the specific grounds under which courts of competent jurisdiction can issue those orders.
*Which brings me to my question as regards S.48 ... can you and/or the Listers enumerate specific ways you feel these grounds for granting such order can be better enhanced or do they suffice?*
Albeit I am not privy to the full particulars of the Gen Z specific cases, if the law enforcement officers acted contrary to the law as alleged, then it's not because the law permitted them to act in such a manner. But that's a whole other conversation - smile!
*Restriction of Freedom of Expression: *
Section 22 pertains to false publication, and was one of the sections the Bloggers Association & others had contested as regards CMCA and whose petition the courts dismissed in Feb 2020.
The Kenyan Constitution grants us the right to freedom of expression but limits this where it can negatively impact others, and/or put them in a position of danger as enumerated in Section 24 of the Constitution which is quoted in subsection (2) of S.22. As such it is arguable that the definition, which you state is broad, is indeed grounded in the Mother of All Kenyan Laws … The 2010 Constitution.
*Nevertheless, how do you and/or other Listers think we can better enhance this section 22, with specific examples of how to?*
*Impact on Businesses and Individuals: *
Cybersecurity, while a substantial financial outlay, is an indispensable investment safeguarding both socioeconomic prosperity and national security, necessitating a prioritization of the broader societal benefits over the immediate costs of compliance when formulating relevant legislation.
If cybercrime were a country it would be the world's third largest economy after the US & China. A couple of years ago an Interpol report noted that cybercrime cost Africa over USD 4 Billion, which is more than the GDP of 12 African nations and for some of them double their GDP. Kenya experiences the second highest cyber attacks on the African continent. So it's imperative we prioritize our cybersecurity posture and public awareness which, yes, is costly.
But you're spot on, without financial or technical assistance, the burden of compliance may hinder the ability of smaller organizations to meet these stringent requirements, potentially leading to penalties or even forcing some out of business.
What are possible solutions:
The government could consider implementing support mechanisms, such as grants, subsidies, or public-private partnerships, to help alleviate the financial strain on smaller organizations. This would promote a more equitable landscape, ensuring that all critical infrastructure, regardless of the size of the organization, can meet the necessary cybersecurity standards without undue hardship.
Another approach could involve scaling the requirements based on the size or capacity of the organization, allowing smaller entities to comply at a level that is both manageable and effective.
*I would love to hear your and other listers' suggestions as regards possible solutions so that we can effectively but more affordably secure our nation's cyberspace*.
*Conduciveness to Technological Advancement: *
In your response you noted “*that some sections of the CMCA might inadvertently stifle innovation by imposing regulations that are difficult for innovators or small organizations to navigate*” *Can you please list the sections you deem contentious for clarity of all of us listers? This will also enable us all to better understand why you think they have a potential for arbitrary enforcement, which will also create uncertainty for innovators.*
You further stated that “*The act does not mention anything on responsible disclosure that innovators and researchers may lean on when identifying potential issues that can be responsibly disclosed and as a result strengthen the security systems and infrastructure that may be exposed.” **Can you please suggest what type of disclosures you think would better enhance the CMCA.*
Stay happy,
Mutheu.
On Thu, Aug 15, 2024 at 5:34 PM Brian Nyali via KICTANet < kictanet@lists.kictanet.or.ke> wrote:
Dear David,
Please find my detailed response below:
*Section 1:*
*Effectiveness in Preventing and Prosecuting Cybercrime *
· Partially – The CMCA shows that the country has taken a step to put in place laws that criminalize cybercrime and allow prosecution of the same. It is dismally effective as a deterrent and as far as prosecution is concerned, I have yet to see effectiveness as it has mostly focused on social media-related issues on harassment and fake news, for other crimes the cases seem to be stuck in court for years which hardly makes it effective as a deterrent.
*Provisions Hindering Effective Prosecution:*
· Law enforcement at various stations in the country also need to be effectively trained on how to handle cybercrime-related incidents when individuals show up at police stations to either report or seek advice from the officers.
*Public Awareness:*
· Public Awareness is poorly done regarding the CMCA, a clear indication of this is on social media platforms where users have been subject to bullying, and others have called for the hacking of platforms all of which are crimes in the CMCA. The people don’t know what protections the CMCA offers.
*Section 2: *
*Impact on Privacy Rights: *
- The CMCA grants law enforcement broad powers to monitor and intercept communications, which could infringe on citizens' privacy rights. It states that “Where a police officer or an authorised person has reasonable grounds to believe that the content of any specifically identified electronic communications is required for the purposes of a specific investigation in respect of an offence, the police officer or authorised person may apply to the court for an order” and in another section “Where a police officer or an authorised person has reasonable grounds to believe that there may be in a specified computer system or part of it, computer data storage medium, program, data, that— (a) is reasonably required for the purpose of a criminal investigation or criminal proceedings which may be material as evidence; or (b) has been acquired by a person as a result of the commission of an offence, the police officer or the authorised person may apply to the court for issue of a warrant to enter any premises to access, search and similarly seize such data.” The ‘*may*’ in these sections implies that it is optional for the officers to seek a court order or warrant.
- During the recent “Gen Z” protests, some of the arrested people had their devices confiscated for ‘further analysis’ despite being released unconditionally. In my understanding, police should be required to provide a clear and specific explanation for the arrest and the reasons for seizing a person’s device. This explanation should be given in writing and should include the alleged crime and the connection of the device to the investigation if not a court order for the seizure.
*Restriction of Freedom of Expression:*
- Section 22 focuses on false publication in terms of “false”, “misleading” or “fictitious” information, this should not be abused to deter people from expressing themselves by publishing information in the form of opinions or satire. The broad definition of "false publications" under the CMCA has seemingly been used by the government and politicians to silence bloggers, journalists and social media users on various platforms.
*Section 5: *
*Impact on Businesses and Individuals:*
· Impact on Businesses in Terms of Cybersecurity Practices and Investments- The CMCA’s requirements for critical information infrastructure are extensive such as the protection of, the storing of and archiving of data held by the critical information infrastructure; (c) cyber security incident management by the critical information infrastructure; (d) disaster contingency and recovery measures, which must be put in place by the critical information infrastructure; (e) minimum physical and technical security measures that must be implemented in order to protect the critical information infrastructure;
Such requirements although necessary can be deemed as unfair since there are significant costs for compliance, such as hiring skilled personnel, training, purchasing equipment, storage, and securing licenses among others. The Act mandates stringent measures, but without providing financial or technical support, this places a disproportionate burden on organizations, especially smaller ones.
*Section 6:*
*Analysis of the Effectiveness of the CMCA in Embracing Emerging Technologies and the Associated Cyberthreats*
*Conduciveness to Technological Advancement:*
Some sections of the CMCA might inadvertently stifle innovation by imposing regulations that are difficult for innovators or small organizations to navigate. The potential for arbitrary enforcement also creates uncertainty for innovators.
· The act does not mention anything on responsible disclosure that innovators and researchers may lean on when identifying potential issues that can be responsibly disclosed and as a result strengthen the security systems and infrastructure that may be exposed.
· The CMCA allows the government to declare certain infrastructure as critical, with heavy regulatory requirements for cybersecurity, data protection, and incident management. While necessary, the lack of financial or technical support makes it difficult for smaller outfits to comply. High compliance costs and stringent requirements could deter new entrants or smaller firms from innovating in certain sectors or causing disruption in others lest they are deemed as critical infrastructure, potentially leading to reduced competition and innovation.
*Addressing Emerging Technologies (AI, Blockchain, IoT, Quantum Computing, Cryptocurrency):*
- The CMCA does not specifically address newer technologies like AI, blockchain, IoT, quantum computing, or cryptocurrency, leaving regulatory grey areas that could be exploited.
*Section 7: General Questions*
*Legal Uncertainties or Ambiguities in the Act:*
- The word "may" implies that obtaining a court order or warrant is optional rather than mandatory. This leaves room for interpretation, which could lead to inconsistent enforcement. Some officers might proceed without a court order, while others might seek one, creating uncertainty for individuals and organizations about their rights and protections.
*Capacity-Building Needs of Law Enforcement and Judiciary:*
- Establish comprehensive training programs on digital forensics, cybercrime investigation, and evidence preservation. This could include mandatory courses for officers, specialized cybercrime units, and collaboration with cybersecurity experts.
- Increase recruitment and training of officers specifically for those handling cybercrime-related cases. Allocate resources to ensure that these units are adequately staffed and equipped to handle the growing number of cases.
- Consider the creation of a specialized cybercrime court to handle all cyber-related cases. Provide continuous training for judges and legal practitioners in this court to keep up with evolving technologies and cyber threats.
*Robustness of Kenya’s Cybersecurity Infrastructure:*
- Granted there have been significant improvements in Kenya’s cybersecurity posture, but the current state of Government and parastatal technology, resilience and infrastructure is significantly under-equipped and unable to address the challenges posed by rapidly advancing technologies and techniques in play by malicious actors.
*Kind regards,* *Brian M. Nyali.*
On Thu, 15 Aug 2024 at 08:41, David Indeje via KICTANet < kictanet@lists.kictanet.or.ke> wrote:
Dear Listers,
*Day 3:*
The CMCA has profound implications for businesses, individuals, and the digital economy in Kenya. Its effectiveness in balancing innovation with cybersecurity, addressing emerging technologies, and protecting individual rights is a subject of ongoing debate. Today, we encourage discussion on the challenges and opportunities presented by the CMCA and explore potential solutions to enhance its effectiveness in shaping a secure and vibrant digital future for Kenya.
*Section 5: Impact on Businesses and Individuals.*
1. How has the CMCA impacted businesses in Kenya in terms of cybersecurity practices and investments?
2. Do you believe the CMCA adequately protects the rights of individuals in the digital space?
3. Have there been any unintended consequences of the CMCA on businesses or individuals?
4. How has the CMCA affected the digital economy in Kenya?
*Section 6: An analysis of the effectiveness of the CMCA to embrace emerging technologies and the cyberthreats they pose therein.*
1. How does the CMCA balance the need for innovation with cybersecurity?
2. Does the Act create an environment conducive to technological advancement or are there any provisions that stifle innovation?
3. How well does the CMCA address emerging technologies such as artificial intelligence, blockchain, Internet of Things (IoT), quantum computing and cryptocurrency? What can be done to enhance its ability to address these lacunas (if any).
4. How can the legal framework provided by the CMCA be enhanced to regulate the use of emerging technologies, while protecting individual digital rights?
*Section 7: General Questions.*
1. Are there any legal uncertainties or ambiguities in the Act that hinder its effectiveness?
2. What are the capacity-building needs of law enforcement and the judiciary in addressing cybercrimes related to emerging technologies?
3. Is the country’s cybersecurity infrastructure sufficiently robust to address the challenges posed by emerging technologies?
4. Any other relevant comment that you may wish to include as regards the CMCA?
-- *Kind Regards,*
*David Indeje*
*@**KICTANet* <https://www.kictanet.or.ke/> * Communications *_____________________________________ +254 (0) 711 385 945 | +254 (0) 734 024 856 KICTANet portals Connect With Us <https://linktr.ee/Kictanet> ______________________________________
KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.
PRIVACY POLICY: See https://mm3-lists.kictanet.or.ke/mm/lists/kictanet.lists.kictanet.or.ke/
KICTANet - The Power of Communities, is Kenya's premier ICT policy engagement platform.
-- *Barrack Otieno* *Trustee* *Kenya ICT Action Network (KICTAnet)* *Skype:barrack.otieno* *+254721325277* *https://www.linkedin.com/in/barrack-otieno-2101262b/ <https://www.linkedin.com/in/barrack-otieno-2101262b/>* *www.kictanet.or.ke <http://www.kictanet.or.ke>*
Dear William,

Thanks for your insights and looking forward to reading your publication when it's ready. You have raised pertinent issues i.e. approaching the criminalization of cybercrimes and cyber-enabled crimes requires a nuanced understanding of both the offenders and the environment in which these crimes occur. I concur that research into cyber-criminology and cyber-delinquency indicates that many offenders, particularly youth, are digital natives who may be predisposed to engaging in cybercrimes due to their familiarity with technology and the digital space. For instance, "Yahoo Boys" in West Africa, who engage in online fraud, often do so as a means of economic survival.

I further agree that the current punitive approach, focused on securitization and imprisonment, risks incarcerating a large number of highly skilled young individuals, thus wasting potential talent that could be redirected towards positive contributions to society. Instead of purely punitive measures, a balanced penal philosophy that recognizes the socio-economic and psychological factors driving these behaviors is necessary. In my opinion a balanced penal philosophy that acknowledges the socio-economic and psychological factors driving youthful digital natives into cybercrime is essential, as it offers them the opportunity to turn their lives around by providing viable alternative livelihoods, thereby reducing their need to engage in criminal activities. It does not however mean that "hardcore" offenders should get off - smile!

However, this context underscores the need for a penal reform process that integrates restorative justice mechanisms, particularly within the framework of laws like the Computer Misuse and Cybercrimes Act (CMCA). By incorporating alternatives to traditional prosecution—such as diversion programs—into the penal system, there is a potential to offer young offenders a second chance. These programs can redirect their technical skills toward more constructive endeavors, thereby aiding their rehabilitation and reducing recidivism. Moreover, such initiatives can significantly contribute to crime prevention by transforming former offenders into assets within cybersecurity, where their knowledge of cyber tactics could be repurposed to protect against future threats.

I believe that a shift from punitive to restorative justice would align with broader justice sector reforms and offer a more sustainable and humane approach to addressing cybercrimes; however, to prevent serious criminal syndicates from exploiting these reforms, stringent measures must be put in place to differentiate between minor offenders and those involved in organized cybercrime, ensuring that the latter are subject to appropriate legal consequences.

Stay happy, Mutheu

On Tue, Aug 20, 2024 at 10:43 AM william mathenge < willbill.mathenge@gmail.com> wrote:
Dear Listers,
This is a timely discussion indeed, but more importantly because it affords an opportunity into how we approach criminalization of cybercrimes/ cyber enabled crimes.
Research is growing into cyber-criminology and cyber-delinquency which has been seen to *predominantly occur among youth* - due to various factors e.g. pre-disposition as digital natives - this is across the continent (Yahooboyism) and the globe. This begs the question, what is the penal philosophy informing criminalization of conduct in the cyberspace? The current model of sanctions and punishment appears to take a securitized approach which will mean that effective investigation and prosecution of such offenders translates to a majority being highly skilled youth behind bars.
There is an ongoing penal reform process across the justice sector advocating for alternatives to prosecution, trial and imprisonment. This creates an opportunity to reconsider the penal regime in the CMCA. The anchorage of restorative justice mechanisms such as alternatives to prosecution (e.g. diversion programmes) affords offenders (potentially young people) a second chance to reform and utilize their skills to more beneficial initiatives. It also creates a chance to contribute to crime prevention efforts against cybercrime/ cyber-enabled crimes.
I shall be publishing more later in the year and this was just but a snippet on cyber-criminological perspectives when criminalizing conduct in the cyberspace. Happy to engage more on the same and good day to all!
with kind regards, William
On Fri, Aug 16, 2024 at 3:57 PM A Mutheu via KICTANet < kictanet@lists.kictanet.or.ke> wrote:
Dear Mildred,
You have raised very valid points ... thank you ... as indeed cyberbullying is a pervasive social issue arising from the digital age's anonymity. While laws can punish egregious offenses, they cannot fully address the underlying moral decay at the heart of the problem. The faceless nature of the internet emboldens bullies, allowing them to inflict cruelty with impunity, that they would hesitate to exhibit in person.
To foster a more ethical cyberspace, society must prioritize digital literacy education, that promotes online and indeed offline empathy and respect for others. We need to encourage open dialogue about online behavior, support victims without shame, and hold social media platforms accountable for their content moderation policies, which are crucial steps towards creating a kinder digital environment. Ultimately, combating cyberbullying requires a multi-faceted approach that addresses both the technological and human dimensions of the issue.
As regards *Chapter 6 of the Constitution that pertains to the constitutional mandate for leadership and integrity for state officers*, and the escalating prevalence of cyberbullying, Kenya's leaders must exemplify ethical online conduct. Regrettably, many engage in/or perpetuate cyberbullying on various digital platforms, undermining their positions as role models. As custodians of the nation's values, they must recognize the immense influence they wield and conduct themselves accordingly. Conversely, numerous politicians, particularly women, endure severe cyberbullying, especially during election periods, marring our electoral process, and discouraging more women to stand for electoral positions.
Cyberbullying among the political elite can be deterred through a multi-faceted approach that can include:
1. *Stricter Regulations and Enforcement:* Imposing stringent penalties for cyberbullying by public officials, including potential disqualification from office, can serve as a strong deterrent.
2. *Media Accountability:* Encouraging media outlets to hold politicians accountable for their online behavior and to refrain from amplifying cyberbullying content.
3. *Digital Literacy Training:* Mandatory digital literacy training for politicians to enhance their understanding of online etiquette and the potential consequences of their actions.
4. *Ethical Leadership:* Encouraging political parties to adopt ethical codes of conduct that explicitly condemn cyberbullying and to promote positive online engagement.
Would love to think what you and the other Listers think.
Stay happy, Mutheu.
On Fri, Aug 16, 2024 at 3:00 PM Mildred Achoch <mildandred@gmail.com> wrote:
Dear Listers,
Regarding public awareness and mental health, I would like to add a social/soft skills angle. It is said, you cannot legislate morality. Cyberbullying is also a social issue. What causes it? What conditions allow it or perpetuate it? Chapter 6 of the constitution (Leadership and Integrity) can be a helpful guide.
Regards, Mildred Achoch.
On Friday, August 16, 2024, A Mutheu via KICTANet < kictanet@lists.kictanet.or.ke> wrote:
Dear Brian,
Thanks for your detailed insights. I have added my comments on some of them to trigger further discussion with all of us listers i.e.:
*Public Awareness:* There is definitely an urgent need to enhance public cognizance of the provisions and reach of the CMCA to this end how best can we achieve this i.e.:
1. What strategies can be employed by both the government and private sector to effectively educate the Kenyan public on the specific activities that are considered cybercrimes under the Computer Misuse and Cybercrimes Act, and the penalties associated with these offenses?
2. How can community-based organizations, schools, and mental health advocates collaborate to address the rise in cyberbullying and its severe consequences, such as mental health issues and suicide, by leveraging the provisions of the Computer Misuse and Cybercrimes Act?
3. What role can social media platforms and influencers play in promoting awareness and understanding of Kenya's cybercrimes legislation, and how can this be done in a way that deters nefarious activities like cyber hacktivism, while fostering responsible online behavior?
*Impact on privacy rights:* The two sections you have quoted for ease of reference of all listers are in the: *First instance S. 53 on the interception of content data*; and in the *Second instance S. 48 on search and seizure of stored computer data* .
As regards S. 53 you noted that the CMCA grants law enforcement broad powers to monitor and intercept communications, which could infringe on citizens' privacy rights. However, if you read the section in its entirety in subsection (2) it states the conditions to be met whilst making the application of such an order, and goes on in subsection (3) to clarify that courts can't grant such orders until the aforementioned conditions are met. S.53 goes on at subsection (4) to set a time limit for which such an order can be applicable and then goes on at subsection (5) to enumerate the conditions for extension of such a period.
In cyberspace, the real-time collection of electronic evidence in accordance with all legal due processes is crucial because digital trails can quickly vanish, and attributing cybercrimes remains a significant challenge. However, when conducted within the bounds of legal protocols, this process should not infringe on privacy rights as enshrined in the Constitution, as it ensures that evidence is gathered with respect for individual freedoms, under judicial oversight, and with clear, justified cause.
*Which brings me to my question as regards S.53 ... can you and/or the Listers enumerate specific ways you feel these privacy rights can be better secured?*
As regards S.48 you noted that the ‘may’ in this section implies that it is optional for the officers to seek a court order or warrant. This interpretation is erroneous as search and seizure warrants are issued based on probable cause (the may), meaning there is a reasonable belief that evidence of a crime will be found, rather than absolute certainty, to prevent the destruction or concealment of crucial evidence. Section 48 enumerates the specific grounds under which courts of competent jurisdiction can issue those orders.
*Which brings me to my question as regards S.48 ... can you and/or the Listers enumerate specific ways you feel these grounds for granting such order can be better enhanced or do they suffice?*
Albeit I am not privy to the full particulars of the Gen Z specific cases, if the law enforcement officers acted contrary to the law as alleged, then it's not because the law permitted them to act in such a manner. But that's a whole other conversation - smile!
*Restriction of Freedom of Expression:*
Section 22 pertains to false publication, and was one of the sections the Bloggers Association & others had contested as regards CMCA and whose petition the courts dismissed in Feb 2020.
The Kenyan Constitution grants us the right to freedom of expression but limits this where it can negatively impact others, and/or put them in a position of danger as enumerated in Section 24 of the Constitution which is quoted in subsection (2) of S.22. As such it is arguable that definition, which you state is broad is indeed grounded in the Mother of All Kenyan Laws … The 2010 Constitution.
*Nevertheless, how do you and/or other Listers think we can better enhance this section 22, with specific examples of how to?*
*Impact on Businesses and Individuals:*
Cybersecurity, while a substantial financial outlay, is an indispensable investment safeguarding both socioeconomic prosperity and national security, necessitating a prioritization of the broader societal benefits over the immediate costs of compliance when formulating relevant legislation.
If cybercrime were a country it would be the world's third largest economy after the US & China. A couple of years ago an Interpol report noted that cybercrime cost Africa over USD 4 Billion, which is more than the GDP of 12 African nations and for some of them double their GDP. Kenya experiences the second highest cyber attacks on the African continent. So it's imperative we prioritize our cybersecurity posture and public awareness which, yes, is costly.
But you're spot on, without financial or technical assistance, the burden of compliance may hinder the ability of smaller organizations to meet these stringent requirements, potentially leading to penalties or even forcing some out of business.
What are possible solutions:
The government could consider implementing support mechanisms, such as grants, subsidies, or public-private partnerships, to help alleviate the financial strain on smaller organizations. This would promote a more equitable landscape, ensuring that all critical infrastructure, regardless of the size of the organization, can meet the necessary cybersecurity standards without undue hardship.
Another approach could involve scaling the requirements based on the size or capacity of the organization, allowing smaller entities to comply at a level that is both manageable and effective.
*I would love to hear your and other listers' suggestions as regards possible solutions so that we can effectively but more affordably secure our nation's cyberspace*.
*Conduciveness to Technological Advancement:*
In your response you noted “*that some sections of the CMCA might inadvertently stifle innovation by imposing regulations that are difficult for innovators or small organizations to navigate*” *Can you please list the sections you deem contentious for clarity of all of us listers? This will also enable us all to better understand why you think they have a potential for arbitrary enforcement, which will also create uncertainty for innovators.*
You further stated that “*The act does not mention anything on responsible disclosure that innovators and researchers may lean on when identifying potential issues that can be responsibly disclosed and as a result strengthen the security systems and infrastructure that may be exposed.*” *Can you please suggest what type of disclosures you think would better enhance the CMCA.*
Stay happy,
Mutheu.
On Thu, Aug 15, 2024 at 5:34 PM Brian Nyali via KICTANet < kictanet@lists.kictanet.or.ke> wrote:
Dear David,
Please find my detailed response below:
*Section 1:*
*Effectiveness in Preventing and Prosecuting Cybercrime*
· Partially – The CMCA shows that the country has taken a step to put in place laws that criminalize cybercrime and allow prosecution of the same. It is dismally effective as a deterrent and as far as prosecution is concerned, I have yet to see effectiveness as it has mostly focused on social media-related issues on harassment and fake news, for other crimes the cases seem to be stuck in court for years which hardly makes it effective as a deterrent.
*Provisions Hindering Effective Prosecution:*
· Law enforcement at various stations in the country also need to be effectively trained on how to handle cybercrime-related incidents when individuals show up at police stations to either report or seek advice from the officers.
*Public Awareness:*
· Public Awareness is poorly done regarding the CMCA, a clear indication of this is on social media platforms where users have been subject to bullying, and others have called for the hacking of platforms all of which are crimes in the CMCA. The people don’t know what protections the CMCA offers.
*Section 2:*
*Impact on Privacy Rights:*
- The CMCA grants law enforcement broad powers to monitor and intercept communications, which could infringe on citizens' privacy rights. It states that “Where a police officer or an authorised person has reasonable grounds to believe that the content of any specifically identified electronic communications is required for the purposes of a specific investigation in respect of an offence, the police officer or authorised person may apply to the court for an order” and in another section “Where a police officer or an authorised person has reasonable grounds to believe that there may be in a specified computer system or part of it, computer data storage medium, program, data, that— (a) is reasonably required for the purpose of a criminal investigation or criminal proceedings which may be material as evidence; or (b) has been acquired by a person as a result of the commission of an offence, the police officer or the authorised person may apply to the court for issue of a warrant to enter any premises to access, search and similarly seize such data.” The ‘*may*’ in these sections implies that it is optional for the officers to seek a court order or warrant.
- During the recent “Gen Z” protests, some of the arrested people had their devices confiscated for ‘further analysis’ despite being released unconditionally. In my understanding, police should be required to provide a clear and specific explanation for the arrest and the reasons for seizing a person’s device. This explanation should be given in writing and should include the alleged crime and the connection of the device to the investigation if not a court order for the seizure.
*Restriction of Freedom of Expression:*
- Section 22 focuses on false publication in terms of “false”, “misleading” or “fictitious” information, this should not be abused to deter people from expressing themselves by publishing information in the form of opinions or satire. The broad definition of "false publications" under the CMCA has seemingly been used by the government and politicians to silence bloggers, journalists and social media users on various platforms.
*Section 5:*
*Impact on Businesses and Individuals:*
· Impact on Businesses in Terms of Cybersecurity Practices and Investments- The CMCA’s requirements for critical information infrastructure are extensive such as the protection of, the storing of and archiving of data held by the critical information infrastructure; (c) cyber security incident management by the critical information infrastructure; (d) disaster contingency and recovery measures, which must be put in place by the critical information infrastructure; (e) minimum physical and technical security measures that must be implemented in order to protect the critical information infrastructure;
Such requirements although necessary can be deemed as unfair since there are significant costs for compliance, such as hiring skilled personnel, training, purchasing equipment, storage, and securing licenses among others. The Act mandates stringent measures, but without providing financial or technical support, this places a disproportionate burden on organizations, especially smaller ones.
*Section 6:*
*Analysis of the Effectiveness of the CMCA in Embracing Emerging Technologies and the Associated Cyberthreats*
*Conduciveness to Technological Advancement:*
Some sections of the CMCA might inadvertently stifle innovation by imposing regulations that are difficult for innovators or small organizations to navigate. The potential for arbitrary enforcement also creates uncertainty for innovators.
· The act does not mention anything on responsible disclosure that innovators and researchers may lean on when identifying potential issues that can be responsibly disclosed and as a result strengthen the security systems and infrastructure that may be exposed.
· The CMCA allows the government to declare certain infrastructure as critical, with heavy regulatory requirements for cybersecurity, data protection, and incident management. While necessary, the lack of financial or technical support makes it difficult for smaller outfits to comply. High compliance costs and stringent requirements could deter new entrants or smaller firms from innovating in certain sectors or causing disruption in others lest they are deemed as critical infrastructure, potentially leading to reduced competition and innovation.
*Addressing Emerging Technologies (AI, Blockchain, IoT, Quantum Computing, Cryptocurrency):*
- The CMCA does not specifically address newer technologies like AI, blockchain, IoT, quantum computing, or cryptocurrency, leaving regulatory grey areas that could be exploited.
*Section 7: General Questions*
*Legal Uncertainties or Ambiguities in the Act:*
- The word "may" implies that obtaining a court order or warrant is optional rather than mandatory. This leaves room for interpretation, which could lead to inconsistent enforcement. Some officers might proceed without a court order, while others might seek one, creating uncertainty for individuals and organizations about their rights and protections.
*Capacity-Building Needs of Law Enforcement and Judiciary:*
- Establish comprehensive training programs on digital forensics, cybercrime investigation, and evidence preservation. This could include mandatory courses for officers, specialized cybercrime units, and collaboration with cybersecurity experts.
- Increase recruitment and training of officers specifically for those handling cybercrime-related cases. Allocate resources to ensure that these units are adequately staffed and equipped to handle the growing number of cases.
- Consider the creation of a specialized cybercrime court to handle all cyber-related cases. Provide continuous training for judges and legal practitioners in this court to keep up with evolving technologies and cyber threats.
*Robustness of Kenya’s Cybersecurity Infrastructure:*
- Granted there have been significant improvements in Kenya’s cybersecurity posture, but the current state of Government and parastatal technology, resilience and infrastructure is significantly under-equipped and unable to address the challenges posed by rapidly advancing technologies and techniques in play by malicious actors.
*Kind regards,* *Brian M. Nyali.*
On Thu, 15 Aug 2024 at 08:41, David Indeje via KICTANet < kictanet@lists.kictanet.or.ke> wrote:
Dear Listers,
*Day 3:*
The CMCA has profound implications for businesses, individuals, and the digital economy in Kenya. Its effectiveness in balancing innovation with cybersecurity, addressing emerging technologies, and protecting individual rights is a subject of ongoing debate. Today, we encourage discussion on the challenges and opportunities presented by the CMCA and explore potential solutions to enhance its effectiveness in shaping a secure and vibrant digital future for Kenya.
*Section 5: Impact on Businesses and Individuals.*
1. How has the CMCA impacted businesses in Kenya in terms of cybersecurity practices and investments?
2. Do you believe the CMCA adequately protects the rights of individuals in the digital space?
3. Have there been any unintended consequences of the CMCA on businesses or individuals?
4. How has the CMCA affected the digital economy in Kenya?
*Section 6: An analysis of the effectiveness of the CMCA to embrace emerging technologies and the cyberthreats they pose therein.*
1. How does the CMCA balance the need for innovation with cybersecurity?
2. Does the Act create an environment conducive to technological advancement or are there any provisions that stifle innovation?
3. How well does the CMCA address emerging technologies such as artificial intelligence, blockchain, Internet of Things (IoT), quantum computing and cryptocurrency? What can be done to enhance its ability to address these lacunas (if any).
4. How can the legal framework provided by the CMCA be enhanced to regulate the use of emerging technologies, while protecting individual digital rights?
*Section 7: General Questions.*
1. Are there any legal uncertainties or ambiguities in the Act that hinder its effectiveness?
2. What are the capacity-building needs of law enforcement and the judiciary in addressing cybercrimes related to emerging technologies?
3. Is the country’s cybersecurity infrastructure sufficiently robust to address the challenges posed by emerging technologies?
4. Any other relevant comment that you may wish to include as regards the CMCA?
-- *Kind Regards,*
*David Indeje*
*@**KICTANet* <https://www.kictanet.or.ke/> * Communications *_____________________________________ +254 (0) 711 385 945 | +254 (0) 734 024 856 KICTANet portals Connect With Us <https://linktr.ee/Kictanet> ______________________________________
participants (10)
- A Mutheu
- Adam Lane
- Barrack Otieno
- Barrack Otieno
- Benson Muite
- Brian Nyali
- David Indeje
- Mildred Achoch
- Pro Codes
- william mathenge