In July 2014, ARTICLE 19 analysed the first draft of the Cybercrime and Computer related Crimes Bill in Kenya (‘Cybercrime Bill’). In particular, we examined the compatibility of the Bill against international and comparative standards for the protection of freedom of expression and the right to privacy.
The Cybercrime Bill is an initiative of the Office of the Director of Public Prosecutions (ODPP). It seeks to equip law enforcement agencies with the necessary legal and forensic tools to tackle cybercrime, which is said to have cost nearly KES 2 billion (USD 23 million) to the Kenyan economy in 2013. The Bill comes on the heels of a Cyber Security conference in June 2014 where the Telecommunications Service Providers Association of Kenya (TESPOK) and cyber security groups from Canada, Singapore, South Africa, India and USA discussed the role of the private sector in tackling cybercrime. The meeting recommended the adoption of a comprehensive cybercrime law in light of the perceived failings the existing legal framework in dealing with recent terrorist attacks.
Our analysis shows that the provisions dealing with ‘content-related’ offences in the draft Cybercrime Bill fall well below international standards on freedom of expression. In particular, the Bill provides for incredibly broad speech offences that could have a devastating effect for freedom of expression online in Kenya. It also provides for unduly broad offences against computers and other computer-related offences. By contrast, we conclude that the procedural safeguards to investigate and prosecute cybercrimes are generally adequate. Nonetheless, we offer recommendations in order to further improve them in line with international standards on freedom of expression and privacy.
Key Recommendations
- The definition of computer system should closely follow the definition contained in the Cybercrime Convention. In particular, the definition of computer system should make explicit reference to ‘automatic processing of data’;
- In the definition of ‘damage’, the word ‘serious’ should be inserted between ‘any’ and ‘impairment’ and between ‘any’ and ‘loss’;
- The words ‘threatens public health or public safety’ should be removed from the definition of ‘damage’ and replaced, if appropriate, with a more targeted definition of the kind of damage sought to be addressed by the computer offences contained in the Bill;
- A definition of ‘service provider’ should be added consistent with the equivalent definition contained in the Cybercrime Convention.
- Section 3 should be rephrased to criminalise the unauthorised access to computer data by infringing security measures with intent to obtain computer data or other dishonest intent.
- The reference to ‘any’ law in section 4 (1) should be removed and replaced with both specific and serious offences.
- Section 5 should introduce a requirement that the unauthorised modification of computer should cause serious harm to computer data or other particular interest in line with the recommendations of the Cybercrime Convention.
- Section 7 should be removed;
- In section 9, ‘knowingly’ should be replaced with ‘intentionally’;
- Section 9 should follow more closely the definition of ‘system interference’ under Article 5 of the Cybercrime convention in order the simplify the language of that section;
- Section 9 should include a requirement that any such interference must ‘seriously’ hinder the functioning of a computer system.
- ‘Knowingly’ should be replaced by ‘intentionally’ in section 10 (1).
- Section 11 should be entirely struck out.
- ‘Protected systems’ should be defined in the Bill along the lines of the definition contained in the US Computer Fraud and Abuse Act. Short of such clarification, serious consideration should be given to removing section 14 entirely.
- Section 16 as currently drafted should be struck out in its entirety. We recommend that the drafters of the Bill should refer to the COE Cybercrime Convention or the definition of child pornography laid down in the African Union Convention on Cyber Security and Personal Data Protection.
- Section 17 of the Bill concerning hate speech online should be struck out in its entirety.
- Section 18 of the Bill should be struck out in its entirety. Legislation against stalking and harassment should be dealt with by way of the general criminal law, rather than in the context of cybercrime.
- Section 35 (f), which deals with the extra-territorial application of Kenyan law to places where any result of the offence has an effect in Kenya, should be removed.
- Section 40, which introduces a general penalty, should be removed.