Are you about to send the sort of email that can incite communal violence?
Are you about to post a blog that can easily cause nation-wide confusion?
Are you about to hack into the Defence Headquarters computers?
Are you about to record your most intimate thoughts and experiences in an email? Before you do, think twice. Big Brother is watching. This time, he says for the good of the nation.
So are we becoming a North Korea?
Listen to Information and Communication PS Bitange Ndemo: “We had a lot of problems in 2007 and 2008 (during Kenya’s Post Election Violence that left about 1,000 people dead and thousands more internally displaced). It makes it imperative that we have a spyware that will assist in the fight against hate, spamming and online criminal activities. This year we have elections and we have begun to see Kenyans in the diaspora sending very offensive messages. I think everybody will understand that we have to be careful from day one, as we approach the elections”. That was a month ago.
Following Mr Ndemo’s frank statement the blogosphere and social media were alive with denunciations of the “spying” intent of the Communications Commission of Kenya, whose decision the PS was explaining.
Reactions were predictably furious.
“The government hasn’t fully considered its position here and is acting more out of ignorance and lack of respect for people’s privacy. What it uncovers will be more damaging to Kenya than anything else since it will explore people’s private conversations,” said Kiumbuku Muchuku.
“I don’t think the government knows what they are doing,” thought Patricia Atieno.
The controversy is centred on the issue of monitoring Internet traffic in the name of preventing cyber terrorism.
Cyber terrorism is commonly defined as “Internet attacks based on terrorist activities”.
It could be breaking into a network and stealing data, altering data or even preventing access to data, but with its infinite possibilities, the definition remains quite broad.
In a much narrower definition, cyber terrorism is an attack on networks and computer systems, with real world effects being the definite outcome. That is to cause harm to life, property and so on.
There have been numerous hackings in Kenya, mostly by foreigners, on different sites, including government and security agency sites.
Half the time, the hackings have been possible due to silly errors made by staff who had not bothered to secure the sites adequately.
The local “hacking” into the police website in January this year was made possible because of someone who left the machine accessible to just about anybody with the default password on.
Interestingly, the “hacking” was performed by a member of the internal technical team, not an outsider.
So this makes one wonder, why is the government keen on monitoring the Internet, inherently spying on others and what they are doing, when they have other less damaging solutions that would actually be more effective?
Many already believe that even before this becomes official, the CCK is already monitoring Internet traffic, but on a pilot basis with a select set of people.
It’s not the first time the CCK has been accused of monitoring private communication. There have been quiet rumours of monitored calls and text messages, but there has never been any proof.
Regardless of all that, the CCK will be in violation of two articles of the Constitution, meant to protect the citizens of this country and the media.
This big brother action violates the Privacy Act (Article 31), which guarantees the right to “privacy of their communication”.
In other words, everyone must be guaranteed privacy when they talk to others, regardless of the medium of communication and location within the boundaries of the country and with people outside of the country.
The Act means that whatever you say remains between you and the other person or people in the conversation.
It prevents others from listening in on your conversations — and others, in this case, includes the state and its representatives, be they intelligence officers, or just simple analysts.
With your privacy not guaranteed, and Kenya being Kenya, and with a lot of assumptions, people will very likely be arrested and prosecuted on the basis of simple association.
If anyone was to have even the most innocuous conversation with a suspected cyber terrorist, that person can be brought in for questioning, regardless of whether they are aware of the cyber terrorists real identity and intentions or not.
Then there is the Media Act (Article 34), which guarantees freedom of all forms of media, stating that the State has no right to control people in the media, or the media itself, or penalise someone for their opinions.
Social media, emails and blogs fall under this Article. With this explicitly expressed in the Constitution, the State hopes to use the Kenya Information and Communications Act, which allows it to deploy a national cyber security management framework to listen in.
Lawyer Paul Muite has however argued that “this Act is null and void since it contradicts the Constitution.”
The first question on everyone’s mind is simple: Is the CCK trustworthy enough to handle this, and ignore any other content?
What if the CCK were to stumble upon content that was non-related to cyber terrorism, but sensitive to parties associated with it?
The CCK is claiming that they are pre-empting cyber terrorism but that quagmire reminds one of the Coventry Blitz of 1940, where the British had intercepted German communication outlining the blitz.
Here blitz refers to Germany’s Second World War strategy of a quick and lightning attack.
However, British hands were tied. Had they acted, the Germans would have known that the British had intercepted their encoded messages and thus would have suspected the eventual invasion that led to the fall of the Third Reich, which, in turn, would have been unsuccessful.
The moral dilemma here carried an extremely high price: Coventry was bombed with devastating loss of life and property.
But time moves forward and not backwards, and if there is a lesson to be learnt, here, then the CCK should learn to turn to the judicial system to help them resolve isolated cases.
Kenya does not have 40 million cyber terrorists within its borders, but there may be a few individuals with malicious intent.
The State can easily request a specific provider, through a court order, to provide specific information if state security is threatened or after it has been compromised.
To “throw a net in the ocean hoping to catch something” is deemed as irresponsible and the CCK hasn’t proven that it can be trusted with this.
The timing is also suspicious; this is an election year. With election campaigns going hi-tech, there will be strategic content being sent back and forth between campaign managers, candidates, strategists and other key election people.
Elements in the CCK can therefore gain access to “campaign proprietary content” which they can then easily dispatch to opponents, thus leaking strategic information that could alter the outcome of an election.
With opponents having access to each other’s content, sabotage would eventually occur with some people gaining unfair advantage over others.
Also, big companies in Kenya have taken a huge step forward in securing their data and there are many leaves to be borrowed here.
There is a lot of corporate espionage happening in Kenya, just like in any other part of the world, developed or developing, with confidential information being leaked daily.
Espionage does not distinguish between wealthy and poor countries, or companies, but rather relies on obtaining information that could lead to unfair advantage.
Not too long ago, we saw espionage happening, and with it came damning repercussions.
The greatest leak of all time remains Wikileaks, which alarmingly showed how politicians and high level business people operated, exposing people’s opinions and positions on very serious and delicate matters.
Wikileaks taught the world that the suspicions they had were real, and in many cases, more real than they would have imagined.
Big businesses have therefore taken huge steps to counter espionage. While it has not been foolproof in many cases, they have employed forensic experts to help identify culprits and track data flow.
By understanding how to protect their assets, and by eliminating staff responsible for the crimes, they have ensured that we don’t get to see their linen being aired in public, dirty or not, and there are ongoing efforts to shore up security measures daily, something the State is capable of.
There are more effective, cheaper and easier solutions that are less damaging than the current proposed solution by the CCK.
It begins with the basics in security — protect yourself. If someone was to break into your house, your priority is to protect yourself, your family and your assets, and you do that by first ensuring that breaking in is difficult, if not impossible.
Therefore, you invest in burglar prevention equipment, alarms, and even security guards and you ensure that everything is in top shape always since there is no way of predicting when a crime will occur.
So, the lesson to the CCK and the Ministry of Information is simple; they need to first ensure that all electronic government assets are secure enough to thwart hacking attempts.
While advances in technology are improving, they are also bringing new problems, but more progressive countries are first ensuring that they have adequate internal security, and when they are hacked, they actually investigate and find the culprits.
The government needs to ensure that all their online assets are deployed with the very best security systems available to them.
They need to ensure that there isn’t that possibility of intrusion, and even if it existed that it can be prevented, and as a worst case scenario, the people responsible can actually be found and prosecuted.
This won’t happen by suspecting everyone.