Last week, the Computer and Cybercrime Bill was finally signed into law by the President and it immediately raised hell – as expected. The bill went through several changes, most of which were positive, but retained some contentious sections under the title “False Publications”.
Section 22(1), states as follows:
A person who intentionally publishes false, misleading or fictitious data or misinforms with intent that the data shall be considered or acted upon as authentic, with or without any financial gain, commits an offence and shall, on conviction, be liable to a fine not exceeding five million shillings or to imprisonment for a term not exceeding two years, or to both.
This section is widely considered to be bad because it can be interpreted as a direct attack on the freedoms of expression as guaranteed by Article 33 of the Constitution.
It gets uglier with Section 23, titled “Publication of False Information”, which states that:
A person who knowingly publishes information that is false in print, broadcast, data or over a computer system, that is calculated or results in panic, chaos, or violence among citizens of the Republic, or which is likely to discredit the reputation of a person commits an offence and shall on conviction, be liable to a fine not exceeding five million shillings or to imprisonment for a term not exceeding ten years, or to both.
Whereas the reading of the text shows an attempt to discipline the notoriously irresponsible social media space, most lawyers argue that such discipline should be handled under libel rather than criminal laws.
Criminalising libel is considered overkill, and may have a chilling effect on both freedoms of expression and media. It is on record that several groups are planning to go to courts to argue this out and so we will leave that debate for the courts to settle.
Nevertheless, the disproportionate focus on Section 22 and 23 means that the positive aspects of the Cybercrimes Act have not been given the publicity they deserve.
It is therefore only fair that we shed some light on some of the good aspects of this Act.
One obvious positive is that Kenya now has a cybercrimes law, an important milestone as it creates a predictable legislative and regulatory framework for our digital economy.
Together with the anticipated Data Protection Act, the Kenyan digital space would be better positioned to compete favourably for its share of the global investments directed towards the digital economy.
Digital economies come with their own unique challenges and risks. The new Act has now identified most of these risks in terms of offences and provided for their appropriate investigation, prosecution, sanctions and penalties.
Previously, law enforcement would not be able to appropriately charge cybercriminals for specific offences, simply because our penal code did not recognise such crimes.
These cybercriminals would then be charged with the “closest” offence that may have very little to do with the actual cybercrime committed. Eventually, the prosecution of such crimes would not be sustainable and more often than not, the criminals would walk away scot-free.
The new cybercrimes law, therefore, helps seal such loopholes by defining common computer-related offences like unauthorised interference, unauthorised interception, cyber-espionage and phishing attacks.
Of course there are still some challenges with regard to implementation, particularly with the requirement that internet service providers will be called upon to play a leading and critical role to keep the cyberspace safe.
Of concern is that the cost of such a role would be borne by the ISPs rather than the State agencies that would, subject to court orders, require ISPs to monitor suspicious traffic.
This may perhaps be resolved in future amendments, or in the short-term by publishing regulatory details of how the cost aspects would be shared or compensated.
One other positive feature in the Act is the formalisation of a national cybersecurity framework that would monitor current and emerging cyberthreats in order to better coordinate adequate and effective responses.
At the moment, the various cybercrime response units within the public and private sector are engaging out of goodwill and gentleman agreements that are too fragile to withstand State-sponsored cyberattacks from hostile nations.
The Act therefore provides a proper and obligatory framework for ensuring that the Kenyan State can deal decisively and effectively with persistent, State-sponsored attacks against our critical information infrastructure.
These are some of the benefits that the Cybercrimes Act brings on board — benefits that are unlikely to be debated as everyone focuses on how to protect bloggers.
Let us therefore not lose sight of the big picture, even as we await the courts to clear the air on the contentious issues in the Act.
Mr Walubengo is a lecturer at Multimedia University of Kenya, Faculty of Computing and IT. Email: [email protected], Twitter: @Jwalu