Court operations have been disrupted following the COVID-19 pandemic but the Judiciary has adopted various measures to ensure that citizens still have access to justice. In addition, the Business Laws (Amendment) Act 2020 gave legal basis for use of electronic documents and signatures. Therefore, there is need to rethink our practices on collection and storage of digital evidence.

Prior to COVID-19, digital evidence was sometimes rejected in legal matters for lack of integrity, and digital forensics had to be applied. For example in 2016, in the case of politicians referred to as Pangani six on charges of hate speech,  a video clip uploaded on You tube was rejected as evidence for lack of credibility as required by the Evidence Act. Other such instances where digital evidence has been struck out for lack of a certificate include: the Siaya 2013 gubernatorial election petition and the Kirinyaga 2017 gubernatorial election petition.

Contrastingly, the historical nullification of Kenya’s 2017 election demonstrated a strong acceptance of digital evidence by courts. By simply interrogating the new biometric voter identification kits and other digital evidence by forensic experts, the case was won on allegations of digital fraud. This case demonstrates how the amendments by the Security Law (Amendment) 2014 Act  on the admissibility of digital evidence, will serve its purpose only through building capacity and collaboration with forensic experts in prosecuting cases in technology law. Similarly, with developing new laws such as the Data Protection Act 2019 that confine the processing of personal data, a watertight checklist is to be adopted that creates certainty on the admissibility of digital evidence and its ethical parameters. Afterall, the requirement of certified digital evidence remains constant regardless of amendments.

Underscoring other gateways will aid the prosecution of cybercrimes such as money laundering using accurate digital forensic evidence.

Digital evidence and privacy of data 

Digital evidence is defined as digital material that is stored or transmitted digitally. This material contains probative information obtained from various sources such as computers, smartphones, wearables and routers that can be used in legal proceedings. Therefore, digital evidence can manifest in form of emails and text messages, databases, digital photographs, among others.

Most phone companies tend to be sources of digital evidence. Through  technologies such as geofencing – a process of mapping of phones within a targeted location using GPS, RFID or Wi-Fi,[1] a lot of personal information such as phone numbers and emails of customers reside in these companies. When seeking to obtain such information, the onus is on service providers to ensure confidentiality and data protection of the customer’s information. When considering digital evidence, the question of how it was obtained is key in determining its admissibility. Section 106B of the Evidence Act introduces a requirement of integrity and reliability by requiring evidence derived from a computer, to be from persons having legal control in the ordinary course of business.[2] Lawful control will mean that the essence of data protection and privacy is not violated in the first place.

Admissibility of digital evidence

The African Union Convention on Cyber Security & Personal Data  offers guidance on ascertaining lawful control of digital evidence. It provides that processing of personal data containing information on offences and convictions must be done so after authorization by a national data protection authority.[3] This will ensure that this processing is done within the safeguards of protecting of personal data under the Convention. For a request of authorization to be granted, the following information must be well established:

• Identity & address of the data controller.
• The purpose of processing data must be included.
• A nexus between other processing activities.
• The length the processed data was kept.
• The service that carried out the processing.
• The persons who had direct access to the registered data. Relatedly, the functions of this category of persons.
• The recipient’s authorized to receive data communication.
• The function of the person before which the right to access is to be exercised.
• Security measures to protect the processing of actions and of data.
• The use of a sub-contractor if any.
• Expected transfer of personal data to a third country that is not a member of the African Union, subject to reciprocity.

The investment of time in achieving authenticity, reliability, credibility, integrity, and relevance of evidence, will require strong collaboration with a digital forensic expert. This will ensure that various threats such as loss of data, error of data and interference of data does not challenge the admissibility of evidence. In addition, a chronological documentation of the chain of custody capturing the process of seizure, custody, control, transfer, analysis, and disposition of electronic evidence should be tabled. This report will enable a forensic investigator to verify whether the evidence offered in court is the same evidence collected or retrieved.

Conclusion

As digital evidence becomes more popular in Kenyan Courts, there is need for more awareness among court users and processing officials. Public awareness on privacy and data protection is particularly useful in ensuring that digital evidence is acquired fairly and its use does not overshadow other parties right  to privacy.

[1] These are tracking program apps installed into software.

[2] Section 106B, Evidence Act (No. 46 of 1963).

[3]Article 10(6), the African Union Convention on Cyber Security & Personal Data, 27 June 2014, AU/Decl. (XIV).

Image from Google Images