State Surveillance, Mixed Signals and Seven Years in Jail: Thoughts on Cybersecurity Regulations 2016 by Communications Authority
Late last year, the Communications Authority of Kenya (CA) published six Draft Kenya Information and Communications Regulations inviting stakeholders and members of the public to provide comments on these Regulations. One of these Regulations is the Kenya Information and Communications (Cyber-security) Regulations 2016 which are a new set of regulations developed following amendments to the Constitution in 2010 and the Kenya Information and Communications Act in 2013.
In an earlier blogpost here, CIPIT Director Isaac Rutenberg has already outlined some of the difficulties with a few of the proposed provisions in the draft Regulations that had been reported in the media. From the discussion of the draft below, one forms the general view that the Cybersecurity Regulations contain a number of technically impracticable provisions, unclear terms and contradictory obligations for service providers.
First and foremost, the draft defines “cybercrime” to include “copyright-related offences”. This provision essentially adds a second layer of criminalisation for any infringement of copyright, in addition to the provisions of the Copyright Act. In this case, the penalties prescribed in the draft are much tougher than those in both the Copyright Act and the Kenya Information and Communications Act, namely imprisonment for a term not exceeding seven years or a fine not exceeding three million shillings or both.
The draft defines “service provider” so broadly that it could possibly include any person who sets up a public wireless hotspot using their mobile phone. This definition is significant since the draft requires that such service providers must identify users of their wireless hotspots and provide a system for user registration. Furthermore, operators of public wireless hotspots are required to “install Closed Circuit TeleVision (CCTV) cameras to record the identity of its clients” and “ensure that system logs are retained in their original form for periods of not less than one (1) year from the date of the communication.” This appears to be a very problematic provision which may not work in the case of a public wireless hotspot.
In the case of cyber cafes, the above provision imposes an extra financial burden of installing CCTV cameras and storing a year’s worth of CCTV footage as data, over and above the requirements for user identification and user registration. Some may argue that these provisions amount to the creation of an added layer of state surveillance, since operators of cyber cafes and public wireless hotspots are required to “report any cyber-crime incidents to CA within 24-hours and as may be prescribed by CA”. More importantly, Kenya still does not have in place a legal framework for data protection.
The draft regulations contain a broad and unrealistic list of categories of data that service providers are required to retain, including: “data necessary to trace and identify the source of a communication; data necessary to identify the destination of a communication; data necessary to identify the date, time and duration of a communication.” Furthermore, as in the case of operators of cyber cafes and public wireless hotspots, service providers are required to retain the data in its original form for a period of not less than one (1) year from the date of the communication. These provisions appear to be extremely cost prohibitive, especially for small and medium sized businesses.
Furthermore, the draft regulations require that: “In order to enhance the security of e-Government services, every public body shall utilize the Dot KE country code Top Level Domain (ccTLD) for delivery of e-Government services.” No definition of “public body” has been provided but offices in the national or county governments as well as those in the public service are the most likely targets of this provision.
In total contradiction to the above obligations placed on service providers, the draft regulations provide as follows:
“14 (b) Subject to the other provisions of the Act and Regulations, a service provider shall not be under any obligation to-
(i) monitor the data which the service provider transmits or stores; or
(ii) actively seek facts or circumstances indicating an unlawful activity.”
Finally, one of the most controversial parts of the draft regulations is the last section on offences and penalties. In this regard, CA has been faulted for purporting to introduce new offences and penalties through subsidiary/delegated legislation. It is argued that Regulations made pursuant to an Act of Parliament cannot create any offences and penalties that do not exist in the empowering Act. In this case, it is argued that the above-mentioned penalty of imprisonment for a term not exceeding seven years or a fine not exceeding three million shillings or both ought to be derived from the Kenya Information and Communications Act.