Computer misuse in Kenya

An abstract

The Computer and Cybercrimes Bill (the "Bill") has been the subject of much public debate given the perceived impact it would have on Kenyan's use of the internet, the freedom of the press and civil society group’s ability to engage in political activism through social media.

Computer misuse covers computer viruses and any unauthorised access to computer material, as set out in the Computer Misuse Act 1990. This can include any device using software accessible online, for example: computers smartphones, games consoles and even smart TVs. It includes offences such as: the spreading of viruses.

Introduction

During the recent decade, which has been characterized by a dramatic increase in the sophistication of technology, the quantities, as well as the quality of cyber-attacks characterized by a vast computer misuse, have never been as noticeable. While we still are dealing with “regular” security breaches such as password fraud, it is expected that the complexity of attacks and their targets will change dramatically. Therefore, it is crucial to explore cyber security risks to be prepared for anything.

The sudden explosion in the use of information technology and tight constraints on the funding of policing is rife for the modern day threat of cyber security due to computer misuse which can have a debilitating effect on East African country’s ability to attract investment.

Computer Misuse:

The term “computer misuse” is technology-neutral. The definition does not refer to any particular method of communication. Also, the definition does not limit “computer misuse” solely to land based or long range activities. The definition we have proposed covers both the situation where an individual gains access to a computer from a distance as well as the situation where a person accesses a computer by making physical contact with the computer.

?Is Computer Misuse a problem?

Having explained what we mean by the term “computer misuse”, the next issue to be considered is whether computer misuse is a problem which deserves the attention of the criminal law. In my view, the answer is plainly “yes”, although the extent of the problem is often concealed. Often computer misuse will go undetected. In some situations, a company may decide, for publicity reasons, not to disclose that it has been subject to computer misuse.

Statement of the Problem

ICT professionals, bloggers, journalists and civil society came out strongly during the Bill's public participation phase to share their concerns about provisions they claim infringed on their constitutional rights and freedoms as well as to suggest constructive amendments such as the inclusion of offences such as cyber-squatting and phishing that were not part of the Bill of the time.

The National Assembly made various amendments to the Bill following the close of the round of public participation and consideration of proposals for amendments by the relevant departmental committees and the members of parliament in general. The Bill was passed and later assented into law as the Computer Misuse and Cybercrimes Act (the "Act") by the president of Kenya on the 16th of May, 2018.

The Act is an important milestone in countering cybercrime by:

• Providing for offences relating to computer systems and the establishment of the National Computer and Cybercrimes Co-ordination Committee;
• Protecting the confidentiality, integrity and availability of computer systems, programs and data;
• Facilitating timely and effective prevention, detection, investigation, prosecution and punishment of computer and cybercrimes; and
• Facilitating international cooperation in dealing with computer and cybercrime matters.

?

Misuse of computers and communications systems comes in several forms:

1)????Hacking: an unauthorised person uses a network, internet or modem connection to gain access past security passwords or other security to see data stored on another computer. Hackers sometimes use software hacking tools and often target, for example, particular sites on the internet.

2)????Data misuse and unauthorised transfer or copying: Copying and illegal transfer of data is very quick and easy using online computers and large storage devices such as hard disks, memory sticks and DVDs. Personal data, company research and written work, such as novels and textbooks, cannot be copied without the copyright holder's permission.

3)????Copying and distributing copyrighted software, music and film: This includes copying music and movies with computer equipment and distributing it on the internet without the copyright holder's permission.

4)????Email and chat room abuses: Internet services such as chat rooms and email have been the subject of many well-publicized cases of impersonation and deception where people who are online pretend to have a different identity. Chat rooms have been used to spread rumors about well-known personalities.

5)????Pornography: A lot of indecent material and pornography is available through the internet and can be stored in electronic form. There have been several cases of material, which is classified as illegal, or which shows illegal acts, being found stored on computers followed by prosecutions for possession of the material.

6)????Identity and financial abuses: This topic includes misuse of stolen or fictional credit card numbers to obtain goods or services on the internet, and use of computers in financial frauds. These can range from complex well thought out deceptions to simple uses such as printing counterfeit money with colour printers.

7)????Viruses: Viruses are relatively simple programs written by people and designed to cause nuisance or damage to computers or their files.

The National Assembly amended the Bill to include additional computer and cybercrime offences. Below we highlight some of these new offences:

• Cybersquatting: - This is the unauthorized and intentional use of a name, business name, trademark, domain name or other word or phrase that is registered, owned or in use by another person. The penalty for the commission of this offence is the imposition of a fine not exceeding two hundred thousand shillings, imprisonment for a term not exceeding two years or both.
• Phishing: - This is the creation or operation of a website or the sending of messages intended induce a person to disclose personal information. The penalty for the commission of this offence is a fine not exceeding three hundred thousand shillings, imprisonment for a term not exceeding three years or both.
• The wrongful distribution of obscene or intimate images: - This is the publication and dissemination of intimate or obscene pictures of another person. If found guilty of this offence one is liable to a fine not exceeding two hundred thousand shillings, imprisonment for a term not exceeding two years or both.
• Identity theft and impersonation: - This is the dishonest or fraudulent use of an electronic signature, password or the unique identification feature of another person. On conviction, one is liable to a fine not exceeding two hundred thousand, imprisonment for a term not exceeding three years or both.
• Failure by an employee to relinquish access codes: - Employees are required to relinquish all codes and rights upon termination of their employment. Failure to do so will invite a fine not exceeding two hundred thousand shillings, imprisonment for a term not exceeding two years or both.
• Reporting of cyber threats: - Operators of computer systems and networks are required to report to the NCCCC within 24 hours, incidences of attacks, intrusions and disruptions to the functioning of their computer systems or networks. In the report, the operators are required to provide details of the breach, estimates of the number of affected individuals, an assessment of the risk of harm and circumstances that may delay or prevent affected persons from being informed of the breach. Failure to report would lead to the imposition of a fine not exceeding two hundred thousand shillings, imprisonment for a term not exceeding two years or both.
• The interception of electronic messages or money transfers: - This is the unlawful destruction or termination of any electronic mail or process for the transfer of money or information. If found guilty of this offence one is liable to a fine not exceeding two hundred thousand shillings, imprisonment for a term not exceeding seven years or both.
• Cyberterrorism: - This is the accessing or the facilitation of access to a computer, a computer system or network for the purposes of committing a terrorist act. The penalty for the commission of this offence is a fine not exceeding five million shillings, imprisonment for a term not exceeding ten years or both.

?Objectives

Computer Security is about protecting your information from misuse, which is often the most valuable asset an institution owns. Therefore the following components must be observed and be protected.

(a) Confidentiality – any important data you have should only be accessible to people or by systems to who you have given permission;

(b) Integrity – the assets themselves and information they contain must continue to be complete, intact and uncorrupted and;

(c) Availability – all systems, services and information must be accessible when required by the business or its clients.

?Observation

Computer Misuse incidents have actually decreased in the last two years overall – especially crimes involving viruses being put on devices. 21% of computer virus incidents resulted in data being accessed or lost. As with fraud, older people aged over 75 were less likely to be victims of computer misuse Over 90% of people reported taking security measures to keep themselves safe online, which could explain the decrease in this type of crime.

Conclusion

The effort by the Government of Kenya to introduce stricter laws to equip organizations and persons to secure the data from the latest cyber threats is commendable. Successful cyber-attacks on government systems are still likely to occur despite the government efforts. This holds true for private companies as well.

It is advisable therefore that organizations become proactive about the security of their apps and data. Cyber criminals are always on the prowl and are becoming sophisticated in their approach to attack. For the same reason, companies should keep a regular check on their systems to identify any vulnerabilities and address the loopholes immediately.

It is important to strengthen the security front and be prepared for the worst attacks on financial assets or personal data since preparing for mild security breaches has not been effective yet with the increased sophistication of the current hacking technologies.

The research aim was achieved by showing the depth of the criminal justice system in both prevention and prosecution. The challenges involved in the effective functioning of the criminal justice system have laid the foundation for the definition of recommendations that can improve the system. It remains imperative that improved implementation of the system should be maintained in order to respond to the rapid changes in the perpetration of the crime.