A Few Things You Should Know about Kenya’s Cyber Policy Landscape

The term policy very likely puts off a lot of folks. It probably evokes images of old men in suits and spectacles droning on about something or other. I, on the other hand, am fascinated by (public) policy. The most basic definition of policy is “a course or principle of action adopted or proposed by a government, party, business, or individual.” Policies help in shaping laws and regulations that govern various actors in a jurisdiction.

In an increasingly interconnected world, there is an emerging realm of cyber policy that is exciting as it is challenging. Safety, security, privacy, autonomy, freedom of expression are some of the aspects that now need to be rethought in the context of the cyber space. If you currently conduct any activity online, it definitely matters how the space is regulated, and what plans are in place to uphold your fundamental rights, as well as technological innovations that you leverage for work or leisure.

So what is the government of Kenya envisioning as protections and measures to underpin fundamental rights and freedoms online for its citizens? Which actors are involved? What laws are in place, and which ones are needed?

Equally, which non-state actors are in the forefront of these deliberations? Who is articulating citizens’ concerns in shaping our cyber policies?

A few things you should know:

i)  laws, regulations and policies pertaining to cybersecurity in Kenya largely approach it from the perspective of curbing cybercrime, and to a much lesser extent safeguarding the rights of citizens as they translate to an increasingly interconnected and inescapable digital realm.

Some of the laws in place include the Kenya Information Communications Act (KICA), Chapter 411A and the the Computer and Cybercrimes Bill (2016).

ii)  there exists a Computer Incident Response Team Coordination Centre (KE-CIRT/CC), whose role is to facilitate coordination and collaboration in response to cybersecurity incidents. This is to whom you can report a vulnerability or cyber-related incident that harms you or others.

iii) Our constitution, in Article 31, guarantees the right to privacy, including the right to not have information relating to one’s family or private affairs unnecessarily revealed, and to not have the privacy of one’s communications infringed.

BUT

a crucial piece of legislation to enforce is yet to be adopted. The Data Protection Bill, 2013 was formulated to give effect to this constitutional provision. It articulates requirements for electronic personal information collection, storage, protection/security, access, disclosure, and misuse.

iv)  Cyber policy needs thinkers, lawyers, geeks…(trying very hard not to use the hackneyed term ‘capacity’, but there you have it). Unchartered territories, where issues like sovereignty, Internet jurisdiction, protection of freedoms online and offline, national security all make for very interesting questions with no easy answers. Kenya is a lighthouse country in the region, and her people are sharp thinkers and doers who should explore this space a bit more!

For other insights, check out the report here.

Alternatively, you can listen to this podcast summary of the report.

This report was commissioned by Global Partners Digital, in a series designed to help civil society actors navigate the cyber policy landscape in four countries: Chile, India, Indonesia, and Kenya. It was co-authored by Tyrus Kamau and Juliet Maina

The Future of Cyberspace in Kenya

(As first posted on Medium).

The Global Conference on Cyberspace, hosted by the Kingdom of the Netherlands on 16th and 17th April, 2015, was a very interesting one to have attended. The convening drew attendance from governments and private sector players; civil society were invited to the table, with a one and a half day pre-event that served as a capacity-building program, and an ‘unconference’ event where they could set the agenda, discuss further on issues that were brought up at the conference, or those not tackled altogether.

The themes under which the future of cyberspace was discussed, were freedom, security and growth. The three are interesting departure points to assess cyberspace considerations in each country. For instance, in Kenya, we continue to enjoy Internet freedom, something I contend is by default, not design, in that it hasn’t been a space that the government has attempted to regulate from the onset. That said, the freedom enjoyed as a result of minimal regulation also exposes individual users and institutions alike to any number of risks — data privacy violations, cyber fraud, to name a few. Kenya is currently awaiting two pieces of legislation: the Data Protection Bill and the Cybercrime and Computer Related Crimes Bill that will introduce measures to protect user privacy as well as provide legal options through which to address cybercrime grievances. Reviews of various versions of these bills have noted that there have been clauses that could undermine freedom of expression. It will be imperative for the Legislative processes to balance provisions on security, privacy and freedom on the Internet.

We will soon need to have a conversation on Net Neutrality in Kenya. India is currently engaging in a conversation on the issue, around the regulatory attempts that could undermine it. The Internet.org effort by Facebook and other tech companies, already on Kenya’s shores (in partnership with Airtel) has come under criticism, that it undermines the principle of network neutrality. The initiative, aimed at first time Internet users in the developing world, is already missing the mark, as the target group makes up for a very minimal percentage of its current users. (If you are an Internet.org user in Kenya, would love to hear your thoughts on the service!)

On security, insights from the 2014 Kenya Cyber Security Report indicate the growing risks that individuals and institutions are increasingly facing — ranging from malware, to fraud. User security in online banking systems locally has been found wanting (read from page 28 of the above report on this). Awareness of the risks posed in cyberspace is minimal, and measures to address and mitigate cyberspace risks, challenges and threats exist mostly on paper. For instance, Kenya has a national cybersecurity strategy penned by the ICT Ministry that outlines measures to be taken to secure the country’s cyberspace and ensure cyber resilience. Since 2012, Kenya has supposedly had a National Computer Incident Response Team Coordination Centre (KE-CIRT/CC), in accordance with ITU recommendations. The said centre is housed under the Communications Authority of Kenya. Its work and impact is unknown, though, you can supposedly report an incident or vulnerability. The importance of such a response mechanism has motivated individual efforts by IT security professionals to offer incident response, share information and raise awareness, in the glaring absence of institutional mechanisms within government. The Kenyan government was once again quick to sign up as a ‘founding member’ of the Global Forum on Cyber Expertise that was unveiled at the close of the conference. Will be watching with unabated breath to see the government’s contribution to this new body. We all remember the repeated defacing of the Kenya government institutions’ websites, as well as hacking of social media accounts…makes one wonder what all these strategies and institutions in place are up to. The same government could violate our constitutional right to privacy in the name of national security. (Let’s not forget the scandal that was the Chinese nationals arrested in Runda in December last year, and who as yet, haven’t been prosecuted for the lack of legislature to this effect.)

On growth, it was rightfully noted that “the Internet is rapidly becoming the most critical infrastructure for economies around the globe”. In Kenya, business and economic growth facilitated by the Internet has massive opportunities as well as challenges. Our Internet-based annual economic outputs are currently valued at approximately Kshs. 100 billion, the second highest in Africa. Impressive indeed. However, further growth and diversification of Internet and cyberspace-related economic activity is limited by lack of regulatory frameworks such as the aforementioned Data Protection Bill. Kenya was once poised to set up a Business Process Outsourcing (BPO) sector, greatly undermined as a result of a delayed process of enacting the Bill. Initiatives and investments such as Rockefeller’s Digital Jobs Africa bear massive potential, but challenges- including talent — need to be addressed carefully and strategically to ensure that the country can derive more economic growth and generate employment via cyberspace activities.

It’s not all up to government though. Training institutions (with their ever increasing ICT-oriented courses and curricula) need to churn out talent that can either be hired or that can be enterprising around the Internet economy. Civil society needs to align itself to the cyberspace, to keep government (and private sector) in check in their efforts, as many of them could undermine freedoms that have been hard-earned. Academia have their research and analytical work cut out for them. All have to work together to facilitate knowledge exchange and wholesomely contribute to a safe, free and secure cyberspace in Kenya.

A Side Note: other interesting observations from the conference.

From the onset, governments as represented by Ministers read out statements on their position and efforts on enhancing the cyberspace. It was particularly interesting to note the different angles from which various countries approached the discussion. MENA countries emphasized that countering terrorism in the cyberspace is their priority. China invited others to join them in their efforts, reiterating that they believe in the freedom, security and growth of the cyberspace (lots of eyes rolled). Sub-Saharan African countries — Uganda, Senegal and Ghana — read out their ministerial statements, in which they reiterated commitment to passing laws to address cyberspace related issues, with Senegal referring to the African Union Convention on Cyber Security and Personal Data Protection, recently adopted by the regional body as a guiding principle for their local efforts. There was the usual extending of a begging bowl; assistance from the Global North was sought.

It was noticeable that Kenya, Nigeria and South Africa weren’t as vocal/visible. The three countries are ‘leaders’ in Internet connectivity and have significantly large ICT sectors, one wonders where their ministers of ICT and/or Foreign Affairs were.

It was interesting how most discussions boiled down to matters of mass surveillance (many spirited attempts at justifying it from government types), privacy and security(whether one can exist without the other) in cyberspace.

On civil society participation, it was good to note involvement within the conference programme (e.g. Nnenna Nwakanma’s inclusion in the opening panel, where she fantastically represented civil society voice) and beaming their thoughts out loud via the Twittersphere. That said, I was rather disappointed by the low turnout at the unconference, given dissatisfaction expressed in the main conference discussions by civil society types in attendance. Some of the unconference sessions, however, were interesting, others altogether problematic. (In my view the framing around ‘the next (two) billion Internet users’ worries me…that’s for another day).

However, it was also notable that no civil society organisations were founding members of the Global Forum on Cyber Expertise…so much for a multi-stakeholder approach!