By Victor Kapiyo
On 9th August 2024, the National Assembly published the Computer Misuse and Cybercrime (Amendment) Bill, 2024, which proposes to amend the contentious Computer Misuse and Cybercrimes Act, 2018. The Private Members Bill proposed by Aden Daudi Mohamed seeks to introduce the following new clauses:
- Clause 2: Defines terms such as access, asset, identity theft, and virtual accounts.
- Clause 3: Empowers the National Computer and Cybercrimes Coordination Committee (NC4) to issue directives on websites and applications that may be rendered inaccessible within the country.
- Clause 4: Expands the scope of the offence of cyber harassment.
- Clause 5: Expands the scope of the offence of phishing.
- Clause 6: Introduces the offence of unauthorised SIM swap.
Clause 3, in particular, seeks to amend section 6 of the Computer Misuse and Cybercrimes Act to grant the NC4 power to block websites and applications, “where it is proved that a website or application promotes illegal activities, child pornography, terrorism, extreme religious and cultic practices, issue a directive to render the website or application inaccessible.”
Given Kenya’s recent history of shutting down the Internet in June 2024 and blocking messaging applications like Telegram in November 2023, the proposal does not come as a surprise. It appears to be yet another attempt to formalise and expand government censorship. A similar proposal was made in the Computer Misuse and Cybercrimes (Amendment) Bill, 2021, which was later withdrawn following pushback by civil society. This new clause in the bill is equally problematic and should be withdrawn.
The overly broad, ambiguous and vague language of the amendment, such as “where it is proved”, “promotes illegal activities” or “extreme religious and cultic practices”, is bad in law. Despite stating that it does not limit fundamental rights and freedoms, the bill proceeds to violate constitutional and human rights standards around rights to freedom of expression, political participation, privacy and related civil liberties.
The implementation of the provision could lead to censorship of legitimate speech, including political dissent or religious expression. It may also pave the way for arbitrary blocking of websites and applications or invasive surveillance practices, particularly during politically sensitive times like protests and elections, if the events following the #RejectFinanceBill2024 are anything to go by. Most recently, the prosecution of David Morara Kebaso for the offence of cyber harassment signals the likelihood of more repressive action by the state against critical speech.
Given that previous internet disruptions have been carried out without any legal mandate or oversight, there is a risk that such a provision could lead to abuse and overreach by NC4 owing to its vague terminology, the absence of oversight and the lack of any limitation on the period of blocking. Thus, any speech online or on social media that is deemed to “promote illegal activities” could be used as a basis to block the website or application indefinitely.
Further, and despite using the phrase “where it is proved”, it is not clear to whom the proof shall be adduced, and there is still no clear oversight of NC4 or of the proposed powers, which could result in politically motivated censorship or disproportionate restrictions on free speech. The power also makes the NC4 investigator, prosecutor and judge, which goes beyond the scope of its functions under the CMCA, which are limited to advising the government and coordinating cybercrime matters. Also, the manifest lack of due process guarantees and clear mechanisms for appealing NC4 decisions could leave websites and applications vulnerable to arbitrary and unjust restrictions.
Additionally, the adoption of the bill in its current form could have a significant economic cost to the digital ecosystem by creating uncertainty and increasing the cost for developers, users and investors. For example, enforcing the restrictions will require significant infrastructure, which could become a compliance burden for ISPs and tech firms, thereby increasing the cost of doing business. The broad nature of such powers means other users of the websites and applications are likely to be adversely affected by such restrictions. The blocking of Telegram, for example, is estimated to have cost the country USD 27.02 million (KES 4.2 billion). Similarly, the ripple effects of the shutdown in June were felt in Burundi, Rwanda and Uganda, causing a significant economic impact on users of internet and financial services.
Countries with similar laws to restrict websites and applications include Russia, China, India, UAE, and Turkey, and these countries have poor human rights records. It is likely that the adoption of such a retrogressive proposal could also trigger a decline in Kenya’s global rankings on internet freedom as well as its attractiveness as a favourable ICT investment destination – Africa’s Silicon Savannah.
Civil society has expressed concern over the intensification of digital authoritarianism and declining democratic governance in the continent. Similar concerns are being levelled against the recently adopted United Nations Convention Against Cybercrime, which continues a worrying trend of the adoption of cybercrime laws with vague definitions, broad scope and weak human rights protections.
It is important to note that while combating illegal activities like terrorism and child sexual abuse material is legitimate, these activities are often used to justify and introduce sweeping censorship and surveillance. Human rights bodies insist that such laws must comply with the 3-part test (be necessary, proportionate and provided by law) and have clear safeguards to prevent abuse, such as independent judicial oversight. KICTANet is a member of the #KeepItOn Coalition.