O m b o . D . M a l u m b e P a g e | i
COMPUTER HACKING AND/OR UNAUTHORIZED ACCESS: A CRITICAL
ANALYSIS OF THE LEGAL FRAMEWORK IN KENYA
BY
OMBO DUNCAN MALUMBE
(BLAW/112/01299)
A RESEARCH PROJECT SUBMITTED TO MOUNT KENYA UNIVERSITY IN
PARTIAL FULFILLMENT FOR THE REQUIREMENT OF THE AWARD OF
BACHELORS DEGREE IN LAW (LLB)
DECLARATION
I hereby affirm in positive that this research project is my original work and it has never been
forwarded to any facility for whatsoever award and is to partially fulfill the requisite requirement
of the award of Bachelor’s Degree in Law (LLB).
OMBO DUNCAN MALUMBE
REGISTRATION NUMBER: BLAW/112/01299
Signature……………………………………….. Date……………………………………..
Supervisor Approval
I confirm the work reported in the research project was carried out by the candidate under my
supervision.
Ms. Mercy Mutheu
Advocate of the High Court of Kenya
Head of Moot Court at the Mount Kenya University, School of Law
Lecturer at Mount Kenya University, School of Law
Signature………………………………………… Date……………………………………..
DEDICATION
The social, economic and not shying to mention the biological particles that when consolidated
build me, are deeply rooted to Mr. Radicliffe Lafont Malumbe and Mrs. Anne Mutsami Malumbe.
Being my parents, I have a lot of phrases and phraseology to show my humble and deep
appreciation for making me reach this far and be rich in knowledge, but that will demand a new
rostrum: so I engulf the whole bunch of utterances by saying Thank You. I applaud my siblings:
Ms. Rachel Susan Nyamisi and Master Philip Jackson Mutsami for offering the most suitable
environment for me to undertake my studies. This section will not earn the last full-stop without
acknowledging the prayers they always and still make in my favour, Thank You.
ACKNOWLEDGEMENT
It is not by my wishes to reach this far, hence, I insist to appreciate the Almighty God for the same.
Herein after, I trace my LLB journey, and thereof, I appreciate the efforts of Dr. Mercy Mutheu
for the ably guidance she has offered me when penning this dissertation paper, I take notice of Dr.
Maurice Awour for helping me to structure the initial stages of this dissertation paper. I extend my
gratitude to one Mr. Michael Murungi for offering documents that greatly helped in my research.
The unprecedented effort by one Attorney Karnika Seth for providing me with the requisite Indian
Laws, so as to execute the research with close knowledge of the Indian Laws.
I appreciate the conducive atmosphere that I was pampered with for the purpose of conducting my
research by the Library officials of the Mount Kenya University, Nairobi Branch.
I am indebted to my active peers, hence I utilize my ink to appreciate: Mr. JB Ong’anya, Mr.
Kipkemoi Sang, Ms. Natasha Juma, Mr. Gachogu Titus, Ms. Joy Chege, Mr. Philip Nyoro, Ms.
Fuad Zainab et al. who kept me abreast with the issues emanating under my subject matter.
May I mention Mrs. Esther Odari, Mr. Kenneth Muhanji for the unrelenting moral guidance they
offered me, and also Mr. Fred Mutsami for the material support.
ABBREVIATIONS
419 scam Nigerian Penal Code
Addl. Additional
App Application
Art. Article
AUCCSC African Union Convention on Confidence and Security in Cyberspace
Cap. Chapter
CERT Computer Emergency Response Team
CFAA Computer Fraud and Abuse Act
CIPIT Center for Intellectual Property and Information Technology
Cir. Circuit
Co. Company
CoK Constitution of Kenya
Crim. Criminal
CSIRT Computer Security Incident Response Team
Distt. District
EA East Africa
EAC East Africa Court
e-book electronic book
ECOWAS Economic Community of West Africa States
ECT Electronic Communication and Transaction Act
Ed. Edition
eKLR electronic Kenya Law Reports
ER England Reports
EU European Union
HC High Court
ICCPR International Covenant on Civil and Political Rights
ICESCR International Covenant on Economic, Social and Cultural Rights
ICT Information and Communication Technology
IMP Interception and Monitoring Prohibition Act
IPC Indian Penal Code
IT Information Technology
ITA Information Technology Act
ITAA Information Technology Amendment Act
Ke – CIRT Kenya Computer Incidence Response Team
Ke Kenya
Ltd Limited
NCSMP National Cyber Security Master Plan
NIS – Ke National Intelligence Service of Kenya
Pp page(s)
PROATIA Promotion of Access to Information Act
RICPCRIA The Regulation of Interception of Communications and Provision of
Communication
SA South Africa
Sec. Section
Title III Wiretap Act
UDHR Universal Declaration of Human Rights
UNCITRAL The United Nations Commission on International Trade Law
US / USA United States of America
USC United States Code
STATUTES
1. The Republic of Kenya
- Constitution of Kenya, 2010
- Evidence Act, Cap 80
- The Kenya Information and Communication Act, Cap 411A
- The Penal Code, Cap 63
- The Finance Act, 2012
- Data Protection Act, 2013
2. The Republic of South Africa
- Electronic Communication and Transaction Act
- Promotion of Access to Information Act
- Interception and Monitoring Prohibition Act
- Regulation of Interception of Communication and Provisions of Communication Related
Information Act
- Computer Evidence Act
- National Prosecuting Authority Act
3. Federal Republic of Nigeria
- Nigeria Criminal Code Act
- Economic financial Crime Commission Act
- Advanced Fee Fraud and related Offences Act
4. The Republic of India
- Information Technology Act, 2008
- Evidence Act
5. United States of America
- Electronic Communication Privacy Act
- Computer Fraud Abuse Act
- Wiretap Act
REGIONAL AND INTERNATIONAL LEGAL INSTRUMENTS
- The Banjul Charter
- The African Union Convention on Confidence and Security on Cyberspace
- Directive C/DIR. 1/08/11 on Fighting Cybercrime within Economic Community of West
African States
- The Budapest Convention
- Universal Declaration of Human Rights
- The International Convention on Civil and Political Right
- The United Nation Commission on International Trade Law
CASE LAWS
Alternative Media Limited v Safaricom Limited [2004] eKLR
Apple Inc. v Samsung Electronics Co., Ltd et al C 11-1846 & C 12-0630
Giella v Cassman Brown & Co. Ltd [1973] EA 358
Hedley Byrne v Heller [1964] AC 465
Heggy v. Heggy, 944 F.2d 1537, 1541-42 (10th Cir. 1991)
International Shoe Co. v Washington [1945] 326 US 310
Johnson Joshua Kinyanjui v. Republic [2002] HC Crim App
Nairobi Law Monthly Company Limited v Kenya Electricity Generating Company & 6
Others [2013] eKLR
Narlis v. South African Bank of Athens [1976] (2) SA 573 (A)
R v. Secretary of State for Home Department, ex parte Ruddock and others [1987] 2 ALL
ER 516
Republic v Kipsigei Cosmas Sigei & Another [2004] 19 HC
Reynolds v. Spears 93 F.3d 428, 435-36 (8th Cir. 1996)
Role Models America, Inc. v. Jones, 305 F. Supp. 2d 564 (D. Md. 2004)
Sanders v. Robert Bosch Corp., 38 F.3d 736, 740 (4th Cir. 1994)
United States v. Szymuszkiewicz WL 3503506 (7th Cir. 2010)
United States v. Townsend, 987 F.2d 927 (2d Cir. 1993)
United States v. Turk, 526 F.2d 654, 658 (5th Cir. 1976)
Williams v. Poulos 11 F.3d 271, 285 (1st Cir. 1993)
Ziegler Case
ABSTRACT
Kenya is a State that is appreciating the fruits of technology within the Government, commercial institutions, organisations and at the personal level. However, the rose flower never lacks a thorn, and technology has its own ramifications. In this context, the paper acknowledges the existence of cybercrimes, more so the ‘mother’ of all the cybercrimes. The term ‘mother’ is used to enunciate the fact that Computer Hacking and/or Unauthorized Access of Information is the first step taken before various other technological crimes follow suit.
Herein, Chapter 1 gives a glimpse of what computer hacking and/or unauthorized access to information is and a bit of its history. The same Chapter delves into the reasons why the subject is worth addressing with regard to Kenya, and views how other Nations and Organisations tackle cybercrimes.
Chapter 2 delves into the Kenyan laws that address the matter at hand, including the legal instruments that have an impact on cybercrimes: computer hacking.
Chapter 3 covers the legal instruments from African countries, namely South Africa and Nigeria; the African Union legal instrument addressing computer hacking and/or unauthorized access is also delved into.
Chapter 4 sources legal instruments from States outside the African Continent, namely India and the United States of America. The Countries are chosen in favour of the author’s interest, as the United States of America has a rich jurisprudence regarding cybercrimes, while India is a State from whose jurisprudence Kenya has in most instances borrowed.
In Chapter 5 of this paper, concentration is given to the Budapest Convention, a European Union Convention that gives the prudent standards that each State should make an effort to meet for purposes of addressing cybercrimes without causing confrontation among member States, while also creating room to harmonize the laws addressing cybercrimes among members of the EU.
The last part of this paper is Chapter 6, which comprises a Conclusion and Recommendations. These are given in respect of the research done to give birth to the initial five Chapters of this paper.
TABLE OF CONTENTS
TITLE PAGE
DECLARATION
DEDICATION
ACKNOWLEDGEMENT
ABBREVIATIONS
STATUTES
INTERNATIONAL STATUTES
CASE LAWS
ABSTRACT
TABLE OF CONTENTS
1.0 CHAPTER 1
1.1 Background of the study
1.1.1 Introduction
1.2 Statement of the problem
1.3 Objectives of the research
1.4 Research questions
1.5 Justification of the study
1.6 Literature review
1.7 Limitation to the study
1.8 Research methodology
2.0 CHAPTER 2
2.1 The Legal Framework in Kenya that stipulates about Cybercrime vis-à-vis Computer Hacking and interlinking to Privacy
2.1.1. Introduction
2.1.2. Constitution of the Republic of Kenya
2.1.3. Kenya Information and Communication Act Cap 411A
2.1.4 The Evidence Act, Cap 80
2.1.5 The Penal Code
2.1.6 The Finance Act
2.1.7 Data Protection Act
3.0 CHAPTER 3
3.1 Regional Legal Framework Addressing Cybercrime vis-à-vis Unauthorized Access to Information.
3.2 African Union Convention on Confidence and Security in Cyberspace
3.3 South Africa
3.3.1 Electronic Communications and Transaction Act
3.3.2 Promotion of Access to Information Act
3.3.3 Interception and Monitoring Prohibition Act
3.3.4 Regulation of Interception of Communications and Provision of Communication Related Information Act
3.4 Nigeria
3.4.1 The Nigerian Criminal Code Act, 1990
3.4.2 Economic Financial Crime Commission Act
3.4.3 Advanced Fee Fraud and Related Offences Act, 2006
3.4.4 Directive C/DIR. 1/08/11 on Fighting Cybercrime within ECOWAS
4.0 CHAPTER 4
4.1 States outside The African Region have framed their Laws vis-à-vis Cybercrime: Unauthorized Access of Information
4.2 The Republic of India
4.2.1 Information Technology Act
4.2.2 The Evidence Act
4.3 United States of America
4.3.1 Computer Fraud and Abuse Act
4.3.2 Wiretap Act
5.0 CHAPTER 5
5.1 Regional and International Organization on Cybercrime: Unauthorized Access to Information
5.2 Budapest Convention
6.0 CHAPTER 6
6.1 Conclusion
6.2 Recommendations
REFERENCE
1.0 Chapter 1
1.1 Background of the problem
1.1.1 Introduction
Computer crimes, or rather cybercrimes, are of different natures. A computer crime in which the computer itself is the target is regarded as hacking. Computer hacking is and will be used hereinafter to refer also to unauthorized access of data, information and/or information technology1.
Computer hacking is not a new term, more so to those societies that had the evolution of technology in their own States. The question that arises is when hacking was born. One recalls what happened at the Bell Telephone Company in the year 1878, when a number of male teenagers were employed as switchboard controllers. Through their acts or omissions they intentionally halted and misdirected calls2. Although this is not regarded as a mode of hacking, it can be seen as one form of undermining the hypothetical pros of technology.
Predominantly, technology has rooted itself into our society, and questions always arise as to the ameliorating and deteriorating ramifications of utilizing technology vis-à-vis computer(s). A few persons, when discussing technology, will be inquisitive as to the cons that come along with computer(s) or computerized gadgets.
1 Clough J. Principles of Cybercrime (Cambridge University Press New York, 2010) pp27
2 Tommy Doc, “First Hacks” ‘The Evolution of hacking’ [2013] ehow <www.ehow.com/info_12080965_evolution-hacking.html> (Accessed on 10th November 10, 2013)
Bearing in mind that networking vis-à-vis computers is not confined within one jurisdiction, one is led to the question of how matters relating to the compromising of computers can be dealt with. The initial cases of computer hacking were reported in 1960 and 1968.3
The society is dynamic; new significant factors keep emerging and, depending on society's perception of their good, they are gradually incorporated into society, and this is the case in Kenya vis-à-vis Information Technology. Kenya has seen the great significance of having computers; however, their utilization is not restricted. It is imperative to acknowledge the requisite fact that even states that are developed tend to have unresolvable and/or adjudication that negatively affect their jurisdictional Statutes.
Regarding Statutes, the Republic of Kenya has laws, but they are not well structured to deal with these matters; hence there is a lacuna that criminals exploit, rendering null Kenya's capability of curbing the crimes that come along with technology vis-à-vis computers.
Justice Yatindra Singh:
Inventions, discoveries and technology widen scientific horizons but also pose new
challenges for the legal world. Information Technology has also posed new problems in
jurisprudence. It has shown the inadequacy of law while dealing with it.4
3 In every act or omission there tend to be breach of law no matter how trivial a matter maybe. At some point, some acts or omission may go undetected; hence, those detected are those that will appear in an investigative report. Insofar as the fact that in one whole decade two hacking and/or cracking activities were reported it does not mean it was a frivolous issue at the eyes of the law.
4 Yatindra J Singh, Cyber Laws (5th ed, Universal Law Publishing Company, 2012) 3
On the 17th day of January 2012, one hundred and three (103) of the Government of Kenya
websites were defaced overnight, by an Indonesian hacker5.6
The aforementioned is not the only hacking that has taken place in Kenya; it is, however, a major attack in Kenyan history in relation to hacking and defacing websites. On or about the 21st day of July 2013, the Central Bank of Kenya’s website was hacked [and was in the control of the cyber-criminals] for almost five hours7. This shows how vulnerable the State’s websites are and that they are a great target; out of these attacks, the question a hypothetical person can ask is what laws are in place to curb this matter, bearing in mind that it is a crime committed within or over one State’s territory/jurisdiction.
Besides calling for legislative measures to be utilized as a supervisory instrument over cyber threats relating to the cybercrime of hacking, persons must also take the requisite measures to help curb the situation.
5 Dennis Mbuvi, ‘103 Government of Kenya websites hacked overnight’ [2012] CIO East Africa <www.cio.co.ke/news/main-stories/103-Governement-of-Kenya-websites-hacked-overnight> (Accessed 2nd of November 2013)
6 Yes! Many persons having malice aforethought might target the Government websites and the Government should not shy away from acknowledging such risks. A hypothetical person will be appalled that 103 websites were brought down in one night and having the knowledge, that Kenya is one of the states advocating for IT, it does show some sort of inadvertence on the Governments’ side. It is noteworthy to ascertain the State does not acknowledge the threats that come along with IT, thus why the State is attacked and having many of its websites shut down for a while.
7 Judy Nguta ‘Central bank of Kenya website hacked’ [2013] Standard Digital <www.standardmedia.co.ke/mobile/?articleID=2000089020&story_title=Central%20Kenya%20website%20hacked/business/> (Accessed 2nd of November, 2013)
Mr. William Makatiani:
Government websites and banking institutions remain the most vulnerable targets, most of
their websites are developed externally, but they rarely do a check on their security settings
or update them.8
The State must come up with a methodology of having each and every person’s gadget meet a certain standard. This may not be effective for every person, given differences in economic status, but institutions should not be spared, as they engage in activities that affect the public at large in case of any tampering with information; hence stringent policies and laws should be put in place to meet our situation.
8 Okuttah Mark, ‘80% of Kenyan websites vulnerable to cyber-attacks, says report’ [2012] Business daily Africa <www.businessdailyafrica.com/Corporate-News/Most-kenyan-websites-can-easily-be hacked- -report/-/539550/1462274/-/105r0rqz/-/index.html> (Accessed 2nd of November, 2013)
1.2 Statement of The problem
Acknowledging that computer hacking laws differ in every State, and that computer hacking ought to be ascertained so that punishment can follow, it is mandatory for a State facing cybercrimes, in this matter hacking, to enact legislative measures to tackle cybercrime. In that regard, the issue under the microscope is how the Republic of Kenya tackles matters relating to computer hacking, and what Kenya can learn from other States and Organisations around the world.
Furthermore, computer hacking is a form of crime that will find its way deep into society, owing to the fact that technology is introducing new ways of leading life in the whole world and most technological gadgets are operated by way of commands. This gives a warning on computer crimes and on how evidence of the same can be adduced before Court, given that Section 65 and Part VII of the Evidence Act, Cap 80 of the Laws of Kenya do not provide a requisite path for the same.
Relying further on authors who have dissected the topic of computer hacking, it is noteworthy to affirm that there is total ambiguity in the Kenyan jurisdiction in relation to computer hacking. The Kenya Information and Communication Act, Cap 411A and the Data Protection Act of 2013 do give a glimpse of what computer hacking (unauthorized access to information) is, but this does not mean that the law has captured the whole matter of computer hacking and other major cyber-crimes. In making a fair comparison of Kenya and South Africa, one will discover that there are various stipulations that capture issues of computer hacking, hence acknowledging that cybercrime is one of the major technological crimes that society is faced with.
1.3 Objectives of the Research
The research intends to:
1. Define what computer hacking is: considering a Computer as a discipline on its own and
Computer in relation to the legal world.
2. Acknowledge any laws in place within the Kenyan jurisdiction that provide on how
computer hacking can be dealt with.
3. Examine how the various cases of computer hacking have been dealt with within the Kenyan jurisdiction.
4. Understand on what basis the Republic of Kenya can borrow such laws or model its laws to fit Kenya’s situation and, owing to the fact that the crime keeps advancing in sophistication, how the law will be framed to meet the new cybercrimes.
1.4 Research Questions
i. Has or how far has the Kenyan Government taken the campaign of curbing computer
hacking within its jurisdiction?
ii. How is the Republic of Kenya co-operating with other States, both regionally and internationally, for the sole purpose of coming up with measures that will help reduce computer related crimes?
iii. How do other countries deal with computer hacking within their jurisdiction and when the attacks emanate from outside their jurisdiction?
iv. Does the legal framework instituted in Kenya tend to and/or comprehensively delve into matters relating to computer hacking?
v. With the knowledge elicited from other States, what could be the imperative
recommendation to the Kenyan Government to counter the rooting of computer hacking as
one of the major cyber-crimes?
1.5 Justification of the Study
After perusing the relevant statutes and the few articles and journals born in the Kenyan jurisdiction that address cybercrimes in the Kenyan context, it has been noted that cybercrimes are escalating, but the laws to address them are deficient, and where some law(s) are in place, they are not well articulated to address the issue.
Ostensibly, merely putting relevant laws into place will not solve the matter of cybercrime (herein computer hacking and/or unauthorized access to data, information and/or information technology). Just as there are army men to protect a nation when facing attack or to help on emergency issues, there ought to be a facility established for the sole reason of addressing and spearheading security in cyberspace9.
Little has been mentioned with regard to cybercrimes. A few Kenyans acknowledge how cybercrimes are taking root in society; this places each citizen at risk of losing valuable property, and on many occasions money and information are the greatest targets.
Owing to the aforementioned factors, this document will delve into computer hacking and/or unauthorized access of data, information and/or information technology, the reason being that it is the very first step that takes place prior to the commission of other crimes. For instance, prior to defacing a system one has to hack into it; prior to committing traditional crimes by use of computers and networks, hacking or unauthorized access will be the first step taken.
1.6 Literature Review
Ostensibly, addressing the cybercrime of “hacking” in Kenya is done more physically, albeit not in every sphere; from the legal perspective, the legal framework enshrined in Kenya does not vividly address the nitty-gritty of curbing these technological crimes, which are mostly untraceable owing to the sophisticated mode of committing them.
Little has been legally touched vis-à-vis computer hacking; however, in the media and at various conferences the issue of cybercrime is much discussed, given that the ramifications that come along with technology adversely affect many institutions and individuals directly and/or indirectly.
9 Kenya Information Communication Act, Cap 411A of the Laws of Kenya, authorized the Communication Commission of Kenya to come up with the Kenya Computer Incidence Response Team; See also the Draft of the African Union Convention on Confidence and Security in Cyberspace.
In a speech given by Bethwel Opil10, he stated:
While some businesses may view such rankings with little concern, they should in fact be
taking these realities seriously as these statistics will only get worse if the growing threat
of cybercrime is not understood and managed effectively,…cybercrime has been noted as
one of the biggest challenges for the [M]inistry of [I]nformation, [C]ommunication and
[T]echnology in Kenya, according to the [C]abinet [S]ecretary. In line with this, the
Kenyan Government declared war on cyber criminals in May 2013, which certainly
indicates the severity of the issues in the country.11
The question that emanates from the quote is whether the Government will act on impulse and enact legislation that leads to conflict of laws, acknowledging that formulating new laws will have some impact on other statutes, the best examples being the Evidence Act, Cap 80 of the Laws of Kenya and the Penal Code.
Kenya is applauded for having the Kenya Computer Incidence Response Team12 (Ke – CIRT) within the East African bloc13, albeit its 103 websites were compromised in one night. The requisite question that a hypothetical person will raise is whether there is need to have CIRT – Ke, yet we have poorly established websites and other computer related materials that are prone to cybercrimes such as hacking. However, the Government is trying to do its best via relevant and persuasive forums to generate ideas that will help in halting the rampant cases of cybercrime. Currently there is the National Cyber Security Strategy Master Plan14 (NCSMP)15 that is being developed for purposes of addressing the cybercrime issues and how to handle the same.
10 A manager at Channel sales for East Africa under Kaspersky Lab (2013)
11 Simnikiwe Mzekandaba, ‘Kenyan businesses face ‘cyber security threat’, says Kaspersky’ [2013] ITWeb Africa <www.itwebafrica.com/security/515-kenyan-businesses-face-cyber-security-threat-says-kaspersky> (Accessed on 10th November, 2013)
12 This is a Commission brought into existence by the provisions of The Kenya Information and communications Act CAP411A. The Commission is set for purposes of addressing the issues of cyberspace activities, this will be with regards to establishing cyberspace security and respond to whatsoever cyberspace crimes. This will be inclusive of collaborating with other players outside the Kenyan Jurisdiction. <www.cck.go.ke/industry/information_security/ke-cirt-cc/functions.html> (Accessed 16th of June 2014) (as then it was, now it is www.ca.go.ke)
13 Nairobi (Xinhua) ‘East Africa states prepare ways to collaborate on ‘cyber’ security’ [2013] Coast Week <www.coastweek.com/3622_48.htm> (Accessed on 10th November 10, 2013)
It is noteworthy that the Government is trying its best to ensure that cybercrime perpetrators are brought within the requisite legal framework, but this entails a lot of groundwork that the Government has to undertake. In that regard, the research undertaken herein addresses the issue of computer hacking and how it can be dealt with within the Kenyan legal framework.
Some authors have been persuaded by the magnitude of the way cyberspace is escalating in African countries, acknowledging that each State has its own challenges regarding issues relating to cyber law. This author digs deep into Kenya’s jurisdiction to show how policies and the legal framework in Kenya are built. The increasing use of computers and the internet in various spheres of human activity impacts both positively and negatively on social, economic, cultural and political aspects16.
14 The sole reason of having this document is to give the Government and Private sectors the requisite guidelines of how cybercrimes can be addressed vividly. <www.cio.co.ke/news/main-stories/kenya-launches-national-cyber-security-strategy-and-master-plan> (Accessed on 16th of June 2014); see also Kenya National Cyber Security Strategy Master Plan (2013)
15 CCK, ‘Kenya Declares War on Cybercriminals’ [2013] CCK <www.cck.go.ke/news/2013/War_on_cybercrime.html> (Accessed on 10th November 10, 2013)
16 Murungi M, Cyber Law in Kenya “Abstract” (Kluwer Law International 2011)
According to Murungi, there is an urgent need for the manner in which computers are utilized to be regulated, lest the technology (use of computers and/or computer related gadgets) becomes less viable to the society.
Geoffrey Sampson:
Computing is not yet like, say, medicine or architecture: no one is allowed to practice as
a doctor or as an architect without qualifications recognized by the appropriate professional
body, but as yet there are no legal restrictions on entry to the IT profession. However,
that is because our subject is still new; the situation is unlikely to last. Already in 2006
the British Government made the first moves towards introducing statutory controls on
entry to jobs in computer security, and it seems probable that this trend will spread to
other areas of the profession17.
In scrutinizing Sampson’s words, it is not disputable that anyone can utilize computers without the approval of a certifying body. In the legal field in Kenya, for instance, the Law Society of Kenya certifies one to be a Practicing Advocate and, furthermore, monitors one’s conduct directly or through clients’ complaints. Drawing on such measures undertaken by other professions, it would be prudent that, apart from having laws that give punitive measures to cybercrime offenders, there be some scheme that gives persons the right to utilize computers in a certain way.
The articles, publications and/or books penned by various authoritative writers portray that, since time immemorial, dealing with technological matters vis-à-vis the law has not been easy, and Kenya is no exception in facing the same challenges.
17 Sampson G. Law of Computing Students (Bookboon, Ventus Publishing ApS 2009) pp9
The aforementioned works have been well scripted, but the matter to be discussed herein is not well scripted in the Kenyan context as compared to other jurisdictions, as will be portrayed hereunder in the form of Chapters. Computer hacking is the subject matter under the microscope: how the legal structure of Kenya is framed to attain the purpose of controlling, curbing and/or appending surcharge on those who through their acts or omissions offend the law.
1.7 Limitation to the Study
While undertaking this research, it was noted that there is a deficiency of books, articles or journals that substantively address matters relating to cyberspace in the Kenyan jurisdiction.
Due to the lack of rich jurisprudence with regard to cybercrime in Kenya, there is much reliance on precedents from other nations. Irrespective of cybercrimes being of the same nature, each jurisdiction adopts terms that meet its own situation. It is noteworthy that Nations do not define cybercrimes in unison.
1.8 Research Methodology
In undertaking this research, primary sources of law will be utilized, that is, the various statutes of the Kenyan jurisdiction and those of other States. Furthermore, secondary sources accessible both at the library and online will be utilized for the same purpose. The secondary sources will include books, case law, journals et al., in soft copy or hard copy.
2.0 Chapter 2
2.1 The Legal Framework in Kenya that stipulates about Cybercrime vis-à-vis Computer
Hacking and interlinking to Privacy.
Predominantly, the law might not capture all the deviant activities that root themselves within the society;
this may be out of the inadvertence of the legislators or the society’s failure to raise the red flag, or
the capability of enforcing some laws may be inconvenienced by various cultural18 aspects. In
applauding the healthy Constitution that the Kenyan Government has planted through its citizenry,
the Judiciary and the advocates will have the leeway to utilize the international laws and treaties
that are available to define and prosecute some computer related crimes inclusive of the computer
hacking, and also Kenya being a Common Law State, case laws from various countries will be
utilized during the court proceedings.
Kenya is bound by the laws and treaties that it has ratified and other Conventions.19
Predominantly, no State can be guided by International Law alone and meet its National
obligations; for instance, despite the fact that the Constitution is termed the Supreme Law of the
Land20, this does not mean that the Constitution can be utilized to meet all the needs of the society.
Hence, other laws coming into place are required to be in conformity with the
Constitution. In that regard, the Government has the mandate to come up with laws about
cybercrimes21.
18 The term culture is not appended and utilized in the reasonable person assumptions; this is capturing the culture that people in a given society assume unlike the ethnicity-based culture. For instance a culture of preferring to give bribes to evade the jaws of law.
19 Art 2 (6) of The CoK
20 Art 2 (1) of The CoK
21 Cybercrime is a wide division which cannot be captured by one sentence (nutshell) and this ought to be looked at with its great gravity as it portrays. Currently, the State is malnourished with regards to Lex Specialis that can supervise Cybercrimes.
2.1.1. Introduction
Arguably, various sentences and/or provisions can be regarded to have captured the terms relating
to cybercrimes within the laws born in the Kenyan Jurisdiction. Albeit, this is not an assurance of
having viable laws to define, prosecute, argue matters with regards to Jurisdiction while
prosecuting (Internet does not have jurisdiction), inviting evidence to the Courts and authentication
of the sophisticated evidence.
Under the Bill of Rights in the Constitution of Kenya (CoK) there are various rights that were, can
be, are and/or they will be infringed by utilizing the Computer. The computer crimes may violate
a great deal of Human Rights; this is inclusive of Right to Life.22 As that may appall many people,
one should consider the definition of the term “hacker23, hacking, unauthorized access of
information” et al. With the help of computers (more clarification herein under) one can
manipulate the details inscribed on medical records and eventually lead to wrong medication,
hence leading to the death or incapacitation of a person. It is obvious that computers may play a
part in the commission of nearly every form of criminal activity, from fraud to murder24 (own
emphasis).
Reed Chris:
[In] the first category is traditional types of criminal offence that may be committed using
computers as the instrument of the crime, referred to as ‘computer-related crime’, such as
fraud. The second category concerns ‘content-related crimes’, where computers and
22 Art 26 of The CoK
23 The terms hacking/hacker and cracking/cracker seem to catch different meanings as some authors tend to define them; however, herein the terms hacker and hacking will be utilized to refer to the unauthorized access to information.
24 Reed C. Computer Law (7th ed, Oxford Press New York 2012) pp682
networks are the instrument, but the content itself is illegal, such as infringing intellectual
property and certain forms of pornography. The third category is offences that have been
established specifically of computer and communications systems, such as viruses and
other malware; ‘computer integrity crimes’.25
As stated in the book edited by Reed, it is noteworthy that various crimes do emanate when
computer hacking takes place; however, herein the subject matter is the laws that govern the crimes
that fall under cyber-crime and specifically Computer Hacking. The viability of the work by
Reed Chris, and clinging on his diction, is to spill the beans that the Kenyan legislators need to
discuss Computer Hacking at length as it is wide, and that the making of nutshell provisions
only opens an aisle of confusion within the Kenyan Jurisdiction.
2.2. Constitution of the Republic of Kenya
With regards to the CoK, 2010, there are no terms such as “computers, internet, cybercrime”; this
does not mean that it is mandatory, or even necessary, to have them mentioned under it so as to show the
need to address the issue. However, under Chapter Four (4) of the Bill of Rights in the CoK there
are various Articles that relate to Computers either directly or indirectly, and hence there ought to
be legislation that zooms in on the same division for purposes of clarity.
Hon. Carl Levin:
This is in addition to what is also well known, that China hacks the accounts of human
rights activists in order to suppress human rights (own emphasis) in China.26
25 Reed C. Computer Law (7th ed, Oxford Press New York 2012) pp682
26 Chinese Hacking: Impact On The Human Rights and Commercial Rule of Law <www.gpo.gov/fdsys/pkg/CHRG-113hhrg855/pdf/CHRG-113hhrg81855.pdf> (Accessed on 8th February 2014)
With regards to the diction of the United States Senator, while referring to a detailed report on the
activities of China towards Human Rights, it clearly displays how hacking is utilized in different
platforms to achieve some aims that are contrary to the Rule of Law.
The applicability of the CoK may be termed vertical; this is because the Government is the
custodian of the rights under the CoK, and hence the Government also oversees how other
organizations handle its citizens.
Joshua Gold:
[B]usinesses that have been hacked may face claims from Governmental authorities, such
as State Attorney Generals and consumer protection departments charged with protecting
the public from practices that are asserted to have imperiled consumers.27
This affirms that apart from the Government incubating and coming up with projects that will help
curb and control the rate of computer hacking within the country, the institution or organizations
have that mandatory duty to take requisite measures that protect the interests of its citizens28 or its
subscribers29.
When the Society is reluctant in addressing computer hacking due to ignorance, this creates the
law in action30 thus persons31 will continue to suffer from the impacts of computer hacking.
27 Joshua G. Data Breaches and Computer Hacking: Liability & Insurance Issue <www.andersonkill.com/webpdfext/ART_DataBreachesAndComputerHackingLiability.PDF> (Accessed 9th of February 2014)
28 Citizens will fall under the purview of a specified jurisdiction, herein Kenya.
29 By the term subscribers, it is noteworthy that some institutions such as PayPal do offer online accounts; hence it will be prudent for the institution to come up with reasonable measures to protect its subscribers. PayPal is accessed by persons from different Jurisdictions; hence, the term Subscriber is different from Citizens in this context.
30 This is a term by the Sociological School of Thought (Social Engineering), which states that, despite having coded laws, there are practices in the society that have been practiced (act or omission) and are assumed to be the norm.
31 The term “person” is incorporated herein due to the fact both the Artificial and Natural Persons will suffer from the effects of computer hacking. As much as terming an artificial person having Rights under the Bill of Rights of
However, the vertical relationship is not absolute as one can utilize the horizontal relationship to
make a claim where a person has the locus standi:
The Bill of Rights applies to all law and binds all State organs and all persons32.
Every person has the right to institute court proceedings claiming that a right or
fundamental freedom in the Bill of Rights has been denied, violated or infringed, or
threatened33.
As it will be discussed herein under, it is noted that the two provisions are imperative to enrich the
Kenyan Jurisprudence with regards to the Computer Hacking and other related Cybercrimes. It is
noteworthy to acknowledge the fact that, as much as the legislature is a State Organ given the
authority to make laws, the Judiciary does play a major role in making the laws conform to
the dynamic society and in acknowledging the need to foresee the future.
In Republic v Kipsigei Cosmas Sigei & Another34, it was held that despite the fact that there was
deficiency of laws with regards to the admissibility of Video Evidence, it was the obligation of the
Court to dispense justice, and hence the same will not be disregarded as much as there is no law
to that effect. The Court has the requisite mandate to determine matters on the inherent
reasonability it has and that is to apply the common sense approach.
That is one among the many instances in which the courts make laws or principles so as to catch up
with the dynamic society.
the CoK will be absurd, it will not be absurd to give artificial persons some of the “Citizen Rights.” Currently, Kenya is not offering some of the Rights to Artificial Persons. Right to ask for information was denied in: Nairobi Law Monthly Company Limited v Kenya Electricity Generating Company & 6 Others [2013] eKLR
32 Article 20 (1) of the CoK
33 Ibid n15 Article 22 (1) read together with Article 22 (2)
34 [2004] 19 HC
2.2.1 Right to life
The matter has been highlighted herein above; however, to raise the bar of the thoughts, and
walking away from the main division herein, it is worth inviting the most common cybercrime that has
led to the death of various persons: cyberbullying. Traditionally, cyberbullying
has been regarded as falling under the ambit of children, preteens and/or teenagers; however, it is
also affecting those above the “teen” parenthesis, but it is not regarded as cyberbullying35.
However, in the context herein, it is all about computer hacking. The umbilical cord between
computer hacking and cyberbullying is when one hacks into a computer or a computerized
gadget, elicits information in whatsoever form and uses it against a victim (the victim is the
person and not the computer) so as to cyberbully and cyber-blackmail the person, which in some
instances leads to the committing of suicide36.
Computer hacking has more than what meets the eye. After effecting the hacking of a computer,
server and/or a given system, one will thereon utilize whatsoever data is found for various
purpose(s): be it advantageous or disadvantageous to the owner or a third party, advantageous to
him/her or a third party and/or distortion of the whole data. The hacker might decide to distort
some vital information; the distortion of the information may possibly mislead the subscribers to
the source, and in one way or another this can lead to infringement of various Human Rights, such
as the Right to Life37.
So far, there have been no known incidents of a hacked medical device injuring or killing a person,
but researchers have demonstrated that [these] events are possible38. This proves that as much
35 <www.kean.edu/~schandle/Students/LNerilo/what%20is%20cyberbullying.htm> (Accessed on 16th of June 2014)
36 United States v Drew [2009] 259 FRD 449
37 Tanya L. Medical Devices Vulnerable to Hackers, New Report Says <www.m.livescience.com/39889-medical-devices-vulnerable-to-hackers.html> (Accessed 8th February 2014)
38 Tanya L. Medical Devices Vulnerable to Hackers, New Report Says <www.m.livescience.com/39889-medical-devices-vulnerable-to-hackers.html> (Accessed 8th February 2014)
as there are no reported cases over the same, the Right to Life of a person might be at stake now and
later on in future. An Australian medical clinic’s patient records have been forcibly encrypted by
attackers, who are demanding $4 200 to decrypt the data39. The holding of information at ransom
is deeply prejudicial to the patient(s); this is so because medication that is given at intervals
can end up being administered earlier or later than it is supposed to be, hence deterring the effects
of the medication or eventually leading to the death or incapacitation of the victim.
Jim Finkle; ed Tiffany Wu Allen et al
He (Barnaby Jack) told Reuters last week that he could kill a man from 30 feet away by
attacking an implanted heart device…Two years ago Jack turned his attention to medical
devices, while working [with] a team at McAfee that engineered methods for attacking
insulin pumps. Their research prompted medical device maker Medtronic Inc. to revamp
the way it designs its products.40
That expounds the ideology of how hacking can lead to breach of the Right to Life, and the cons of
the internet seem to play at a higher platform than the pros of the same. However, with the dynamic
society one cannot stall progress that is taking a great wave in the world. The Government should
be learning from its predecessors, that is, States that have developed in the Technology
world. As it is hard to regulate hard technology, the Government should consider how to control
soft technology and the interplay of the two technologies.
2.2.2 Human dignity and privacy
39 Mathew J. InformationWeek: Security//Attacks & Breaches ‘Hackers Hold Australian medical records Ransom’ <www.informationweek.com/attacks/hackers-hold-australian-medical-records-ransom/d/d-id/1107754> (Accessed on 8th February 2014)
40 Jim F. Reuters US ‘Famed Hacker Barnaby jack Dies A Week before hacking Convention’ <www.reuters.com/article/idUSBRE96P0K120130726?irpc=932> (Accessed on 8th February 2014)
The CoK provides that “Every person has inherent dignity and the right to have that dignity
respected and protected.”41 The same concept is raised and protected under Universal Declaration
of Human Rights (UDHR). This is among the fundamental Rights inscribed into the Constitution
and elicits its strength from various Regional and International Statutes42.
The Right to Privacy is a close relative of Human Dignity; the two are provided for under the CoK,
and there is rich Jurisprudence over the same under the Banjul Charter and other requisite
Conventions and treaties Kenya is party to.
The importance of the right to personal privacy became self-evident in the immediate
aftermath of the horrors of the Second World War. The right to principles of human
dignity and inherently linked to many other rights such as equal treatment and free
expression (own emphasis). A society that does not pay proper regard to personal privacy
is one where dignity, autonomy and trust are fatally undermined.43
Relating the quote to the Chinese hacking Report, it purports that the Republic of China does
infringe the privacy rights of its citizens, as Mr. Wen Yunchao44 explains how the Government has
been going through his private data45.
In Kenya it was vivid to the nation that the State had the intent of perusing through its citizens'
emails; however, most people called for a legal framework to be put in place. With regards to South
Africa, they have specific Acts that address and provide limitations on such imperative divisions.
41 Art 28 of CoK
42 Art. 2 (5) & (6) of the CoK
43 Liberty 80, <https://www.liberty-human-rights.org.uk/human-rights/privacy/> (Accessed on 8th of February 2014)
44 Independent Journalist and Blogger
45 Chinese Hacking: Impact on Human Rights and Commercial Rule of Law (US Government Printing Office, Washington 2013)
Hacking or unauthorized access to information, irrespective of the form in which the information
in that case is stored, can lead to other cyber-crimes46 that on the onset have an impact on various
Human Rights provided under the Bill of Rights under the Constitution of Kenya. Thus, the matter
of unauthorized access to information is a vital matter that needs to be addressed substantively.
Considering what happens after eliciting information, there are many serious crimes that
follow. Hypothetically, when one hacks into a victim's computer and elicits a person’s private images
or profile(s), the person who commits the crime might ask for monetary consideration so as not to
make the pictures public via the internet or any given social media platform.
2.2.3 Right to property.
Property does not necessarily cling only to physical matters; property also relates to ideas that
persons may have towards a certain division, and this kind of property falls under the strata of
property known as Intellectual Property. Intellectual property is an idea, a design etc. that
somebody has created and the law prevents other people from copying47.
The CoK does dictate under Article 40 on issues of property, however, the property being given a
wider view is Land. The CoK does even brush through Intellectual Property by giving the term
property the intellectual aspect48. In the so-called digitized era, it is noteworthy to acknowledge
that most persons happen to publish their intellectual Property to the internet for purposes of
reaching a large audience or subscribers to their work. However, as what happens to the physical
world, whereby persons may break into corporeal property and steal, in the internet one does hack
into the system or one accesses the computer that stores the incorporeal property and acquires the
46 Carter, E. Examining Cybercrime: Its Forms and Its Perpetrators (National University of Internal Affairs in Kiev, 2002)
47 Oxford Advanced Learners Dictionary 8th ed
48 Article 40 (5) of the CoK
property illegally49. The advantage of publishing copyrighted work on the internet, which makes
a work available to a wider audience, might also attract misuse and infringement of copyrighted
material50. This exposes the owner of the expressed ideologies to great loss, at times irreparable
loss51.
Marco Gercke:
Digitization has opened the door to new copyright violations. The basis for current
copyright violations is fast and accurate reproduction. Before digitization, copying a record
or a videotape always resulted in a degree of loss of quality. Today, it is possible to
duplicate digital sources without loss of quality, and also, as a result, to make copies from
any copy52.
Digitalization is a process that roots itself so deep and, with its fascinating nature, is irresistible
to great numbers of the members of the society; hence, the Government has the duty to
make a reasonable and expeditious plan on how to deal with cybercrimes such as computer hacking,
whereby one hacks into a system and elicits the given intellectual property (music, e-books, software
et al) and thereon distributes the same to unlicensed persons for free or at a lower price.
2.3. Kenya Information and Communication Act Cap 411A
Ostensibly, the diction afforded in the Act, does raise a lot of relevant questions as to the
authentication of the documents that will be provided for. Briefly, Sec. 83G of the aforementioned
Act provides as follows:
49 Clough J. Principles of Cybercrime (Cambridge University Press New York, 2010) pp29
50 Adam J. ICT Law book: A Source Book For Information and Communication Technologies & Cyber Law in Tanzania & East African Community (Mkuki na Nyota Publishers Ltd Dar es Salaam 2010) pp218
51 Meaning of irreparable damage as per: Giella V Cassman Brown & Co. Ltd (1973) EA 358
52 Marco G. Understanding cybercrime: Phenomena, Challenges and Legal Responses (ITU Publications 2012) pp 28
Where any law provides that information or other matter shall be in writing then, notwithstanding
anything contained in such law, such requirement shall be deemed to have been satisfied if such
information or matter is:—
(a) Rendered or made available in an electronic form; and
(b) Accessible so as to be usable for a subsequent reference
The aforementioned Act does give a glimpse53 of what unauthorized access to information is and
what it entails. Such a statute does not vividly address the nitty-gritties of why cyber laws ought
to be in place. Technology is swift but complex, and it will be easy to use such channels for data
diddling and so forth, hence, this leaves a lacuna that criminals can rely on, when committing
some crimes, as the viability of prosecuting a case through their evidence might not materialize.
The ideology that appends to computer crimes vis-à-vis computer hacking is given some light
under Sections: 83G, 83M, 83P, 83W, 83X and 84F54.
With weight being placed on Sec. 83G (a)55, it is worth appreciating that there ought to be
authentication of the data being relied upon by the Honourable Courts. In the due course of having
the same being acted upon as valid and viable, there has to be substantive proof that what is before
the court was not supplanted. This is one of the madcap clauses found in the law; as it is widely
uttered that there is no punishment without referral law, will the Governmental institution cling to that
ideology as Kenyan Jurisprudence is being diluted?
53 This is so, as some other States have special Act(s) in place that delve into what the matter of unauthorized access to information entails, for instance: Electronic Communications and Transactions Act, Interception and Monitoring Prohibition Act, South Africa; Wiretap, Electronic Communication Act, USA; Information Technology Act – 2008, Evidence Act, India.
54 The Kenya Information Communication Act, Cap 411A
55 The Kenya Information Communication Act, Cap 411A
The Act under this division is imperative to some extent as it stipulates on computer hacking and/or
unauthorized access to computer systems, documents et al.
Kenya Information Communication Act:
83U— Unauthorized access to computer data.
83V— Access with intent to commit offences.
83W— Unauthorized access to and interception of computer service.
83X— Unauthorized modification of computer material.
83Z— Unauthorized disclosure of password.
84A— Unlawful possession of devices and data.
84C— Tampering with computer source documents
84F— Unauthorized access to protected systems.
84G— Re-programming of mobile telephone56.
Herein above are some of the imperative stipulations of the act that touch on matters of hacking or
unauthorized access to systems, electronic gadgets and/or servers. The Act also introduces the
element of Mens Rea57, hence no strict liability. However that is per Sec. 83V, unlike Sec. 83U of
the Kenya Information Communication Act, which does not need Mens Rea, hence it is of strict
liability.
2.4 The Evidence Act, Cap 80
56 Kenya Information Communication Act
57 Guilty mind: Dean’s Law Dictionary
Kenya and other developing States are catching up with technology, such as the internet, for various
purposes. Thus, as most youths are regarded to acquire gadgets that can access the internet for purposes
of socializing, it is noteworthy to acknowledge that most commercial enterprises are taking
advantage of the same internet to advertise, execute business and/or register or inform their clients
et al.58
Jae. K, Anique. A, & Joel. G:
[Hence,] appropriate use should always be legal, ethical, reflect academic honesty, reflect
community standards, and show restraint in the consumption of shared resources. It should
demonstrate respect for intellectual property; ownership of data; system security
mechanisms; and individuals' rights to privacy and to freedom from intimidation,
harassment, and unwarranted annoyance59.
When it comes to matters relating to technology, the law enforcement bodies must be cautious about
how they admit and disregard evidence that is presented before them. In that case, the Evidence Act,
Cap 80 of the laws of Kenya, is an imperative legal document to be discussed60.
However, prior to delving into the Evidence Act of Kenya, it is noteworthy to recognize that it was
amended in the year 2009 so as to fit the evidence regarded as electronic evidence61. The
amendment was introduced by the Kenya Communication (Amendment) Act of 2008 assented in
200962.
58 UNITED NATIONS OFFICE ON DRUGS AND CRIME: Vienna “Comprehensive Study On Cybercrime” 2013
59 Jae. K, Anique. A & Joel. G International Handbook of Computer Security (Glen-lake Publishing Company Ltd Chicago USA, 2000) pp204
60 Sec. 65 and Part VII - Sec. 106A – 106I of the Evidence Act, Cap 80 of The Laws of Kenya
61 Part VII - Sec. 106A – 106I of the Evidence Act, Cap 80 of The Laws of Kenya
62 Evidence Act, Cap 80 (PART VII – ELECTRONIC RECORDS): Insert the following new part in Chapter III immediately after Part VI – Kenya Communication (Amendment) Act, 2009.
Cyber-crimes have a sophisticated way of execution, and thus there ought to be laws that permeate
over the computer related crimes. The current legislation that gives the measures one should
subscribe to when intending to invite evidence in court is less viable with regards to
evidence that will be tagged as being of electronic or computer nature. The Evidence Act does
have two imperative Parts that address issues relating to documentary and also electronic
evidence63.
Predominantly, the Evidence Act, Cap 80 of the laws of Kenya has given what can be termed as a
wider view on electronic evidence as compared to other Statutes. Section 65 (6) of the
Kenyan Evidence Act dictates on evidentiary issues vis-à-vis computer print-outs; the Act tends
to utilize terms that raise questions such as “what if?”
[C]omputer print-out containing the statement must have been produced by the computer
during the period in which the computer was regularly used to store or process
information for the purposes of any activities regularly carried on over that
period…64(own emphasis)
The best question that one should invite in this context is this: what if one hacks into the computer
and distorts the information that was stored in the storage data disk(s), and it is later printed; will
the Courts stick to the shallow view that, having proof that the computer printout is actually
from a given computer, the information is valid? With such an occurrence, there can be chances
of wrongful conviction or dismissal of matters before the court.
Hereunder is an eye-catching Section of the Evidence Act.
63 Sec. 65 (primary documents) and Part VII (Electronic Records) of the Evidence Act
64 Sec. 65 (6) (a) Evidence Act, cap 80 of The Laws of Ke
[T]he information contained in the statement reproduces or is derived from information
supplied to the computer in the ordinary course of business 65(own emphasis).
The accuracy of information can be distorted, as some States have the tendency of filtering the
data that is sent into their Jurisdiction. The Report, Chinese Hacking, on how the
Chinese Government managed to go through emails being sent to Mr. Wen Yunchao by hacking
into his Gmail account,66 proves that, at some point, the information that is “supplied to the
computer in the ordinary course of business67” can be manipulated or distorted, hence not being
the actual information sent or supplied in the first instance.
[The] lack of adequate training (own emphasis) of law enforcement officers will often
exacerbate68 the challenges being faced when adducing evidence for purposes of executing cases
against perpetrators. In appending the provisions of the Evidence Act and those of the Kenya
Information and communication Act, it is imperative to acknowledge that there are various stages
whereby the law enforcement officers are or will be required to have adequate skills as to dealing
with certain Crimes that emanate from the violation of certain provisions.
In Johnson Joshua Kinyanjui v. Republic69, the Honourable Courts declined to invite evidence that
was in computer print-out form; this was with regards to the fact that the prosecution did not call upon
an expert to authenticate the evidence in computer print-out form.
Thus due to the deficiency of expertise in the given field to authenticate the evidence, the Court
disregarded the evidence. It is imperative for such cases to be dealt with and delved into by the
65 Sec 65 (6) (d) of the Evidence Act, Cap 80 of The Laws of Ke
66 Chinese Hacking: Impact On The Human Rights and Commercial Rule of Law <www.gpo.gov/fdsys/pkg/CHRG-113hhrg855/pdf/CHRG-113hhrg81855.pdf> (Accessed on 8th February 2014)
67 The quote does mirror the diction utilized under Sec. 65 (6) of the Evidence Act, Cap 80 of the Laws of Kenya.
68 Reed C. Computer law (7th ed, Oxford Press New York 2012) pp715
69 [2002] HC Crim App
Government effectively; for that to be done, the Government has to have expertise in a
requisite field like Information Technology (hereinafter IT).
A document is defined as follows:
Notwithstanding anything contained in this Act, any information contained in an electronic
record which is printed on paper, stored, recorded or copied on optical or electro-magnetic
media produced by a computer (herein referred to as computer output) shall be deemed to
be also a document.70
Part VII of the Evidence Act provides on matters of Electronic Evidence, thus from Sec.
106A – 106B. Some of the diction under Sec. 65 (6) and (7) of the same Act has been repeated
under Sec. 106B (2) and (3) respectively.
Admissibility of documents under Part VII will be with regards to Sec. 106B (2), (3), (4) and (5).
Although the same does not mention matters relating to Cybercrimes directly,
the stringent provisions in place try to curb, if not stop, the reliance on documents that can be or
have been forged or altered for whatever reasons (this is best addressed by the Kenya Information
Communication Act, Cap 411A).
For purposes of certification of signatures, if a party to a case disputes the
authentication of the “secure signature”, the same will have to be litigated upon so as to
prove it is a valid electronic signature.
On matters relating to the proof and proof as to the verification of electronic signature, it
is provided under 106C and 106D.
Presumptions as to: gazette in electronic form, electronic agreements, electronic records
and electronic signatures and electronic messages, are provided under Sec. 106E – 106I71.
70 Sec. 106B of the Evidence Act of The Laws of Kenya
71 Evidence Act, Cap 80 of the Laws of Kenya
2.5 The Penal Code
A Penal Code is a legal instrument that provides and defines acts or omissions that are regarded as
crimes, and thereon it appends the requisite punishments for the same. The Black Law Dictionary
provides that: [A Penal Code is] a compiled list that describes and defines all of the offenses, as
well as the law which can be applied and the punishments that can be given72.
The Kenyan Penal Code is deficient of the terms that can be utilized to effect the prosecution of
Cybercrimes, this being inclusive of Computer Hacking. The diction utilized by the
legislature is based on the traditional crimes as the crimes were. However, there is some alteration
made so as to capture the fact that the traditional crimes have taken a different platform. This is
with regards to the requisite fact that most of the traditional crimes which are now committed
online happen to be committed after effecting unauthorized access to or hacking of computers and
related gadgets.
Herein, the argument will not be based on the types of murder, as matters relating to the Right to Life
have been addressed under the division of the CoK.
Chapter thirty four (XXXIV), under division seven of the Penal Code of Kenya, provides
definitions of terms relating to forgery of documents.
Penal Code:
Sec. 345 Forgery is the making of a false document with intent to defraud or to deceive.
Sec. 346 In this division of this Code, "document" does not include a trade mark or any
other sign used in connexion with articles of commerce though they may be written or
printed or in electronic form.73
72 Black's Law Dictionary, 2nd ed.
73 The Penal Code of Kenya
The Penal Code is not silent as to the type of document; it does specify a physical document or a computer
file. For this purpose, it can be stated that the documents herein can be defined based on a given
case.
The Oxford Advanced Learner's Dictionary 8th ed. provides:
[A]n official paper or book that gives information about [something] or that can be used as
evidence or proof of [something];
[A] computer file that contains text that has a name that identifies it74.
[A document is] an instrument on which is recorded, by means of letters, figures, or marks, matter
which may be evidentially used. In this sense the term “document” applies to writing; to words
printed, lithographed, or photographed; to seals, plates, or stones on which inscriptions are cut or
engraved; to photographs and pictures; to maps and plans75.
Acknowledging the definitions given by the Dictionaries more than relating to Black's Law
Dictionary, it is noteworthy to state that the documents under the Penal Code can be of whatsoever
nature. However, as much as a physical document will be authenticated by means such as delving
into the author's handwriting, signatories, witnesses et al., when it comes to computer file(s) as given
under the Black's Law definition of what a ‘document’ is, it is prudent to acknowledge that such
documents have a lot of complexities when it comes to authenticating the same.
In this context, what is provided under the Penal Code does not directly link to computer hacking or
unauthorized access to information76. However, in some instances it is after hacking into a system
74 The Oxford Advanced Learner's Dictionary 8th ed.
75 Featuring Black’s Law Dictionary 2nd ed. <www.thelawdictironary.org/document/> (Accessed on 16th of June 2014)
76 Sec. 345 – 348 of the Penal Code of The Laws of Kenya
that the same act (forgery of documents) can be committed77. Hence, this is the reason as to why
computer hacking comes into play in the given context.
The Penal Code is flowered with requisite terms like “electronic,” just like The Kenya Information
Communications Act, which provides the same and defines other electronic and technology terms.
It will be less prudent to discuss the punishment(s) in store for violators of a law (computer
hacking and/or unauthorized access) that is not in existence.
2.6 The Finance Act
A society is not a stagnant structure; as time goes by, a variety of changes always
take place, some positive and others negative. Some of these factors affect the law(s) in
place; hence, the legislature has the mandate to address the emanating issues. For that reason,
the Finance Act provides the requisite alterations that have to be made in various statutes in Kenya;
this includes definitions of terms and the introduction of new terms.
The Finance Act:
"[I]nformation technology" means any equipment or software for use in storing, retrieving,
processing or disseminating information;
"[C]omputerized motor vehicle registration system" means any software or hardware for
use in storing, retrieving, processing or disseminating information relating to registration
records of motor vehicles and trailers, the licensing of drivers, and the keeping of such
records in relation thereto as are required by this Act.78
As per the definition given of what Information Technology is, it is noteworthy that the
“equipment or software for use in storing, retrieving, processing or
77 Carter, E. Examining Cybercrime: Its Forms and Its Perpetrators (National University of Internal Affairs in Kiev, 2002)
78 Sec. 27 of The Finance Act 2013 of the Laws of Kenya
disseminating information” can be affected by the malicious acts or omissions that emanate from
hackers. This can be by installing new software that can alter the virtual information.
Linking the definition given with what Computerized motor vehicle registration system79 means in
the literal sense, Part IV – Public Documents of the Evidence Act of the Laws of
Kenya sheds light on what public documents are. Public Documents are regarded to be
admissible before a Court if they satisfy Sec. 80 and Part V – Presumptions as to Documents (Sec.
84) of The Evidence Act.
Thus, Electronic Documents can be made admissible before court, and this
depends on their authentication. Just as physical documents require the signature of
the holder of the document, for electronic documents there is the electronic signature that
can be linked to the private key and public key of the sender and the receiver respectively. The
receiver utilizes the public key infrastructure to certify that the document is actually genuine, thus
addressing the authentication of the signature.
As much as the Kenyan Jurisprudence concerning Information Technology is taking short steps to
address the subject matter in it, it is also quite prudent to acknowledge that all these documents can be
prone to forgery as the Penal Code provides. These Traditional Crimes take effect on the internet
after hacking or unauthorized access is made to whatsoever virtual documents, server and/or
computer.
2.7 Data Protection Act
The Data Protection Act addresses the essential factors that relate to virtual data. In defining
what “data” entails, the Act provides as follows:
79 Ibid n40
(a) is being processed by means of equipment operating automatically in response to
instructions given for that purpose;
(b) is recorded with the intention that it should be processed by means of such equipment;
(c) is recorded as part of a relevant filing system or with the intention that it should form part
of a relevant filing system;
(d) where it does not fall under (a), (b) or (c), forms part of an accessible record;
(e) is recorded information held by public entity and does not fall within any of paragraphs
(a) to (d)80;
The Data Protection Act utilizes terms such as “processed,” “equipment operating automatically
in response to instructions,” “part or should be part of a relevant filing system” and thereon it
stipulates that in the event whereby the data does not fall under the first three provisions of what
data entails, but forms part of an accessible record, it will be deemed data for that purpose.
The Act does extend its arm to “recorded information held by public entity” that does not fall under
the ambit of the first four stipulations. This affirms that the Act is taking cognizance of the
unauthorized access of information whereby information is not in the virtual formality.
The aforementioned Act does provide for the protection of personal information; the extensive
definition of what personal information entails is offered in the Data Protection Act.
“[P]ersonal information” means information about an identifiable individual, including,
but not limited to−
(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or
social origin, colour, age, physical or mental health, well-being, disability, religion,
conscience, belief, culture, language and birth of the individual;
80 Sec. 2 (1) of the Data Protection Act of The Laws of Ke
(b) information relating to the education or the medical, criminal or employment history of
the individual or information relating to financial transactions in which the individual has
been involved;
(c) any identifying number, symbol or other particular assigned to the individual;
(d) the fingerprints, blood type or contact details including telephone numbers of the
individual;
(e) correspondence sent by the individual that is implicitly or explicitly of a private or
confidential nature or further correspondence that would reveal the contents of the original
correspondence to a third party;
(f) a person’s views or opinions about another person; and
(g) any information given in support or relation to a grant, award or prize proposed to be made
to an individual;81
The Act provides what Personal Information is, and it further provides that the stated are not the
only types of information that can be termed as personal information. This means that what
personal information is will always be discussed on a case-by-case basis.
Owing to the sensitivity of the matter, the law does require major factors to be considered while
dealing with personal information; these include, but are not limited to, consent, lawful use, storage or
retention as per the provisions of law, safeguarding of the information et al.82.
As much as the Information Technology and Law jurisprudence is quite young in the Kenyan
jurisdiction, it is valuable to note that laws are in existence that will help
to solve the cybercrime mayhem and reduce the chances of a State being a cyber-criminals'
haven.
81 Sec. 2 (1) of The Data Protection Act of the Laws of Kenya
82 Sec. 4 of the Data Protection Act
Some countries may even see opportunities to establish themselves as ‘data havens’, providing
maximum privacy and minimal regulation of content hosted there.83
Jonathan Clough:
Accessing wireless networks, with or without authorisation, may conceal the identity of
the actual user even if the location can be identified. Data may be stored deliberately in
jurisdictions where regulation and oversight is lax…For others, particularly in the
developing world, cybercrime may simply not be a priority.84
In the words of the author, it is quite clear that perpetrators in cyberspace will take advantage of
States that lack effective provisions that address the matters of cybercrime.
The recognition of the fundamental right to privacy is also enshrined in the Act. This does balance
the way in which a given institution or facility will utilize the personal information of a given
person85. It also helps in controlling the horizontal relations between citizens and other persons in
different jurisdictions, whereby each citizen has to respect the privacy of each person.
Cybercrime Strategy:
Individuals can protect themselves by controlling the amount of personal data they make
available on the internet. However, the use of privacy enhancing technology in systems can
also enhance an individual’s privacy, help reduce the risks of privacy breaches and the
significant costs associated with them and build trust between customers and clients.86
The Cyber Crime Strategy Cm 7842 of the British Government alludes that citizens can help in
controlling the chances of infringement of their privacy. However, the same report does acknowledge
83 J. N. Geltzer, ‘The new Pirates of the Caribbean: How data havens can provide safe harbors on the internet beyond Governmental reach’ (2004) Southwestern Journal of Law and Trade in the Americas 433.
84 Clough J. Principles of Cybercrime (Cambridge University Press New York, 2010)
85 Sec. 4 of the Data Protection Act
86 Secretary of State for the Home Department by Command of Her Majesty. Cyber Crime Strategy Cm 7842 (2010)
the difficulties of personal initiative to protect one's own privacy. In the light of the social classes in
society, the vast majority cannot protect themselves from attacks on electronic gadgets by cyber
criminals.
Agencies are given a mandate to deal with personal information with caution; this will include
coming up with programs that will ensure such information shall be kept as per the policies of the
institution and reflecting the wishes of the laws in place.87
An agency includes public entities and private bodies.88 This means that banks, educational
facilities, the human resource function in each institution, hospitals, research facilities et al. are also included.
In the event one suspects that a given agency has in store his or her personal information,
the person has the right to inquire about the same. However, the Freedom of Information Act will
guide the procedure and the kind of information to be elicited.89
The Act’s diction does provide that it is not advisable for an agency to assign Unique Identifiers
to individuals. However, the same statute does offer an exception to the general rule. In the event the
Unique Identifier is assigned to the same individual by a different agency, it is not licit unless the
two agencies are regarded as an association as per the Income Tax Act; the Unique Identifier should
have been assigned to a specific individual.90
87 Sec. 8 of the Data Protection Act
88 Sec. 2 (1) of the Data Protection Act
89 Sec. 9 of the Data Protection Act
90 Sec. 14 of the Data Protection Act
3.0 CHAPTER 3
3.1 Regional Legal Framework Addressing Cybercrime vis-à-vis Unauthorized Access to
Information.
3.2 African Union Convention on Confidence and Security in Cyberspace
In the light of the fact that Africa as a Region suffers from a deficiency of laws and/or policies
that address matters that relate to technology and/or cybercrimes directly or indirectly, the African
Union came up with the Draft of African Union Convention on Confidence and Security in
Cyberspace of 2012 (hereinafter referred to as AUCCSC). The aforementioned Convention is
expected to meet some of the contentious issues that persons, institutions and the Government
suffer from concerning the ramifications of cyberspace (herein with regard to computer
hacking or unauthorized access).
Talwant Singh91 stated that success in any field of human activity leads to crime that needs
mechanisms to control it92. Thus, as stated in the initial chapter of this document, it is noteworthy
that the AUCCSC has come up with extensive or expansive provisions to address the cons
that come along with the pros of technological factors that are now sweeping the African Region
at a high rate, hence the need for them to be put under the radar.
The AUCCSC is not yet effective, as there has been opposition to it. According to Strathmore
University’s Centre for Intellectual Property and Information Technology (hereinafter referred to
as CIPIT), there is great concern that the AUCCSC gives the judges absolute power on a ground that
91 Addl. Distt. & Sessions Judge, Delhi
92 Talwant S. CYBER LAW & INFORMATION TECHNOLOGY <www.delhidistrictcourts.nic.in/ejournals/CYBER%20LAW.pdf> (5th of February 2014)
will lead to grave violation of Africans’ Human Rights, thus the Right to Privacy93; hence there
is need for that to be addressed prior to planting the AUCCSC94.
Strathmore University’s CIPIT argument is viable. Delving into how the AUCCSC defines
its terms, it states as follows:
Consent of data subject means any manifestation of express, unequivocal, free, specific
and informed will by which the person concerned or his/her legal, judicial or treaty
representative accepts that his/her personal data be subjected to manual or electronic
processing95 (own bold).
With regard to that definition of what “Consent of data subject” is, it means that the person
concerned is given the first and foremost opportunity to give his or her consent; however, the person
concerned is not the only person who can give consent. The consent can be obtained through his/her
legal, judicial or treaty representative. Ostensibly, this affirms that irrespective of a person’s wish,
third party players can allow the analyzing and processing of one’s data.
The CoK provides that:
Any law (own emphasis), including customary law, that is inconsistent with this
Constitution is void to the extent of the inconsistency, and any act or omission in
contravention of this Constitution is invalid96.
Thus “Any law…” is inclusive of the laws, treaties and/or conventions provided under Article
2 (5) & (6) of The CoK. Thus, if the same is read together with Article 2 (4), it is worthy to ascertain
93 Art 5 of The Banjul Charter; and Art 28 & 31 of The CoK
94 <www.itwebafrica.com/security/513-africa/231821-kenyan-bid-to-stop-flawed-au-cybersecurity-convention> (Accessed on 22nd of May 2014)
95 Part II, Section 1, Art. II – 1 (2) of the AUCCSC
96 Art 2 (4) of The CoK
that the AUCCSC, where it infringes Article 31 of the CoK and other International Instruments as
provided by the CIPIT, shall be null and void to the extent of its inconsistency. The need for
cyberspace laws and/or policies to be consistent with the national law (herein the Constitution)
and other legal instruments should be acknowledged97.
However, ignorance of the law is no defence, thus it is hypothetical for the same to be addressed
prior to the planting of the AUCCSC.
Herein the AUCCSC will be addressed in three segments, as it is itself partitioned into three parts98.
The discussion will not be based on all the provisions under the Convention, but will delve into the
provisions that have an impact on computer hacking and/or unauthorized access to information.
AUCCSC - Part I: ELECTRONIC TRANSACTIONS
Electronic commerce means the act of offering, buying, providing of goods and services
over electronic systems such as the Internet and other networks99.
It is prudent to acknowledge that when transactions take electronic form, there are
various questions as to confidentiality. Confidentiality herein is about the information that is
regarded as private to the party hoping to undertake transactions through electronic
platform(s). Globally, cybercrime acts show a broad distribution across financial-driven acts and
computer-content related acts, as well as acts against the confidentiality, integrity and accessibility
of computer systems100.
97 Art 6 – III : Right to Citizens of The AUCCSC
98 ELECTRONIC TRANSACTIONS; PERSONAL DATA PROTECTION; and PROMOTING CYBERSECURITY AND COMBATING CYBERCRIME of The AUCCSC
99 Part 1, Sec. I, Art. I – 1 (3) of The AUCCSC
100 UNITED NATIONS OFFICE ON DRUGS AND CRIME: Vienna “Comprehensive Study On Cybercrime” 2013
In the event the information is accessed by unauthorized persons or persons who exceed the
authority they have been afforded, it leads to violations of laws; hence the same has to be addressed
vividly. The information should be protected through a process known as Cryptology101.
The rapid pace with which software is developed means that ‘bugs’ in software are inevitable, with
hackers seeking to exploit these vulnerabilities before they are rectified102. As much as
various institutions take the initiative to have the confidential information in their
systems secured, it is noteworthy to also acknowledge that hackers can compromise the system by
identifying various bugs that will allow them to acquire swift access into the computer systems,
servers and electronic gadgets that have the confidential information.
In acknowledging the fact that there are various traditional crimes that can be undertaken by third
parties and/or employees in an organization103, it is prudent to try and make sure that, in the event
evidence is produced before a court, it does not mislead the Court but represents the imperative
factors as they ought to be. Thus, when a system, server, or electronic gadget that is utilized in
electronic transactions is compromised, there are chances that the perpetrator has caused data
diddling and/or salami attacks et al.
Hence, for evidence or electronic documents to be presented before court for purposes of
supporting and/or defeating a given submission, the evidence or electronic documents must meet
some requisite measures, as the legislature will have provided. This is also provided by the
AUCCSC as follows:
101 Part 1, Sec. I, Art. I – 2 (10) of The AUCCSC : the science of protecting and securing information particularly for the purpose of ensuring confidentiality, authentication, integrity and non-repudiation
102 Australian High Tech Crime Centre, Malware: Viruses, worms, Trojan horses, High Tech Crime Brief no. 10 (AIC, 2006)
103 Carter, E. Examining Cybercrime: Its Forms and Its Perpetrators (National University of Internal Affairs in Kiev, 2002)
Where a written matter is required to validate a legal act, a member State may by legislation
establish the conditions for the functional equivalence of electronic communications to
paper-based documents104.
Where a matter written on paper has been subject to special legibility or presentation
requirements, a written matter in electronic form shall be subject to the same
requirements.105
With regard to the aforementioned Article of the AUCCSC, it is imperative for a State to come up
with provisions that will effectively meet those standards, so that an Honourable Court cannot
be misguided by the facts before it.
However, some documents have been qualified not to meet the provisions under Art. I – 20 of the
AUCCSC. Thus, these documents ought to be in their physical formalities as the degree of
alteration is high, and ascertaining the authenticity of the same documents might be a hard task
for the Courts in case of any matter that arises, such as a person’s demise. The AUCCSC provides as
follows:
Acts under the signature of a private individual, relating to family law and law of
succession; and
Acts of civil or commercial nature under the signature of a private individual, relating to
personal or real security in solidarity with domestic legislations, except where such acts
have been established by a person for the purposes of his/her profession106.
104 Art. I – 20 of the AUCCSC
105 Part 1, Sec. IV, Art. I – 20 of The AUCCSC
106 Art. I – 21 of the AUCCSC
It is quite prudent for one not to take lightly evidence that is categorized as of electronic nature, as
the weight it carries is equal to that of physical evidence, also referred to as paper based
evidence. In support of this assertion, the AUCCSC provides that:
An electronic written matter shall be admissible as proof on equal terms as paper based
written matter and shall have the same evidentiary weight as the latter, provided the person
who is source thereof can be duly identified and that it is prepared and conserved in
conditions that guarantee its integrity107.
Art. I – 27 of the AUCCSC raises many questions, as it grants a lot of power
to a Judge, or whoever will be administering proceeding(s) that fall under the umbrella of
electronic and/or computer based matters. Just to preview the same, it states as follows:
Where the legislative provisions of Member States have not laid down other provisions,
and where there is no valid agreement between the parties, the judge shall resolve proof
related conflicts by determining by all possible means the most plausible claim regardless
of the message base employed.108
The AUCCSC provides that the Certification of documents by a State authority will be effective, and
it further states that any act undertaken in the electronic form will have the same weight as that of
the act itself in the real world109. When one hacks or accesses unauthorized information and/or
exceeds his or her authority, the act is to be dealt with as a matter that happened in the
real world; only the evidentiary matters are the ones that will be complex.
107 Art. I – 24 of the AUCCSC
108 Art. I – 27 of the AUCCSC
109 Art. I – 28 of the AUCCSC
Matters relating to electronic signature and authentication of the same have been provided for
under the AUCCSC110. This is imperative, owing to the fact that perpetrators can access the
documents and/or the information and alter it; hence, there is the requisite need to ascertain
the authenticity of the documents in this case, not only the signature but also the content.
AUCCSC - Part II: PERSONAL DATA PROTECTION
What ‘personal data’ entails will differ from time to time and case to case, as this
can be information which, if it reaches the public domain or a certain person or group of persons,
will be prejudicial to the victim. In many cases, persons have utilized personal data to blackmail
the victims, so as to attain a certain benefit or favour from them. On the other hand, personal data
can be used to commit traditional crimes that centre on monetary gain; this can include crimes
such as the salami attacks111, identity theft et al.
It is prudent for various institutions, Governmental organizations and persons as individuals to take
the requisite measures to protect their personal data. However, the Governments should spearhead
the efforts to have policies that will help address matters that relate to personal data protection and
cybercrimes as a whole.
In spearheading policies that institutions have to observe so that they can protect persons’
private data, it (The Government) will take action against institutions that are reluctant to effect
the same.
The eye catching terms:
110 Art. I – 29 & 30 of the AUCCSC
111 In Ziegler Case, the principle of de minimis transfer is expressed by actions of the defendant after mounting a programme in a bank, that helped him elicit money from accounts of the bank’s clients.
Consent of data subject means any manifestation of express, unequivocal, free, specific
and informed will by which the person concerned or his/her legal, judicial or treaty
representative (own emphasis) accepts that his/her personal data be subjected to manual
or electronic processing112.
As provided for in the introductory part of this Chapter, it is quite easy to affirm that there are
chances that the information of a given person will be subjected to scrutiny (data processing) without
the consent of that person. This is because there are third parties who have been given the authority
to give consent on behalf of a person.
It will be valuable if the legislature makes demarcations as to the instances in which third parties can
give consent for a person concerned, so that the personal data can be scrutinized and/or processed.
Processing of personal data is as per the definition given under Art. II – 1 on Personal Data
Processing.
Personal data means any information relating to an identified or identifiable natural
person by which this person can be identified, directly or indirectly in particular by
reference to an identification number or to one or more factors specific to his physical,
physiological, mental, economic, cultural or social identity113.
It would be much more hypothetical to acknowledge artificial persons; this is because there is
information that can be regarded as exclusive to a given artificial person. Herein, a simple example
is the formulas an artificial person utilizes to produce certain products.
112 Part II: Sec. 1: Art. II – 1 (2) of the AUCCSC
113 Part II: Sec. 1: Art. II – 1 (4) of the AUCCSC
In acknowledging competition in the corporate world and other institutions, it is of relevance that
the same right under Art. II – 1 (4) be given to corporations.
In Apple Inc. v Samsung Electronics Co., Ltd et al.114, it was decided that Samsung had aped the
design and the mode in which the applications/software of the Apple gadgets are, and Samsung
was to pay for the infringement of Apple’s patent rights.
Looking at this context, it is vivid that a natural or artificial person115 can hack into the system of
another corporation and elicit, alter, copy and/or process the data thereof.
Section III of Part of the AUCCSC gives a picture on how States have to establish Institutions that
will help in the protection of the personal data, and thus the same data can be processed in
accordance with the domestic laws.
Each Member State of the African Union shall establish an authority with responsibility to
protect personal data.
This national authority shall be an independent administrative authority with the task of
ensuring that the processing of personal data is conducted in accordance with domestic
legislations116.
The institutions will have autonomy, in the sense that the Government should not have a hand in
how the duties of the Institution are dispensed.117 This is imperative, as it is known that in many
jurisdictions the Government always taps people’s conversations and delves into persons’
114 C 11-1846 & C 12-0630
115 If the artificial person does employ a natural person to commit a given crime, it will be prudent to utilize the Principle Of Lifting The Veil, and whereby the artificial person commits a crime, the crime being committed by an employee while performing the duties given to the natural person, then the liability will be appended on the employer under the Principle Of Vicarious Liability.
116 Part II: Sec. III: Art. II – 14 of the AUCCSC
117 Part II: Sec. III: Art. II – 19 of the AUCCSC
information without consent, under the pretext of National Security matters. However, it is unknown
to the public what kind of information is elicited, how likely the information tapped is to be
exposed to third parties and/or how the information will be utilized for reasons other than
that for which it was intended. Herein under is what the Convention states:
Membership of the national protection authority shall be incompatible (own emphasis)
with membership of Government, the exercise of the functions of enterprise executive and
shareholding in enterprises of information and telecommunication technologies sector118.
Incompatible: two or more relations, offices, functions, or rights which cannot naturally, or may
not legally, exist in or be exercised by the same person at the same time119.
Clinging to that definition and reading the Article in a holistic manner, it portrays that the
Government will not be given the opportunity to give directives as to how the institution will be
run.
Functions of the Institution
Chapter II of Part II of the AUCCSC provides for the functions of the institution that is
purported to be established by every State that is a member of the African Union.
The function of the anticipated institution, which is to be born after the AUCCSC is passed, is
imperative as it touches on matters of computer hacking and/or unauthorized access of information.
As much as the institution will be entrusted with the duty to process personal data, it is relevant to
acknowledge that some persons who have personal malicious intentions may exceed their authority
118 Part II: Sec. III: Art. II – 19 of the AUCCSC
119 Black's Law Dictionary 2nd ed
or that there are employees who have been pushed and/or blackmailed to elicit certain
information and give it to a third party.
Such cases will never cease to exist; hence, as the functions of the institution are provided for,
there ought to be a surcharge in the event that the same authority is violated, as in this case it leads to
unauthorized access of information, which is the same as hacking.
AUCCSC, highlighting the eye-catching functions of the Institution:
The national protection authority shall ensure that ICTs do not constitute a threat to public
freedoms and private life of citizens. To this end, it shall:
1) Respond to every request for opinion regarding personal data processing;
2) Inform the persons concerned and the data processing official of their rights and
responsibilities (own emphasis);
… … …
7) Undertake the audit of all processed personal data, through its agents or through
sworn agents (own emphasis);
… … …
9) Update the processed personal data directory and circulate to the public (own
emphasis);
… … …
11) Authorize cross-border transfer of personal data (own emphasis);
… … …120
Function number one does not state the limitations on what information can be given
to a third party, and it is also valuable to note that the person asking for the information also matters
in this case, for instance where the information is asked for by the Government, by an institution falling
under the private sector, or by other regional States and/or States located outside Africa.
It is quite evident that this function is well stipulated, but to some extent it contradicts what the
same Convention provides when defining “Consent of data Subject”.
As per the AUCCSC, there are third parties who are regarded as agents of the institution, but it
raises eyebrows as to the number of persons the personal data passes through prior to reaching the
final institution121. When the chain becomes too long it can create a lacuna within the main
institution and those agencies. This is because one will not be able to note the employee or
employees who are acting contrary to the code of conduct and violating other laws.
Section 9 should be expounded upon so as to specify what kind of information could be circulated to
the public, because if left as it is, it is equivocal.
Just as other States, more so the developed States, tend to protect the interests of their citizens at a
higher degree, it will be valuable for the institution to put the interests of its citizens at a higher
degree. This is with regard to how Section 11 of Art. II – 23 of the AUCCSC is to be executed.
Compromising the laws will lead to violation of the various Human Rights under the
Constitution and other laws subordinate to the Constitution.
120 Art. II – 23 of the AUCCSC
121 Sec. 7 of Art. II – 23 of the AUCCSC
It is for violations of the functions of the Institution that the Convention has given a definitive
surcharge that can be imposed on any official who violates the functions as stated herein.
AUCCSC:
Where the data processing official fails to comply with the formal demand addressed to
him/her, the national protection authority may impose the following sanctions after
adversarial proceedings:
1) Provisional withdrawal of license;
2) Definitive withdrawal of license;
3) Pecuniary fine122.
The Convention does not provide for what happens to the information in the possession of a
person who violates the provisions on how the functions of the institution ought to be observed. However,
it concisely addresses the matter as provided hereunder:
In case of emergency, where the processing or use of personal data results in violation of
fundamental rights and freedoms, the national protection authority may, after adversarial
proceedings, decide as follows (own emphasis):
1) Interruption of data processing;
2) Locking up some of the personal data processed;
122 Article II – 25 of the AUCCSC
3) Temporary or definitive prohibition of any processing at variance with the provisions of
this Convention123.
It is not quite hard to state that the National Protection Authority will be capable of initiating a
proceeding and anticipating a decree that will enable it to obtain one if not all three of the remedies
available124. This is because when a person decides to hack into a system to do something he or she
is not given the authority to do, it will take quite a short period before his or her intents have
been achieved.
The Convention provides for these measures only after the adversarial proceedings125, meaning that even
before an interim injunction is effected, the perpetrator might have committed the crime and even tried to clear
his or her tracks. Hence, this Article ought to be looked into again by the legislature. However, the
closest alternative to this can lead to violation of Human Rights, as even the perpetrator has rights
before the law.
The legislature can frame the policies as follows: the officials under the National Protection
Authority shall be granted a warrant of seizure of computers and any other electronic gadget and/or
computer that is directly or indirectly linked to any computer or server that can be of relevant use
in establishing the crime that was, is or will be committed or substantiate the prosecution’s case.
This is in consideration of the principle that ought to be utilized when establishing that one’s rights
are going to be gravely violated, and hence that one should be granted an interlocutory injunction,
a standard which is not easy to satisfy before the court as expeditiously as it ought to be. Consideration
is also given to whether the same interlocutory injunction might affect the rights of the respondent in that matter.
123 Article II – 26 of the AUCCSC
124 Article II – 26 of the AUCCSC
125 Art. II – 25 of the AUCCSC
Chanan Singh J. acknowledged the same in Alternative Media Limited v Safaricom Limited126,
whereby he quoted from Halsbury “an interlocutory injunction will not, however, be granted
where the plaintiff can be properly protected by the Defendant being ordered to keep an account
and the Defendant might suffer irreparable injury from an injunction restraining him from
publishing pending the trial, nor will an interlocutory injunction be granted if the plaintiff has
been guilty of undue delay in coming in the court or his conduct has amounted to an acquiescence
in the infringement, or there is any substantial doubt as to the Plaintiff’s right to succeed.”127
The general principles to consider prior to earning an interlocutory injunction are
provided in Giella v Cassman Brown & Co. LTD128, which provides for:
- Probability of success;
- Irreparable harm which will not be adequately compensated for in damages; and
- If in doubt then on a balance of convenience129.
Article II – 28 espouses that the persons concerned, upon whom data processing is to be
carried out, will give consent; however, there are several exceptions to this general rule. For
instance, where it is a matter of public interest, compliance with a legal obligation, in the interest
of the person so affected, or to safeguard the interest and fundamental rights130.
This should be regulated so that the same cannot be used as a leeway to violate Human Rights.
126 [2004] eKLR
127 Alternative Media Limited v Safaricom Limited [2004] eKLR
128 [1973] EAC 358
129 Giella v Cassman Brown [1973] EAC 358
130 Sec. 4 of Art. II – 28 of the AUCCSC
Article II – 29 affirms that the activities under Article II – 28 should be done in a manner that
observes legal measures, honestly and non-fraudulently131.
Article II – 30 states that data processing ought to be based on the objectives needed and not
be in excess, and that when it comes to conservation of data, it ought to be for research and history
purposes that are in line with the law in place132.
The Convention further requires the National Authority body to deal with personal data with
accuracy, transparency, and confidentiality133.
Section V: The rights of the person whose personal data are to be processed
Chapter 1: Right to information
Article II – 42:
The data processing official shall furnish the person whose data are to be processed with the
following information, not later than the time of gathering the said data regardless of the means
and facilities utilized:
1) His/her identity and, where necessary, that of his/her representative;
2) Ultimate purpose for which the data processed will be used;
3) Categories of data involved;
4) Recipient(s) to which the data are likely to be transmitted;
5) The capacity to request to feature no longer in the file;
131 AUCCSC
132 AUCCSC
133 Art. II – 32 of the AUCCSC
6) Existence of the right of access to the data concerning the person and the right to correct
such data;
7) Duration of conservation of the data;
8) Possibility of transfer of the data to third countries134.
Hereinabove are some of the rights of persons whose data is due for processing; thus, if they
are not informed of the same, it will be deemed a violation of their rights. In considering that, it will
be presumed that there has been a violation of Human Rights, not forgetting the unauthorized access
to data135.
The person whose data is undergoing processing can request to have access to the data, contest it,
and request for correction to be made where necessary136.
PART III – PROMOTING CYBERSECURITY AND COMBATING CYBERCRIME
When Part III of the AUCCSC was penned down, the legislators directly put in mind matters
that relate to all sorts of Cybercrimes, inclusive of the subject of discussion herein, which is
computer hacking and/or unauthorized access, and acknowledging the one offered by the
Convention, namely exceed authorized access.
Exceed authorized access, means to access a computer with authorization and to use such access
to obtain or alter information in the computer that the accesser is not entitled to obtain or alter137.
134 Art. II – 42 of the AUCCSC
135 Part III Promoting Cybersecurity and Combating Cybercrime: of the AUCCSC – irrespective of the fact that one is granted the permission to access certain information, thereon he or she exceeds the authority he or she is given, that will automatically be a cybercrime. Hence, violation of Art. II – 42 of the AUCCSC will be regarded to fall under Part III of the AUCCSC.
136 Art. II 43; 44 & 45 of the AUCCSC
137 Art. III – 1 (7) of the AUCCSC
The definition also captures those persons who are granted the authority to deal with
personal data and who happen to act in excess of the authority they are granted. That will also be
equal to unauthorized access of information; however, there will be sieving of what information
will be treated as having been accessed in violation of the laws and that which was within the ambit of the
person's authority and hence will not be utilized against the perpetrator.
The Convention provides for the National Cyber Security Framework, Legislative Measures,
National Cybersecurity System, and National cyber security monitoring structures.138 The chapters are
recommendatory in nature, whereby they stipulate what African Union member States are
required to consider when coming up with policies and structures that will be dealing with issues
of data processing and so forth.
The AUCCSC provides that there is a need for the harmonization of the laws and policies in place,
and furthermore to consider establishing institutions that will take part in data exchange relating to
cyber threats with other nations both within the region and outside the region. The Convention goes
further and provides the names of the same as Computer Emergency Response Team (CERT) or
Computer Security Incident Response Team (CSIRTs).139
The AUCCSC does provide for “Offenses specific to Information and Communication Technologies”;
it is noteworthy that the Convention defines only the types of offences that one can commit140.
Section II of chapter 1 discusses offences related to “attack on Computerized Data”,
introducing terms such as “intercepting or attempting to intercept”; herein the Convention is also
defining offences and giving recommendations to the African Union member States.
138 Art. III of the AUCCSC
139 Art. III – 43 of the AUCCSC
140 Part III of the AUCCSC
AUCCSC provides that: Each Member State of the African Union has to take necessary legislative
measures to ensure that the offenses defined in this Convention attract appropriate punishments
according to domestic legislations141.
The aforementioned Article states that States will provide for the punishment to be
discharged against any persons (natural and artificial persons) who offend the laws in place.
141 Art. III – 46 of the AUCCSC
3.3 South Africa
As the name suggests, South Africa is a country located in the southern part of the continent of Africa.
Being among the countries that are developed in Africa, it is to the State's advantage to have
embraced technology and other technological factors; hence, it is facing the cons that come
along with the technology. Herein it will be prudent to stick to the theme of discussion (computer
hacking and its incidental factors) so as to come up with a requisite conclusion of what is amiss
and what to applaud.
South Africa has a number of statutes that address matters that relate to cybercrime; hereunder
the statutes will be perused and the relevant factors relating to the subject matter elicited.
3.3.1 Electronic Communications and Transaction Act
Prior to the birth and maturity of the Electronic Communications and Transaction Act (hereinafter
referred to as ECT), there existed a statute that was brought into place to curb the flaws that
existed before the State recognised new criminal activities and the admissibility of certain categories of
evidence. However, the statute was ill prepared; hence it was not prudent to utilize it142.
The Computer Evidence Act No. 57 of 1983 was legislated after the ruling in Narlis v. South
African Bank of Athens143, which held that a computer printout was inadmissible in terms of the Civil
Procedure and Evidence Act 25 of 1965. It was also held that a computer is not a person144.
This was a positivistic view given to the laws that were in existence. This led to the birth of the
Computer Evidence Act of 1983, which was not ill prepared as it did quell what it was initiated
142 Snail, S., ‘Cyber Crime in South Africa – Hacking, cracking, and other unlawful online activities’, 2009(1) Journal of Information, Law & Technology (JILT), <http://go.warwick.ac.uk/jilt/2009_1/snail>
143 [1976] (2) SA 573 (A)
144 Narlis v South Africa bank of Athens [1976] (2) SA 573 (A)
for. The Computer Evidence Act seemed to make more provision for civil matters than criminal
ones. It created substantial doubts and failed the mark for complementing existing statutes and
expansion of common principles.145
For these reasons, the ECT Act was introduced as a way to address the requisite matters that the
law in place had not addressed. Hereunder is the discussion of the ECT Act.
The ECT Act provides the demarcation to observe while interpreting it; verbatim,
it provides as follows:
This Act must not be interpreted so as to exclude any statutory law or the common law
from being applied to, recognising or accommodating electronic transactions, data
messages or any other matter provided for in this Act146.
This allows the Hybrid State to elicit principles from the Common Law; hence, this will help curb
the lacuna that may exist in the statute.
Under the ECT Act, the handling of critical databases ought to observe the law; if
the same is not considered, it will lead to the violation of the laws in place, unauthorized access of
information being one of the factors, Sec 55 (1) (b).
Chapter XIII of the ECT begins by defining the term “access”; hereunder the definition is
provided verbatim:
145 Kufa, M (2008), ‘Cybersurfing without boundaries’, De Rebus, December, 20
146 Sec. 3 of the ECT Act of South Africa
"[A]ccess" includes the actions of a person who, after taking note of any data (own
emphasis), becomes aware of the fact that he or she is not authorised to access that data
and continues to access that data147.
Some hackers do not have knowledge of the data in the system; nevertheless, they may be
contended to access the data after effecting an unauthorized access into given data. As much as the
definition seems to be incapacitated, it does not bar the conviction of the violators of the law. This
is concerning Sec. 3 of the ECT Act.
“Unauthorised access to, interception of or interference with data” is the title of Sec. 86 of the
ECT Act. This is about hacking and/or unauthorized access to data, information, and technological
information. Hence, the Act vividly outlines computer hacking and other incidental
cybercrimes, most of which cannot exist prior to effecting computer hacking or unauthorized access
of information.
Subject to the Interception and Monitoring Prohibition Act, 1992 (Act No. 127 of 1993).
A person who intentionally accesses or intercepts any data without authority or permission
to do so is guilty of an offence.
A person who utilizes any device or computer program mentioned in the subsection (3) in
order to unlawfully overcome security measures designed to protect such data or access
thereto, is guilty of an offence148.
147 Sec. 85 of the ECT Act of the South African Laws
148 Sec. 86 (1) & (4) of the ECT Act of the laws of South Africa
The first quote from the ECT introduces a new Act that introduces a new concept apart from
that of “access”, the term being interception of data. The interception of data without ‘authority or
permission’ renders the act an offence; hence one will be held liable.
In acknowledging the existence of tools, software or computer programs that can be utilized
to effect these cybercrimes, the Act provides that if any person so utilizes the aforementioned,
the perpetrator will be liable.
A person who helps to effect a crime under Sec. 86 and 87 of the ECT Act will be held liable
wholly.149
However, there are many concerns as to how the Act's surcharges are stipulated. The surcharges lack
the deterrent factor, as they are lenient, whereby the National Prosecuting Authority Act,
No. 32 of 1998 offers a maximum of 25 years in prison or a fine or both150, while the ECT offers
a term not exceeding 5 years.151
3.3.2 Promotion of Access to Information Act
In general, the Promotion of Access to Information Act (hereinafter referred to as PROATIA) is designed
in such a way as to balance the information to which access will be denied and the conditions under which
such information will be regarded as having been accessed contrary to the laws in place152.
The PROATIA does not specifically provide for the term hacking; however, it regulates access
to information, considering the technological factors in society. Thus, some imperative
149 Sec. 88 of the ECT Act of the laws of South Africa
150 Sec. 40A (1) (d) of the National Prosecuting Authority Act, No. 32 of 1998 of the laws of South Africa
151 JACQUELINE F. CYBER CRIME IN SOUTH AFRICA: INVESTIGATING AND PROSECUTING CYBER CRIME AND THE BENEFITS OF PUBLIC-PRIVATE PARTNERSHIPS (Pricewaterhousecoopers, 2009)
152 Snail, S., ‘Cyber Crime in South Africa – Hacking, cracking, and other unlawful online activities’, 2009(1) Journal of Information, Law & Technology (JILT), <http://go.warwick.ac.uk/jilt/2009_1/snail> (Accessed on 6th of June 2014)
information can fall under “information technology”; hence, hacking can be effected. Nevertheless,
the whole Act delves into restricted information, authorized access and exceeding authorized access.
3.3.3 Interception and Monitoring Prohibition Act
The requisite provisions of the Interception and Monitoring Prohibition Act (hereinafter referred
to as IMP Act) address matters relating to the interception of communication. The Act's stipulations
criminalize the act of interception of data or any conversation et al.; however, the
same is not absolute.
The IMP Act stipulates as follows regarding the prohibition of interception of communication:
Prohibition of interception and monitoring; (1) no person shall
(a) intentionally and without the knowledge (own emphasis) or permission of the
dispatcher intercept a communication which has been or is being or is intended to be
transmitted by telephone or in any other manner over a telecommunications line; or
(b) intentionally monitor a conversation by means of a monitoring device so as to gather
confidential information concerning any person, body or organization153.
Clinging to the diction utilized under (a) of the quote hereinabove, it displays the notion that the
law is not concerned with the intent. It is of strict liability; thus it does not require proof of Mens
Rea154.
Under (b), it quashes the use of monitoring devices to intercept conversations et al.
153 Sec. 2 of the IMP Act of South Africa
154 If the statute requires Mens Rea to be established, this will be asking for the “intents or intentions” of the offender. However, in the case herein above, the law does not need to know the intentions; all it is concerned with is the act.
The IMP Act provides that interception is not absolutely regarded as a crime; this is because
there are exceptions to that general rule.
(2) Notwithstanding the provisions of subsection (1) or anything to the contrary in any
other law contained, a judge may direct that-
(a) a particular postal article or a particular communication which has been or is being or
is intended to be transmitted by telephone or in any other manner over a
telecommunications line be intercepted;
(b) all postal articles to or from a person, body or organization or all communications which
have been or are being or are intended to be transmitted by telephone or in any other manner
over a telecommunications line, to or from a person, body or organization be intercepted;
or
(c) conversations by or with a person, body or organization, whether a telecommunications
line is being used in conducting those conversations or not, be monitored in any manner
by means of a monitoring device155.
Part (2) of section 2 of the IMP Act is utilized to give the go-ahead for
interception to be undertaken. However, the interception ought to be in line with the laws in place.
It therefore requires consent from the judge to effect the interception.
In R v. Secretary of State for Home Department, ex parte Ruddock and others156, it was held that the State
should not utilize the rights it has been given so as to offend other rights of its citizens in the
constitution. Thus, there is a need for the procedure to be followed substantively prior to effecting
155 Part (2); Section 2 of the IMP Act
156 [1987] 2 ALL ER 516
rights appended to the Government. This is due to the fact that if the same is not observed, there
will be violation of the Right to Privacy157.
3.3.4 Regulation of Interception of Communications and Provision of Communication
Related Information Act
The Regulation of Interception of Communications and Provision of Communication Related
Information Act (hereinafter referred to as RICPCRIA) defines Interception as:
Intercept means the aural or other acquisition of the contents of any communication
through the use of any means, including an interception device, so as to make some or all
of the contents of a communication available to a person other than the sender or recipient
or intended recipient of that communication, and includes the –
(a) monitoring of any such communication by means of a monitoring device;
(b) viewing, examination or inspection of the contents of any indirect communication; and
(c) diversion of any indirect communication from its intended destination to any other
destination158.
This Act delves much deeper into matters concerning interception of data, and under what
circumstances a warrant for search can be issued. The Act addresses revocation of licenses
where the institutions that have been trusted with certain matters such as communication end up
violating the laws in place.
RICPCRIA provides as follows:
157 R v. Secretary of State for Home Department, ex parte Ruddock and others [1987] 2 ALL ER 516
158 Sec. 1 “Definition of Terms” of the RICPCRIA
Notwithstanding any other law, a telecommunication service provider must –
(a) provide a telecommunication service which has the capability to be intercepted
(own emphasis); and
(b) store communication-related information159.
Ostensibly, for security purposes the State may require to have some communication tapped or
intercepted; this is the sole reason for the existence of this section. Part (b) of the same Section
helps with evidential matters.
Matters of interception as provided under Section 30 of the RICPCRIA must be read in line with
Section 45 and 46 of the RICPCRIA. This is concerning the facilities that are to be utilized for
purposes of interception of communication.
Generally, interception is a violation of laws, as it is equal to cell phone tapping or wiring or
hacking. Concerning matters of “interception”, which is a polite term for hacking, the RICPCRIA is
much stricter on applicability of the laws in place.
Unlawful interception of communication as per RICPCRIA:
(1) Any person who intentionally intercepts or attempts to intercept, or authorises or
procures any other person to intercept or attempt to intercept, at any place in the Republic,
any communication in the course of its occurrence or transmission, is guilty of an offence.
(2) Subsection (1) does not apply to the –
(a) interception of a communication as contemplated in sections 3, 4, 5, 6, 7, 8 and 9; or
159 Sec. 30 (1) of the RICPCRIA
(b) monitoring of a signal or radio frequency spectrum as contemplated in sections 10 and
11160.
Section 49 explicitly addresses issues of intercepting without authority; it goes further to state
activities that do not fall within the ambit of unauthorized interception, as per (2) of Section 49
of the RICPCRIA.
160 Sec. 49 of the RICPCRIA
3.4 Nigeria
A computer crime as well as cyber survey conducted recently indicated that Nigeria is the
most internet fraudulent country in Africa. Besides, the same report further stated that the
giant of Africa is ranked third among others identified with cyber fraud and computer crime
in the world161.
Nigeria is a country located in the Western part of Africa, well known for having large oil
reserves. The aforementioned State happens to suffer from a high number of cybercrimes of
different types; hence, it will be prudent to consider Nigeria due to the hypothetical fact that it
is known for high rates of commission of cybercrimes. Hence, the State has to take a major step to
try to curb the atrocities that its citizens suffer from due to cybercrime and how other persons in
different jurisdictions are affected; thus, when a claim is raised over matters of forum, it will be
easy to solve.
3.4.1 The Nigerian Criminal Code Act, 1990
The Act, under Section 418 of Chapter 38, begins by giving a wide definition of “representation”,
which states as follows:
Any representation made by words, writing, or conduct, of a matter of fact, either past or
present, which representation is false in fact, and which the person making it knows to be
false or does not believe to be true, is a false pretence162.
161 Computing: Nigeria Ranked third In The World for Cyber-crime, says Survey; Issue no 302 <www.balancingact-africa.com/news/en/issue-no-302/computing/nigeria-ranked-thrid/en> (Accessed on 2nd of June 2014)
162 Sec. 418 of the Nigeria Criminal Act, 1990
The definition herein can be termed as incorporating only matters of fraud and/or swindles;
however, when considering the mode in which web pages are displayed, they can give false
representations. With false impressions such as the most acknowledged one, that of “winning lottery online”,
one is swayed, and thereon he or she puts in his or her credit card information, which can or will
be used to hack into one's bank account and elicit money.
Nigeria Penal Code has been quoted using a term known as “419 scam163”. The term is regarded
to have a nexus to the Nigeria Criminal Code Act, of 1990, which states as follows:
Any person who by any false pretence, and with intent to defraud, obtains from any
other person anything capable of being stolen, or induces any other person to deliver
to any person anything capable of being stolen (own emphasis), is guilty of a felony,
and is liable to imprisonment for three years164.
If the thing is of the value of one thousand naira or upwards, he is liable to imprisonment
for seven years.
It is immaterial that the thing is obtained or its delivery is induced through the
medium of a contract induced by the false pretence (own emphasis)165.
The offender cannot be arrested without warrant unless found committing the offence.
The eye-catching statement is placed in bold, whereby the ideology of “…any false
pretence….anything capable of being stolen…” is very relevant when delving into
matters of hacking or unauthorized access and/or exceeding authorized authority. If by any chance, a
163 Chawki, M. Nigeria Tackles Advanced Fee Fraud <www2.warwick.ac.uk/fac/soc/law/elj/jilt/2009_1/chawki/> (Accessed on 2nd of June 2014)
164 Section 419 of Nigeria Criminal Code Act, 1990
165 Sec. 419 of the Nigeria Criminal Act, 1990
person does exceed authorized authority, the person can end up eliciting relevant information or
utilizing a given medium in a way that will negatively affect the concerned person.
Example:
In the event that a person is only allowed to access an institution's email address for purposes of
confirming if an anticipated email has been sent, and thereon the perpetrator does not revert
to the person who sent the perpetrator, but rather corresponds with the concerned
person and thereon strikes a deal with the concerned person, this will fall under the
definition of crimes under Section 419 of the Nigerian Criminal Act.
Hacking into a given system or email address and then corresponding with someone, who
assumes he or she is addressing the owner of a given private key infrastructure, will
also be a crime under the same section of the Nigerian Criminal Act, of the year 1990.
It also invalidates the defence that it was a contract, as the same contract will defeat relevant
Contractual principles such as Legality, Consent et al.
3.4.2 Economic Financial Crime Commission Act
As the name of the Act itself provides, it is evident that it gives birth to provisions that deal with
matters relating to Economic and Financial Crimes in the Nigerian territory. Under its provisions,
Part II of the aforementioned Act stipulates as follows:
(b). the investigation of all financial crimes including advance fee fraud, money laundering,
counterfeiting, illegal charge transfers, futures market fraud (own emphasis), fraudulent
encashment of negotiable instruments, computer credit card fraud (own emphasis),
contract scam, etc. (own emphasis);
… … …
(g). the facilitation of rapid exchange of scientific and technical information and the
conduct of joint operations geared towards the eradication of economic and financial
crimes166;
Under (b), the Act portrays itself as being futuristic in nature; thus, it will not be confined
to its diction but will extend to other economic or financial crimes that will emanate in future.
There is also a clear mention of “computer credit card fraud”. These crimes are prevalent at the
moment; hence, it is worth noting that the same is addressed by Nigeria. As much as it is not in
detail, it is a major step towards controlling cybercrimes.
The use of “etc.” is also in relation to “futures market fraud”; thus, the Act opens the door for a
claimant in any given situation to persuade the judicial system in Nigeria to incorporate any new
viable term so as to domesticate the law under precedent. Even though to some extent it will lead
to the elusiveness of the section, it will help curb the loopholes that cybercrime perpetrators might
wish to utilize.
Paragraph (g)167 provides for cooperation. This is necessary as cyberspace is owned by no State;
hence, no State can claim jurisdiction. The exchange of information is quite necessary because
there will be an exchange of cybercrime data by States in a move to curb the same.
3.4.3 Advanced Fee Fraud and Related Offences Act, 2006
166 Sec. 6 (b) & (g) of the Economic Financial Crime Commission Act
167 Sec. 6 (g) of the Economic Crimes Commission Act
This Act is majorly dedicated to addressing the issue of cybercrimes in Nigeria; it manifests
this by utilizing the term “false pretences”, which is defined widely so as to leave no
loophole.
The Advanced Fee Fraud and Related Offences Act of 2006 provides provisions relating to
“obtaining property by false pretences, etc.”168 and, under the same Act, Section 4 affords the
term “Fraudulent Invitation”169.
The diction of the Nigerian legislation, and its heavy use of the term “fraudulent”, is not
surprising given the survey stated herein about Nigeria. It is noteworthy
that Nigeria is well known for scammers, hence the name “Scam 419”.
Unlike the other cybercrimes (traditional crimes) stated herein, which take effect after hacking and/or
unauthorized access to information, an electronic gadget and/or a server, scammers tend to solicit
information through websites; the information is then utilized to hack or make unauthorized
access into one’s information170.
3.4.4 Directive C/DIR. 1/08/11 on Fighting Cybercrime within ECOWAS
The Directive C/DIR. 1/08/11 on Fighting Cybercrime (hereinafter the Directive) was
conceptualized to address the issue of cybercrime within the member States of the Economic
Community of West African States. The eleven-page document acknowledges the new forms of
crime and also the traditional crimes finding a hospitable environment in cyberspace.
168 Sec. 1 of the Advanced Fee Fraud and Related Offences Act of 2006
169 Advanced Fee Fraud and Related Offences Act of 2006
170 Carter, E. Examining Cybercrime: Its Forms and Its Perpetrators (National University of Internal Affairs in Kiev, 2002)
The Directive does take cognizance of computer hacking and its incidental crimes; the
incidental crimes will not be stated herein as they are not the major subject of discussion. However,
by way of enlightenment, most of the traditional crimes or crimes incidental to hacking,
unauthorized access and/or exceeding authorized authority take effect after the hacking,
unauthorized access and/or exceeding of authorized authority.
Objective: The objective of this Directive is to adapt the substantive criminal law and the criminal
procedure of ECOWAS member States to address the cybercrime phenomenon.171
Scope: This Directive shall be applicable to all cyber-crime related offences within the ECOWAS
sub-region as well as to all criminal offences whose detection shall require electronic evidence.172
The latter acknowledges the need for substantive criminal laws that delve into cybercrimes, while the
former invites the need to delve into matters of electronic evidence. The two are imperative
to the extent that giving definitive provisions as to the technological crimes, and also giving
surcharges that are of equivalent measure, will help deal with the crime. The former is
highly requisite to matters of authenticity of electronic evidence, as such evidence is prone to
alteration or modification of whatsoever nature after hacking or unauthorized access of information.
Articles 4, 6 & 8 of the Directive address matters of hacking or unauthorized access to
information and/or an electronic gadget or server et al. The hacking concept is divided into:
Article 4: Fraudulent access to computer system;
Article 6: Interfering with operation of a computer system; and
171 Article 2 of the Directive C/DIR. 1/08/11 on Fighting Cybercrime within ECOWAS
172 Article 3 of the Directive C/DIR. 1/08/11 on Fighting Cybercrime within ECOWAS
Article 8: fraudulent interception of computer data173.
The aforementioned Directive highlights persons who obtain equipment to commit an
offence as follows:
Obtaining equipment to commit an offence is the act by which a person knowingly without
any legitimate reasons produces, sells, imports, possess, distributes, offers, transfers or
makes available equipment, computer programmes, or any device or data, any password,
access code or similar computer data by which they commit any offence as stipulated in
this Directive174.
This Article tends to capture the persons who instigate the commission of cybercrimes. It
addresses the fact that some people lack the technical know-how to programme a system,
so the task is simplified for them by offering them an opportunity to commit cybercrimes by use of
given systems, software and/or notes.
The Directive takes cognizance that cybercriminals might link up in how
they effect their activities on victims; hence it provides as follows:
Participation in an association or arrangement to commit computer offences
Participation in an association or arrangement to commit computer offences is the act by
which the person participates in an association that is formed or an arrangement that is
established for the purpose of preparing or committing one or several of the offences
described in this Directive175.
173 Directive C/DIR. 1/08/11 on Fighting Cybercrime within ECOWAS
174 Article 14 of the Directive C/DIR. 1/08/11 on Fighting Cybercrime within ECOWAS
175 Article 15 of the Directive C/DIR. 1/08/11 on Fighting Cybercrime within ECOWAS
4.0 CHAPTER 4
4.1 States outside The African Region have framed their Laws vis-à-vis Cybercrime:
Unauthorized Access of Information
Law is not an element but a compound; hence it is composed of many factors. It is an invalid
ideology to state that law emerges from nowhere to address given social, economic and/or
political factors; law acts as an applauding, regulatory and/or prohibitive instrument. Laws
emanate for the sole reason of addressing the aforementioned factors that originate in society.176
Hence, in this paper, it would be a poorly nurtured concept to state that Kenya is the first country to
be faced with cybercrimes; it is wise to acknowledge that even our predecessors have undergone
and are still undergoing the processes of addressing matters relating to cybercrime. Thus, we can
learn various requisite issues from them.
Regarding the previous chapters, it has been noted that authors addressing IT, law and IT, countries
and the AU happen to have domesticated different definitions of what entails cybercrimes177.
Each State affords its own terms on what cybercrimes are, so as to make the statute capture a
lot of crimes falling under cybercrime. This helps a State to have jurisdiction over cybercrimes that
fall within a State’s/Court’s jurisdiction and those that fall outside the State’s jurisdiction but where the
acts complained of emanate from or have an impact in that given forum.178
176 International Covenant on Civil and Political Rights; See also, International Covenant on Economic, Social and Cultural Rights; See also, Talwant S. Cyber Law & Information Technology 2011 <www.slideshare.net/talwant/cyber-law-information-technology> (Accessed on 21st of June 2014)
177 The definition is with regards to Kenya, SA, Nigeria, AUCCSC,
178 Rosenblatt, B. Principles of Jurisdiction <www.cyber.law.harvard.edu/property99/domain/Betsy.html> (Accessed on 28th of June 2014)
It is noteworthy that most of the principles and laws that are being utilized to address cybercrimes
have originated from some of the developed nations, and other developing nations have taken
the lead in addressing the same matters. For instance, in 1945 the USA had already made principles
that can be utilized to establish personal jurisdiction.179
Hereunder, focus will be given to India and the USA. It should be noted that not all the statutes will
be elicited and/or mentioned; however, much credit will be given to relevant sections of the statutes,
inviting relevant precedents that have been decided upon by the relevant Courts in
each of the aforementioned jurisdictions.
179 International Shoe Co. v Washington [1945] 326 US 310: As the facts of the case are attached to matters of taxation, the principles in it have been of value of addressing matters relating to Personal Jurisdiction; See also, Rosenblatt, B. Principles of Jurisdiction (supra).
4.2 The Republic of India
As transactions were also effected in the virtual world, and due to the effects of the World
Wide Web and the development of technology, the Indian jurisdiction had to find a place
to accommodate the same. Owing to the fact that technological inventions sweep society
irrespective of whether there are laws or not, and that under no circumstance will society have the
opportunity to stop the technological wave, the Information Technology Act was established,
seeking inspiration from the United Nations Commission on International Trade Law
(UNCITRAL). The IT Act 2000 is regarded to have amended the Indian Penal Code (IPC) by
introducing the term “electronic” to all relevant Sections of the IPC.180
4.2.1 Information Technology Act
The Information Technology Act of 2000181 is regarded as the mother of all cyber-laws and computer
related matters in India182. It is noteworthy that the ITA was amended by the ITAA
in the year 2008. The ITA addresses a number of factors, including e-commerce, advocating for IT
oriented fields and preventing cybercrimes. However, the initial Act did not address all the relevant
matters or keep up with the changing of times; hence there were other factors the ITA had not
featured that needed to be incorporated in it. Consequently, the ITAA introduced new definitions, which
acknowledged e-signatures et al.183
The ITA 2008 states as follows:
180 <www.iibf.org.in/Cyber-Laws-chapter-in-Legal-Aspects-Book.pdf> (Accessed on 29th September 2013)
181 The Information Technology Act of 2000, will herein after be addressed as ITA, while the Information Technology Amendment Act of 2008, will herein after be referred as ITAA or ITA 2008.
182 Duggal, P. <www.coe.int/t/dghl/cooperation/economiccrime/cybercrime/Documents/Reports-Presentations/Octopus2011/Update_sessin_pavan_duggal.pdf> (Accessed 7th of December 2013)
183 Rouse, M. ITAA (IT Act 2008) – 2010 <www.searchsecurity.techtarget.in/definition/Information-Technology-Amendment-Act-2008> (Accessed on 28th of June 2014)
"Cyber Security" means protecting information, equipment, devices, computer,
computer resource, communication device and information stored therein from
unauthorized access (own emphasis), use, disclosure, disruption, modification or
destruction.184
While incorporating what entails cyber security, the Act acknowledges the existence of
“unauthorized access” of information, equipment devices, computer, computer resource,
communication device and information stored therein.
Precisely, the Act does not confine itself to access to information as the only cybercrime, but
also covers the equipment, devices, computer, computer resource and communication device. This means
that irrespective of one not eliciting the information in one or all of the aforementioned, the
perpetrator will be held liable and charged as per the provisions of the ITA – 2008.
The ITA – 2008 affords ample and wide terms under which the Central Government or a State
Government, or any of its officers specially authorized by the Central Government or the State
Government, may effect interception, monitoring or decryption of data and/or communications for
reasons that are in the interest of the State, defence of the State, friendly foreign relations et al.185
The diction appended in the statute is equivocal; the matter will be decided upon on a case-by-case
basis.186
Pavan Duggal:
184 Sec. 2 (1) (nb) of the ITA 2008
185 Sec. 69 (1) of the ITA 2008
186 ITA 2008 (supra)
The Act has provided Indian Government with the power of surveillance, monitoring187
and blocking188 data traffic. The new powers under the amendment act tend to give Indian
Government a texture and color of being a surveillance state.189
If so, the Government of India is in a position where it will violate human rights, specifically
the rights to privacy, dignity and freedom of information.
For purposes of curbing matters relating to cybercrimes, the ITA – 2008 provides for the
establishment of an institution that will deal with cybercrimes and any matter that relates to
cybercrimes.190 The facility is charged with the following duties:
(a) collection, analysis and dissemination of information on cyber incidents
(b) forecast and alerts of cyber security incidents
(c) emergency measures for handling cyber security incidents
(d) Coordination of cyber incidents response activities
(e) issue guidelines, advisories, vulnerability notes and white papers relating to information
security practices, procedures, prevention, response and reporting of cyber incidents
(f) such other functions relating to cyber security as may be prescribed.191
Going by the phraseology penned under the ITAA, CERT-In, the institution and other
persons will have to observe matters of confidentiality and privacy.192 If a person is dealing with
187 Sec. 69B of the ITA 2008
188 Sec. 69A of the ITA 2008
189 Rouse, M. ITAA (IT Act 2008) – 2010 <www.searchsecurity.techtarget.in/definition/Information-Technology-Amendment-Act-2008> (Accessed on 28th of June 2014)
190 Indian Computer Emergency Response Team (CERT - In): Sec. 70B ITA 2008
191 Sec. 70B (4) of the ITA 2008
192 Sec. 72 of the ITA 2008
the personal information, he or she must observe Sec. 72 of the ITAA. If one defeats the writings
of the aforementioned Act, the person or persons will be held liable for an offence.
With regards to matters of e-signatures, the legislators acknowledged the fact that one can tamper
with a given system and thereon have the opportunity to alter the e-signature, thus placing a
signature where it does not exist.193
The Protected System194 will only be accessed with authorization, effected by a Gazette Notice.
Where one purports to secure such access or secures access to a Protected System, he or she
will be charged with an offence as provided by the Act. However, some analysts of the ITAA have
concluded that it is lenient in the surcharge it offers, making it lack a deterrent element.195
4.2.2 The Evidence Act
The Evidence Act is a requisite legal instrument to delve into, for the sole reason that it
gives the procedures and the type of evidence that can be adduced before the Honourable Court for
purposes of supporting or diminishing the arguments brought forward by the adversaries in a given
case.
Authenticity of documents has been addressed by the ITA 2008196; however, the Evidence
Act ought to establish the same principles. This is to help avoid admission of evidence that falls
below the expectations of the Courts or the prudent laws that are in place to secure justice. For
193 Sec. 74 of the ITA 2008
194 Sec. 70 of the ITA 2008
195 Rouse, M. ITAA (IT Act 2008) – 2010 (supra)
196 Part II – Sec. 3 of the ITA – 2008: By having digital signature and electronic signature being authenticated, it will ascertain the validity of a given document, this will be in line with ascertaining that the contents of the documents are true.
instance, matters of e-signatures can be tampered with after one does secure access into an
information store or system or documents that are purported to be of relevance in a given case.
The Evidence Act of India was amended by the ITA – 2000, as initially the Act only based its
view on physical documents; the amendment of the Act invites electronic documents.197
Admissibility of electronic evidence is provided for under Chapter V of the Evidence Act of India.
Any matter relating to proving what entails e-records will be guided by Sec. 65B of the Evidence
Act.198 The Act provides as follows:
Notwithstanding anything contained in this Act, any information contained in an electronic
record which is printed on paper, stored, recorded or copied on optical or electro-magnetic
media produced by a computer (herein referred to as computer output) shall be deemed to
be also a document.199
The amendment under the Evidence Act of India that was made by the introduction of the ITA -
2000 does have the same diction as that incorporated under Part VII – Electronic Records of the
Kenyan Evidence Act, which was amended in the year 2009.
The Indian Evidence Act acknowledges that documents found in virtual form are
admissible before the courts as long as they meet the stipulations under Sec. 65B of the Indian
Evidence Act.
197 <www.iibf.org.in/Cyber-Laws-chapter-in-Legal-Aspects-Book.pdf> (Accessed on 29th September 2013)
198 Sec. 65A of The Indian Evidence Act of India
199 Sec. 65B of the Evidence Act of India
The legal lacuna realized when mentioned under Chapter II of this discussion paper reflects the
same image of what is facing the Indian jurisprudence vis-à-vis the Indian Evidence Act200.
200 Ombo, D. Chapter II: 2.4 The Evidence Act, Cap 80 (Computer Hacking and/or Unauthorized Access: A Critical Analysis Of The Legal Framework In Kenya)
4.3 United States of America
The United States of America is among the developed countries in the world, and has rich
jurisprudence on cybercrime or cyber-law. Florida had legislation addressing cybercrimes in the
year 1978201. Having dealt with cases of cybercrime as early as the 1960s202, the country’s judicial
system stands to have well established principles that guide matters relating to cybercrimes.
However, the matter of concern is that society is utilizing what it lacks ample knowledge
of, making it hard to have cautious persons.203
Cybercrimes tend to take a different twist every time technology changes; thus, as
technology advances, cybercriminals establish new tactics to carry out their criminal
activities. Cybercrime has taken a different lane, because the small groups that used to
execute cybercrimes are now forming major cartels, and the cybercriminal groups tend to utilize IT
gurus to execute the crimes.204
4.3.1 Computer Fraud and Abuse Act
In 1984, Congress hastily drafted and passed the CFAA205. At the time, the Act was widely
criticized as being overly vague and too narrow in scope. In light of these deficiencies,
Congress undertook a more careful study of computer crime and completely revised the
Act in 1986. Since then, the CFAA has been amended eight more times during its relatively
201 Kerr, ‘Cybercrime’s scope’, 1615. For a summary of state computer crime statutes see M. D. Goodman and S. W. Brenner, ‘The emerging consensus on criminal conduct in cyberspace’ (2002) UCLA Journal of Law and Technology 44.
202 LaMance, K. LegalMatch Law Library: Cyber Crime <www.legalmatch.com/law-library-cyber-crime.html> (Accessed on 30th of June 2014)
203 Dr. Carl Sagan, cited in In the Matter of the Application of the United States of America for an Order Authorizing the Installation and Use of a Pen Register and a Trap & Trace Device on E-Mail Account, 416 F Supp 2d 13, 14 (D DC 2006).
204 <www.interpol.int/Crime-areas/Cybercrime/Cybercrime> (Accessed on 23rd of June 2014)
205 Computer Fraud Abuse Act
short lifespan. An appreciation of the Act’s history is necessary to understand the problems
with the current version.206
The Computer Fraud and Abuse Act (hereinafter referred to as the CFAA) has a section
that addresses matters relating to unauthorized access to information.207 The Section is
discussed hereunder as it relates to the topic of discussion of this paper.
Title 18, United States Code, Section 1030(a) (2) provides: Whoever –
(2) intentionally accesses a computer without authorization or exceeds authorized access,
and thereby obtains -
(A) information contained in a financial record of a financial institution, or of a card issuer
as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting
agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15
U.S.C. 1681 et seq.);
(B) information from any department or agency of the United States; or
(C) information from any protected computer208
The definition of unauthorized access, or of exceeding the authority that one has been offered by given
laws or statutes and/or policies, has been penned hereinabove in the previous chapter(s).
However, in a nutshell, it is the event where one accesses information without attaining consent
from the owner or the information trustee, and/or any other information that is regarded as personal
206 Reid, S. Cybercrimes & Misdemeanors: A Reevaluation Of The Computer Fraud And Abuse Act (2003)
207 Accessing a Computer and Obtaining Information: 18 U.S.C. § 1030(a)(2) of the CFAA
208 Marshall J. & Michael W. Prosecuting Computer Crimes Computer Crime and Intellectual Property Section Criminal Division pp 16 – 17; See also, Title 18, United States Code, Section 1030(a)(2) of the CFAA
and/or State confidential information. The access can be physical; however, herein, much focus
is placed on electronic information.
As a way of the CFAA providing what entails “unauthorized access to computer,” the term
“intentionally” is utilized. The term is very imperative, as it helps one to know where the
demarcation of the statute commences and ends.
The concept behind the intent of accessing information only captures the one who violates
the provisions so as to acquire information. In the event a third party accesses the same
information from the person who acquired it contrary to the law, he or
she will not be violating the law.209 However, the law does acknowledge conspiracy to
commit crimes, and also the fact that it is a crime to protect or hide criminals; when it is within one’s
knowledge that a given person is a criminal, that will lead to criminal liability.210
It is after one effects the hacking, unauthorized access and/or exceeding of authorization that
the other criminal activities will follow suit. These include the traditional crimes and ideological
crimes in cyberspace.211
Case Law
209 Role Models America, Inc. v. Jones, 305 F. Supp. 2d 564 (D. Md. 2004)
210 Marshall J. & Michael W. Prosecuting Computer Crimes Computer Crime and Intellectual Property Section Criminal Division
211 Carter, E. Examining Cybercrime: Its Forms and Its Perpetrators (National University of Internal Affairs in Kiev, 2002)
In Reynolds v. Spears212, unlike the principles of Tort law that afford one a defence of having relied
on information offered by a competent person213, the courts rejected the defence that the
defendant had solely relied on the information given by an enforcement officer.
In Williams v. Poulos214 it was held that the defence that one was using the gadget (intercepting gadget) and
disclosing information thereon, believing that all was in good faith and presuming it fell under
the ambit of the statute, could not be upheld by the court.
It has also been held that no defence will be upheld if it relates to good faith vis-à-vis mistake
of law.215
4.3.2 Wiretap Act
Before Title III216 became effective in capturing cybercrimes, that is, electronic communication,
it only addressed matters relating to oral and wire communication. In the year 1986, amendments
were made so as to have the Act accommodate communications falling under the ambit of
electronic communication.217
Intercepting a Communication 18 U.S.C. § 2511(1) (a),218
Except as otherwise specifically provided in this chapter any person who -
212 93 F.3d 428, 435-36 (8th Cir. 1996)
213 Tort law does have the element of ‘duty of care’ this element does not solely require a long term relationship between the parties: Hedley Byrne v Heller [1964] AC 465
214 11 F.3d 271, 285 (1st Cir. 1993)
215 Heggy v. Heggy, 944 F.2d 1537, 1541-42 (10th Cir. 1991)
216 Also known as the Wiretap Act; See also, Marshall J. & Michael W. Prosecuting Computer Crimes Computer Crime and Intellectual Property Section Criminal Division
217 Marshall J. & Michael W. Prosecuting Computer Crimes Computer Crime and Intellectual Property Section Criminal Division
218 Title III
(a) Intentionally intercepts, endeavors to intercept, or procures any other person to
intercept or endeavor to intercept, any wire, oral, or electronic communication
The person will be held liable for a given offence under the same Act.219
With regard to the diction utilized in Title III, it is quite evident that the valuable terms are as follows:
intentionally and interception. The subject matter that is being focused on is “…any wire, oral, or
electronic communication.”
Interception
The Act provides that interception is the aural or other acquisition of the contents of any
wire, electronic, or oral communication through the use of any electronic, mechanical, or
other device.220
Interception leads to infringement of privacy rights; it can also lead to unauthorized access
of information. Precluding the notion of “oral” and sticking to the wire and electronic modes of
communication, one will have to hack into the system, emails, phones and so forth.221
Interception is when communication between users is compromised by a third party222, where the
third party has the advantage of recording or taking note of the conversation between two people;
the main targets can be fixed lines, wireless, emails et al.223 However, it has been noted that the
definition of “intercept” offered by the Wiretap Act is very complex, as
it is short but very wide and has complex terms within it.224
219 Title 18, United States Code, Section 2511 (4) of the Wiretap Act
220 18 U.S.C. § 2510(4) of The Wiretap Act: See also, Marshall J. & Michael W. Prosecuting Computer Crimes Computer Crime and Intellectual Property Section Criminal Division
221 UNITED NATIONS OFFICE ON DRUGS AND CRIME: Vienna “Comprehensive Study On Cybercrime” 2013: See also, Marco, G. Understanding Cybercrime: Phenomena, Challenge and Legal Response <www.itu.int/ITU-D/cyb/cybersecurity/legislation.html> (Accessed on 7th of December 2013)
222 United States v. Turk, 526 F.2d 654, 658 (5th Cir. 1976).
223 Marco, G. Understanding Cybercrime: Phenomena, Challenge and Legal Response <www.itu.int/ITU-D/cyb/cybersecurity/legislation.html> (Accessed on 7th of December 2013)
224 Marshall J. & Michael W. Prosecuting Computer Crimes Computer Crime and Intellectual Property Section Criminal Division pp62
The interceptor will not have a defence that he or she did not listen to or read the conversation. For
the sole reason that the interception is intentional or purposive, the defendant or the interceptor
will be held liable for the offences provided for.225
Marshall J. & Michael W.:
Applying Turk,226 most courts have held that both wire and electronic communications are
“intercepted” within the meaning of Title III only when such communications are acquired
contemporaneously with their transmission. An individual who obtains access to a stored
copy of the communication left behind after the communication reached its destination
does not “intercept” the communication.227
Precisely, it is stated that the communication that can be intercepted is communication that
is taking place contemporaneously. If the information has already been sent and received, and thereafter
stored, and one accesses the information, that does not fall under the ambit of what interception
means.228
However, the term contemporaneous has not been discussed that much by the USA courts.
Regardless of that, American jurisprudence in a recent case has defined interception
as not necessarily being what is ‘contemporaneously with their transmission’.
Marshall J. & Michael W.:
[T]here is no timing requirement in the Wiretap Act, and judges ought not add to statutory
definitions…It stated that acquisition of a stored voice message would fall within the
definition of “interception,” and that under the statute, any acquisition of information using
225 Sanders v. Robert Bosch Corp., 38 F.3d 736, 740 (4th Cir. 1994)
226 United States v. Turk, 526 F.2d 654, 658 (5th Cir. 1976)
227 Marshall J. & Michael W. Prosecuting Computer Crimes Computer Crime and Intellectual Property Section Criminal Division pp63
228 Marshall J. & Michael W. Prosecuting Computer Crimes Computer Crime and Intellectual Property Section Criminal Division pp64
a device is an interception. It was prosecution for a violation of the Wiretap Act through
the interception of e-mail. The court found that the evidence in that case established that
the defendant intercepted e-mail contemporaneous with transmission. Consequently,
despite [that] prosecutors are advised to charge Wiretap Act violations only when the
contemporaneity requirement is present (own emphasis).229
What the courts emphasized was that, irrespective of the fact that there is no timing requirement
or contemporaneous factor of transmission in the Wiretap Act, it will be
prudent to raise claims under the same Act if the claims have an element of contemporaneity.
Intentional
The term intentional is defined as follows:
Marshall J. & Michael W.:
An act is done intentionally if it is done knowingly or purposefully. That is, an act is
intentional if it is the conscious objective of the person to do the act or cause the result. An
act is not intentional if it is the product of inadvertence or mistake. However, the
defendant’s motive is not relevant and the defendant needs not to have intended the precise
results of its conduct or have known its conduct violated the law.230
The intent element needed here is not to be questioned as to whether it was in good faith or bad faith.231 The
matter of mens rea is not applauded to, as the courts went further to simplify the concept by
stating that even he or she who steals food for the family or children, and/or the instances that fall under
229 Marshall J. & Michael W. Prosecuting Computer Crimes Computer Crime and Intellectual Property Section Criminal Division (supra); See also, United States v. Szymuszkiewicz WL 3503506 (7th Cir. 2010)
230 Marshall J. & Michael W. Prosecuting Computer Crimes Computer Crime and Intellectual Property Section Criminal Division pp61
231 United States v. Townsend, 987 F.2d 927 (2d Cir. 1993): The case law further provides that, even if the equipment utilized was attained so as to be utilized in good faith, that will not stand as a defence.
O m b o . D . M a l u m b e P a g e | 88
acts that Robin-hood did, still fall under the purview of a crime, it does not matter the purpose of
why one steals or commits a crime.232
The matter of concern is whether it is within the defendant’s knowledge that the interception is
actually being made, thus “knowingly or purposefully.” If the interception takes place due to
“inadvertence or mistake” the defendant will not be held liable; in such an event it is upon
the defendant to convince the court that the act was out of inadvertence or mistake.233
232 S. Rep. No. 99-541, at 24
233 Based on the principle of proof beyond reasonable doubt.
5.0 CHAPTER 5
5.1 Regional and International Organization on Cybercrime: Unauthorized Access to Information
Under the International bodies, there are many legal instruments that address matters relating to
computer hacking and/or unauthorized access directly and indirectly.
The UNCITRAL Model Laws address matters relating to e-commerce and e-signatures, and also
advocate for States to acknowledge e-documents as falling under the definition of documents. This
was relevant as it helped to catch up with the fact that transactions were increasingly being
effected through the World Wide Web platform.234
In the event a computer or electronic gadget has been hacked into or unauthorized access has been
effected, a number of crimes can follow, both ab initio and after the information has been
attained. These can concern: the Right to Life; the Right to Privacy; the Right to Information; the
Right to Dignity; Freedom of Expression et al. These rights are acknowledged by the Budapest
Convention; AUCCSC; UDHR; ICCPR; ICESCR et al.
5.2 Budapest Convention
Recognising the value of fostering co-operation with the other States parties to this
Convention.235
Holding to and acknowledging the irrebuttable fact that no State can make laws that will administer
the whole of Cyberspace, the Budapest Convention affirms in its Preamble the need for the
harmonization of laws that will address matters relating to cyberspace, and specifically the
prosecution of those who offend against the prudent use of cyberspace.
234 <www.uncitral.org/uncitral/en/uncitral_texts/electronic_commerce.html> (Accessed on 29th of June 2014)
235 Preamble, Budapest Convention
As stated earlier on, the prosecution of a cybercrime in a different forum will need the two States
to have the matter mitigated upon, thus considering the interests of other States, the defendant,
the rule of Natural Justice and the interests of the forum State.236
Despite the thirst of the European Union to have the laws to address cybercrime, the Convention
was not structured in a manner that it will overstep on other provisions or statutes in existence.
The Convention requires that as much as the States take the move to utilize the Budapest
Convention to curb matters relating to cybercrime, they ought to respect and acknowledge the
Fundamental Rights of Human Beings.237
The Convention begins by acknowledging the aspects of Illegal Access and Illegal Interception.238
Illegal access is used to signify hacking into a system, unauthorized access and/or exceeding
authorized access. These are the basic topics in this paper; hence, they will have to be
scrutinized as to their definition and the extent to which they can be used to stall cybercrimes.
Budapest Convention:
Each Party shall adopt such legislative and other measures as may be necessary to establish
as criminal offences under its domestic law, when committed intentionally, the access to
the whole or any part of a computer system without right (own emphasis). A Party may
require (own emphasis) that the offence be committed by infringing security measures,
with the intent (own emphasis) of obtaining computer data or other dishonest intent (own
emphasis), or in relation to a computer system that is connected to another computer
system.239
236 <www.cyber.law.harvard.edu> (supra)
237 Preamble, Budapest Convention
238 Art. 2 & Art. 3 of the Budapest Convention
Without Right: this term is used in the Article to refer to permission. Permission differs from
case to case; it can be given through licenses to operate under certain limits and/or a contract
for a given task. In the event one effects illegal access, this will be in violation of this
statute. The first sentence of the Article is of strict liability: it does not require knowledge
of the intent of the person who wants to, is in the process of, and/or acquires access to the
restricted information; for the sole reason that one purports to access or accesses the restricted
information without the right, the person will be held liable for the offence provided for under
the domestic law.
With intent: When the same Article of the Convention introduces the term “intent,” it goes contrary
to the first sentence of the Article, which requires no “intent.” The second sentence of the
Article requires the mens rea of the alleged violator of the law, and it purports that the intent
is with regard to “obtaining computer data or other dishonest intent.” Precisely, if a person
attains access to a server, computer system or other related electronic gadget, and the person does
not purport to commit any further crime, he or she does not fall under the diction of the second
part of the Article; the person falls under the first sentence of the Article.
When one wishes to interpret Article 2 of the Budapest Convention, it will be prudent to utilize
the Purposive Rule of Interpretation. The purposive rule of interpretation is utilized by the
European Court of Justice when it has the opportunity to interpret a statute.240
239 Art. 2 of the Budapest Convention
240 The Purposive Approach to Statutory Interpretation <www.e-lawresources.co.ke/purposive-approach.php> (Accessed on 29th of June 2014)
Lord Simon:
The first task of a court of construction is to put itself in the shoes of the draftsman – to
consider what knowledge he had and, importantly, what statutory objective he had
and…being thus placed…the court proceeds to ascertain the meaning of the statutory
language.241
Thus, with the two sentences stating two different factors, they acknowledge that hacking and/or
unauthorized access is one cybercrime and that whatever crime follows thereon is a different one,
hence capturing the two offences: one without the need for mens rea, and the other requiring the
element of mens rea to be established.
The fact is that, anyone who procures illegal access, will not be able to evade the jaws of law, as
the Articles are fully equipped to make a conviction with or without intent.
However, even when adhering to the purposive approach of interpretation, the Article raises
a lot of questions as to what is meant by “[a] party may require that the offence be committed by
infringing security measures, with the intent of obtaining computer data or other dishonest intent.”242
UNITED NATIONS OFFICE ON DRUGS AND CRIME:
Offences involving illegal access to computer systems and data differ with respect to
the object of the offence (data, system, or information) (own emphasis), and regarding
the criminalization of ‘mere’ access or the requirement for further intent, such as to cause
loss or damage.243
241 Maunsell v Olins [1975] AC 373; See also, <www.e-lawresources.co.ke> (supra)
242 This means that a perpetrator may offer a defence that he might have lacked the license (right), but had authority from a legal personnel. This will help the perpetrator defeat the “infringing security” & “dishonest intent”; such a defence does not have a standing in the American Jurisprudence: See, Marshall J. & Michael W. Prosecuting Computer Crimes Computer Crime and Intellectual Property Section Criminal Division (supra)
The Convention fails to inform its member States of the degree of crime as regards the object of the offence.
Budapest Convention:
Each Party shall adopt such legislative and other measures as may be necessary to establish
as criminal offences under its domestic law, when committed intentionally (own
emphasis), the interception without right (own emphasis), made by technical means, of
non-public transmissions of computer data (own emphasis) to, from or within a
computer system, including electromagnetic emissions from a computer system carrying
such computer data. A Party may require (own emphasis) that the offence be committed
with dishonest intent (own emphasis), or in relation to a computer system that is connected
to another computer system.244
Article 3 repeats some of the terms of Article 2, and also incorporates a new term,
“intentionally.” The concept of “dishonest intent” should be a secondary factor to the
Convention, such that one cannot argue that he or she did not violate the law for the sole
reason that the person’s acts or omissions do not amount to dishonesty and that, hence, the person
cannot be held liable for having intercepted the communication.
243 UNITED NATIONS OFFICE ON DRUGS AND CRIME: Vienna “Comprehensive Study On Cybercrime” 2013 ppXX
244 Art. 3 of the Budapest Convention
Intentionally: Intent is defined as a purpose or formulated design that is utilized to earn a
certain goal.245 Clinging to the definition offered, the perpetrator must have a conclusive
goal,246 whereby the act did not emanate without him or her having knowledge of the same.
UNITED NATIONS OFFICE ON DRUGS AND CRIME:
The requisite intent for an offence also differs in approaches to criminalization of
interference with computer systems or data. Most countries require the interference to be
intentional, while others include reckless interference. For interference with computer data,
the conduct constituting interference ranges from damaging or deleting, to altering,
suppressing, inputting or transmitting data. Criminalization of illegal interception differs
by virtue of whether the offence is restricted to non-public data transmissions or not,
and concerning whether the crime is restricted to interception ‘by technical means’
(own emphasis). Not all countries criminalize computer misuse tools. For those that
do, differences arise regarding whether the offence covers possession, dissemination,
or use of software (such as malware) and/or computer access codes (such as victim
passwords) (own emphasis). From the perspective of international cooperation, such
differences may have an impact upon findings of dual-criminality between countries.247
The Convention does restrict interception of non-public data by way of technical means. The
Budapest Convention not only addresses tools that might be utilized for interception; it also
prohibits the making available of tools and devices for purposes of committing crimes that fall
under Articles 2 – 5 of the Convention.248
245 Black’s Law Dictionary
246 Irrespective of the fact that the goal of the perpetrator is not attained, it will be a crime as long as the intent is established.
247 UNITED NATIONS OFFICE ON DRUGS AND CRIME: Vienna “Comprehensive Study On Cybercrime” 2013 ppXX
248 Art. 6 of the Budapest Convention
6.0 CHAPTER 6
Herein under, the Conclusion and the Recommendations will echo the initial questions of concern:
the Statement of the Problem, the Objectives of the Research, the Research Questions and the
Justification of the Research. The four named divisions will be related to the research done in
the several Chapters herein above.
6.1 Conclusion
In compiling and analyzing the requisite data that was at disposal during the penning of
this dissertation paper, it is within the knowledge of the author, based on the information
elicited from the laws of Kenya, South Africa, Nigeria, the African Union, the United States of
America, India and the European Union, that every State or Organisation does enjoy the ‘little’
paradise it has.
Kenya as a State is in its crawling stages as regards the laws that address cybercrime. It is worth
appreciating that the laws it has afforded are quite healthy in diction and tend to paint a sensible
colour scheme that will beautify the Jurisprudence of the country. Nevertheless, the laws are
structured to address the Kenyan Jurisdiction, and this defeats the reality on the ground:
Cyberspace does not have any Jurisdiction whatsoever. Hence, the question of concern is: how will
cybercrimes initiated outside the Kenyan jurisdiction be dealt with?
Just like other countries, Kenya has several laws that have an element that goes to the root of
cybercrime: computer hacking and/or unauthorized access. This can lead to a lot of conflicting
interpretation of laws whenever a matter of the same magnitude arises. Such has already been
experienced in South Africa: The Electronic Communication and Transactions Act and The
National Prosecuting Authority Act tend to give a conflicting surcharge on a person found guilty on
matters of computer hacking and/or unauthorized access.
The Kenyan Judiciary is filled with able Magistrates and Judges; however, this does not mean that
they are apt to preside over Cybercrime Offences, as only a handful of advocates and/or
Magistrates or Judges have taken up this topic and are oriented to it as their subject matter of
interest. Without seeming to slight their virtuosity in the legal field, it is valuable to note
that IT and The Law is a peculiar stratum; it has to be given its own Court, with Magistrates or
Judges peculiar to it.
Much is provided on paper, as the country has taken the initiative to have a National CERT –
Ke. However, the focus should be on the capability of that institution to tackle cybercrimes and
investigate them, owing to the high degree of forensic power that is needed: this means having not
only the IT and Law wits but the machinery too, since with the machinery but without the wits in
IT and The Law nothing is operable.
In Kenya, the Data Protection Act is quite sober in addressing the issues pertaining to computer
hacking and/or unauthorized access of information, as the provisions of the law give the
term personal data a wider rostrum. However, the law does not recognise the need to
cooperate with foreign States, although, as has been stated, matters falling under cybercrime tend
to be committed outside the jurisdiction and no State can assume the jurisdiction of cyberspace.
Nevertheless, the same Act does acknowledge the need to play by international practices;
hence, the ideology of cooperation between countries can find its way in via that
‘international practice’ tag.
The Data Protection Act alludes to Unique Identifiers to help certain Organisations in undertaking
their duties. Such initiatives should be strictly monitored: a continuum of communication can lead
to distortion, and the giving away of information to a third party can happen in between. This will
leave no person to blame; hence, the victim will have suffered prejudice.
The Data Protection Act offers feeble punishments, considering the seriousness of
cybercrimes. This makes the law treat cybercrime with callousness; the degree of morality
the law portrays is feeble.
The Evidence Act and The Kenya Information Communication Act, 411A tend to address the
matter of forensics lightly. This means dispensation of justice will not be attained prudently, thus
building a poor legal jurisprudence.
Not much attention is offered to the IT profession with regard to the training of, and the
services expected from, its members. The field is directly linked to IT and The Law, as most
computer hackers and other cybercriminals are IT professionals and, if not, the crime is effected
with the help of IT gurus. Owing to that fact, it is prudent for Kenya to delve into regulating the
Profession and its Professionals.
Without being shy, it will not be a healthy conclusion if it does not take notice of the
division of the Right to Privacy and Information. Kenya is a country that is filled with a lot of
grave topics that ought to be addressed, and this makes persons ignorant of some issues of Privacy
and of Information. The National Intelligence Service of Kenya (herein after NIS-Ke) wishes
to have laws that allow the Organisation access to each and every Kenyan’s personal data
(conversation/s) indiscriminately. Such schemes are very prejudicial: countries such as Germany,
Britain, Netherlands et al. have given in-depth thought to the same, and Germany regarded
laws that ape what the NIS – Ke is requesting to be null and void. As regards that, Justice
Minister Beatrice Ask said the following: “[T]he German ruling showed ‘that we have been right
in that that it concerns sensitive issues that demand very difficult judgments.’”249
It is worth appreciating that the laws have offered some sort of deterrent element as to those who
violate laws that address matters relating to hacking and/or unauthorized access of information.
However, that should not be the end of the element of deterrence, as the courts ought to consider
the value, that is, the monetary value, of the information that has been attained contrary to the
lex in place. Hence, the surcharge should reflect the monetary value of the information.
6.2 Recommendations
Rooting from the research herein above and also clinging to the Conclusion, it is evident that the
Kenyan Laws have no element that shows the urge to acknowledge that cybercrimes can be
committed outside its jurisdiction. The State should come up with laws and/or policies that can help
address this issue. For instance, in International Shoe Co. v Washington (supra), there are
viable principles, as further expounded by Darrel Menthe:
- Personal Jurisdiction: The Personal Jurisdiction does not demand the physical
presence of a person, rather it arises from the Contacts one does make with the given
State or the purported Forum State. The contact can be physical or virtual (use of
networks and/or internet).
- Prudent Minimum Contacts: When one makes any contact with a given foreign State,
the person is bound by the laws of the State. In the event it is an Inconsistent Contact,
the claim raised will be tied to that very act or omission that one commits against the
State, while when it is a Consistent Contact that is Continuous, the defendant will be held
liable for the direct subject matter and also the incidental crimes.
- Forum State: Predominantly, this is the State that assumes jurisdiction when an
offence has been committed against its persons. However, this is not absolute, as
the Rules of Fair Hearing and/or Natural Justice will be applied; having them
applied helps build an international law (through case law) that is sober and can be
adopted by other States, and also helps consider the Status (mostly economic) of
the defendant.
249 Melissa E. & Verena S. Security: German Court Overturns Phone, e-mail data law: 2010 <www.nbcnews.com/id/35672314/ns/technology_and_science-security/t/german-court-overturns-phone-e-mail-data-law/> (Accessed on 23rd day of August, 2014)
Currently, The Constitution of Kenya, 2010; Evidence Act, Cap 80; The Kenya Information and
Communication Act, Cap 411A; The Penal Code, Cap 63; The Finance Act, 2012; and Data
Protection Act, 2013 et al. are requisite laws that address elements that go to the root of the
ramifications of cybercrimes. The laws need to be harmonized, not literally, but such that the
textual context of each complements the other. This will raise a sober jurisprudence within the
Country.
Just as there is a Land Law Court and an Industrial Court, which is to be rebranded as the
Labour Relations Court, there is need to have a peculiar court that will delve into matters of IT
and The Law, more so, cybercrimes. Owing to the fact that IT and The Law tends to touch on other
divisions of law (Tort Law, Contract Law, Evidence Law et al.), it would not be prudent to call
such a Court a “Cybercrime Court”. Having an “IT and The Law Court” will be
more prudent; however, it should not have both the Civil and Criminal Jurisdiction. The
“IT and The Law Court” should have the Criminal Jurisdiction only. Such a Court will not demand
new laws, as the schemes of the Penal Code and Criminal Procedure Code will be viable as long as
the laws are ‘up-to-date’ with the IT and The Law provisions.
Regardless of the fact that Kenya has some laws that can be utilized to prosecute cybercrimes, it
should be noted that that will not stall the committing of cybercrimes. There is need to strengthen
CERT – Ke by having virtuoso persons in the IT and the IT and The Law fields, not forgetting the
need to install the most prudent machinery to monitor and also receive complaints
from the public through emails and calls, and to take note of email-bombers. This will help curb
the rate at which cybercrimes are committed.
As The AUCCSC and The Budapest Convention provide that there is need for cooperation within
States to address the vice, this is by exchanging of information and how prosecutions will be
undertaken, the Kenyan Government should take an initiative and make laws to that effect. This
will help have a sober discussion with other States on matters of Jurisdiction whenever a
cybercrime emanates or there is some intent of committing the same.
A human being is a social creature, and that should be within the knowledge of the law drafters.
Letting a third party assume the duties of a given person in delving into personal data
opens the door to having a person’s privacy (personal data) infringed. Each facility should
have its own Unique Identifiers, or the Government should allow private firms that wish to be
Unique Identifiers and have them strictly adhere to the ethics of Professionalism, inclusive of
the wishes of the Constitution.
The Criminal concept of the Data Protection Act has made it that the surcharge will be five
hundred thousand Kenyan Shillings or a maximum sentence of two years upon conviction. This
is treating the issue of cybercrime with great callousness. Owing to cybercrime being a serious
white-collar crime, the need to advance the deterrence element is prudent. The ECT Act of South
Africa offers the same punishment as the Data Protection Act of Kenya, while the National
Prosecuting Authority Act of South Africa offers a maximum sentence of twenty five years in prison.
The Kenyan legislature should review the sentence offered under the Data Protection Act, since Sec.
349 of the Penal Code also offers a feeble surcharge of three years’ imprisonment on forgery
matters: forgery can be effected after hacking or unauthorized access.
IT and The Law and Forensics are relatives. There is need to acknowledge this in Kenya;
it will be a prudent step towards addressing offences falling under Cybercrime and/or IT and The
Law. Subjects such as e-contracts, e-signatures, mirroring of hard disks and other information
storage facilities et al. will always demand the highest degree of forensics. As opined herein above
in Chapter II under the Evidence Act and The Kenya Information Communication Act of Kenya,
one can hack into a server and/or system and thereon alter the information and, owing to the
fact that the e-signature is not changed, the altered document will be presumed to be the document
on the grounds of the viable signature. Hence, unearthing the initial information will be the
initial step towards attaining the truth that will lead to a reasonable adjudication.
Geoffrey Sampson asserts the need to have the IT Profession and its professionals regulated,
just as Medicine, Architects, Advocates et al. are regulated and their actions and inactions
undergo scrutiny. This will provide room to observe the acts and omissions of the Professionals
and also to have ethical standards to which they will be subordinate. As much as it will not totally
stop cybercrimes, it will help bring sobriety into the IT Profession field, as the IT gurus are the
most likely to commit the crimes and also to generate tools and/or software that can effect the
committing of cybercrimes. Laws should also provide how minor offenders will be dealt with, as the
paper by Edward Carter portrays how minors are taking advantage of their age bracket to commit
cybercrimes because the laws have always been lenient towards them.
There are matters of National Interest which, if they are effected, can be gravely prejudicial
to all the citizenry Rights as provided under The Bill of Rights in The CoK and also other Regional
and International Legal instruments Kenya is party to. The NIS – Ke demands to have access to
all Kenyans’ personal data (conversation/s); its quest is an abuse of the Grund-norm. The need to
wiretap and go through the conversations of Kenyans ought to be objective; hence it must be done
discriminately. If it is indiscriminate there will be laxity of democracy, freedom
of expression, freedom to information et al. Precisely, the political wing of the Government in a
given regime will be curtailing the Fundamental Rights so as to have an environment that suits its
personal interests.
Reflecting the ideology of traditional crimes finding their way into the cyber world, it is worth
noting that hacking and/or unauthorized access of information can be under the same strata. Thus,
the information elicited after hacking and/or unauthorized access could have monetary value, for
instance, when cybercriminals steal information for purposes of gaining pecuniary benefits from
it. This means that the information should be investigated by the courts; by doing so, the
court will know the value of the information prior to giving the sentence or surcharge to the
accused person. Edward Carter states that some American Courts tend to evaluate the value of the
information prior to giving a sentence and/or surcharge.
Reference:
Black’s Law Dictionary
Deans Law Dictionary
Oxford Advanced Learners Dictionary 8th edition
<www.cck.go.ke> (Accessed 16th of June 2014) –as it was then, currently, rebranded to
<www.ca.go.ke>
<www.iibf.org.in/Cyber-Laws-chapter-in-Legal-Aspects-Book.pdf> (Accessed on 29th
September 2013)
<www.interpol.int> (Accessed on 23rd of June 2014)
<www.itwebafrica.com > (Accessed on 22nd of May 2014)
<www.kean.edu > (Accessed on 16th of June 2014)
<www.thelawdictironary.org> (Accessed on 16th of June 2014)
Adam J. ICT Law book: A Source Book For Information and Communication
Technologies & Cyber Law in Tanzania & East African Community (Mkuki na Nyota Publishers
Ltd Dar Es Salaam 2010)
Australian High Tech Crime Centre, Malware: Viruses, worms, Trojan horses, High Tech
Crime Brief no. 10 (AIC, 2006)
Carter, E. Examining Cybercrime: Its Forms and Its Perpetrators (National University of
Internal Affairs in Kiev, 2002)
Case Law
Chawki, M. Nigeria Tackles Advanced Fee Fraud <www2.warwick.ac.uk> (Accessed on
2nd of June 2014)
Chinese Hacking: Impact On The Human Rights and Commercial Rule of Law
<www.gpo.gov/fdsys/pkg/CHRG-113hhrg855/pdf/CHRG-113hhrg81855.pdf> (Accessed on 8th
February 2014)
Clough J. Principles of Cybercrime (Cambridge University Press New York, 2010)
Computing: Nigeria Ranked third In The World for Cyber-crime, says Survey; Issue no
302 <www.balancingact-africa.com/news/en/issue-no-302/computing/nigeria-ranked-thrid/en>
(Accessed on 2nd of June 2014)
Dennis Mbuvi, ‘103 Government of Kenya websites hacked overnight’ [2012] CIO East
Africa <www.cio.co.ke> (Accessed 2nd of November 2013)
Duggal, P.
<www.coe.int/t/dghl/cooperation/economiccrime/cybercrime/Documents/Reports-
Presentations/Octopus2011/Update_sessin_pavan_duggal.pdf> (Accessed 7th of December
2013)
J. N. Geltzer, ‘The new Pirates of the Caribbean: How data havens can provide safe harbors
on the internet beyond Governmental reach’ (2004) Southwestern Journal of Law and Trade in the
Americas
JACQUELINE F. CYBER CRIME IN SOUTH AFRICA: INVESTIGATING AND
PROSECUTING CYBER CRIME AND THE BENEFITS OF PUBLIC-PRIVATE
PARTNERSHIPS (Pricewaterhousecoopers, 2009)
Jae. K, Anique. A & Joel. G International Handbook of Computer Security (Glen-lake
Publishing Company Ltd Chicago USA, 2000)
Jim F. Reuters US ‘Famed Hacker Barnaby jack Dies A Week before hacking Convention’
<www.reuters.com> (Accessed on 8th February 2014)
Joshua G. Data Breaches and Computer Hacking: Liability & Insurance Issue
<www.andersonkill.com/webpdfext/ART_DataBreachesAndComputerHackingLiability.PDF>
(Accessed 9th of February 2014)
Judy Nguta ‘Central bank of Kenya website hacked’ [2013] Standard Digital
<www.standardmedia.co.ke> (Accessed 2nd of November, 2013)
Kerr, ‘Cybercrime’s scope’, 1615. For a summary of state computer crime statutes see M.
D. Goodman and S. W. Brenner, ‘The emerging consensus on criminal conduct in cyberspace’
(2002) UCLA Journal of Law and Technology
Kufa, M (2008), ‘Cybersurfing without boundaries’, De Rebus, December, 20
Legal Instruments
Legal Sociology School of Thought
Liberty 80, <https://www.liberty-human-rights.org.uk> (Accessed on 8th of February
2014)
Marco G. Understanding cybercrime: Phenomena, Challenges and Legal Responses (ITU
Publications 2012)
Marshall J. & Michael W. Prosecuting Computer Crimes Computer Crime and Intellectual
Property Section Criminal Division
Mathew J. InformationWeek: Security//Attacks & Breaches ‘Hackers Hold Australian
medical records Ransom’ <www.informationweek.com> (Accessed on 8th February 2014)
Murungi M, Cyber Law in Kenya “Abstract” (Kluwer Law International 2011)
Nairobi (Xinhua) ‘East Africa states prepare ways to collaborate on ‘cyber’ security’
[2013] Coast Week <www.coastweek.com> (Accessed on 10th November 10, 2013)
Okuttah Mark, ‘80% of Kenyan websites vulnerable to cyber attacks, says report’ [2012]
Business daily Africa <www.businessdailyafrica.com> (Accessed 2nd of November, 2013)
Reed C. Computer Law (7th ed, Oxford Press New York 2012)
Reid, S. Cybercrimes & Misdemeanors: A Reevaluation of The Computer Fraud And
Abuse Act (2003)
Rosenblatt, B. Principles of Jurisdiction <www.cyber.law.harvard.edu> (Accessed on 28th
of June 2014)
Rouse, M. ITAA (IT Act 2008) – 2010 <www.searchsecurity.techtarget.in> (Accessed on
28th of June 2014)
Sampson G. Law of Computing Students (Bookboon, Ventus Publishing ApS 2009)
Secretary of State for the Home Department by Command of Her Majesty. Cyber Crime
Strategy Cm 7842 (2010)
Simnikiwe Mzekandaba, ‘Kenyan businesses face ‘cyber security threat’, says Kaspersky’
[2013] ITWeb Africa <www.itwebafrica.com> (Accessed on 10th November, 2013)
Snail, S., ‘Cyber Crime in South Africa – Hacking, cracking, and other unlawful online
activities’, 2009(1) Journal of Information, Law & Technology (JILT), <http://go.warwick.ac.uk>
Talwant S. CYBER LAW & INFORMATION TECHNOLOGY
<www.delhidistrictcourts.nic.in/ejournals/CYBER%20LAW.pdf> (5th of February 2014)
Tanya L. Medical Devices Vulnerable to Hackers, New Report Says
<www.m.livescience.com> (Accessed 8th February 2014)
Tommy Doc, “First Hacks” ‘The Evolution of hacking’ [2013] ehow <www.ehow.com>
(Accessed on 10th November 10, 2013)
UNITED NATIONS OFFICE ON DRUGS AND CRIME: Vienna “Comprehensive Study
On Cybercrime” 2013
Yatindra J Singh, Cyber Laws (5th ed, Universal Law Publishing Company, 2012)