COMPUTER HACKING AND/OR UNAUTHORIZED ACCESS: A CRITICAL ANALYSIS OF THE LEGAL FRAMEWORK IN KENYA

O m b o . D . M a l u m b e P a g e | i

COMPUTER HACKING AND/OR UNAUTHORIZED ACCESS: A CRITICAL

ANALYSIS OF THE LEGAL FRAMEWORK IN KENYA

BY

OMBO DUNCAN MALUMBE

(BLAW/112/01299)

A RESEARCH PROJECT SUBMITTED TO MOUNT KENYA UNIVERSITY IN

PARTIAL FULFILLMENT FOR THE REQUIREMENT OF THE AWARD OF

BACHELORS DEGREE IN LAW (LLB)

O m b o . D . M a l u m b e P a g e | ii

DECLARATION

I hereby affirm in positive that this research project is my original work and it has never been

forwarded to any facility for whatsoever award and is to partially fulfill the requisite requirement

of the award of Bachelor’s Degree in Law (LLB).

OMBO DUNCAN MALUMBE

REGISTRATION NUMBER: BLAW/112/01299

Signature……………………………………….. Date……………………………………..

Supervisor Approval

I confirm the work reported in the research project was carried out by the candidate under my

supervision.

Ms. Mercy Mutheu

Advocate of the High Court of Kenya

Head of Moot Court at the Mount Kenya University, School of Law

Lecturer at Mount Kenya University, School of Law

Signature………………………………………… Date……………………………………..

O m b o . D . M a l u m b e P a g e | iii

DEDICATION

The social, economic and not shying to mention the biological particles that when consolidated

build me, are deeply rooted to Mr. Radicliffe Lafont Malumbe and Mrs. Anne Mutsami Malumbe.

Being my parents, I have a lot of phrases and phraseology to show my humble and deep

appreciation for making me reach this far and be rich in knowledge, but that will demand a new

rostrum: so I engulf the whole bunch of utterances by saying Thank You. I applaud my siblings:

Ms. Rachel Susan Nyamisi and Master Philip Jackson Mutsami for offering the most suitable

environment for me to undertake my studies. This section will not earn the last full-stop without

acknowledging the prayers they always and still make in my favour, Thank You.

O m b o . D . M a l u m b e P a g e | iv

ACKNOWLEDGEMENT

It is not by my wishes to reach this far, hence, I insist to appreciate the Almighty God for the same.

Herein after, I trace my LLB journey, and thereof, I appreciate the efforts of Dr. Mercy Mutheu

for the ably guidance she has offered me when penning this dissertation paper, I take notice of Dr.

Maurice Awour for helping me to structure the initial stages of this dissertation paper. I extend my

gratitude to one Mr. Michael Murungi for offering documents that greatly helped in my research.

The unprecedented effort by one Attorney Karnika Seth for providing me with the requisite Indian

Laws, so as to execute the research with close knowledge of the Indian Laws.

I appreciate the conducive atmosphere that I was pampered with for the purpose of conducting my

research by the Library officials of the Mount Kenya University, Nairobi Branch.

I am indebted to my active peers, hence I utilize my ink to appreciate: Mr. JB Ong’anya, Mr.

Kipkemoi Sang, Ms. Natasha Juma, Mr. Gachogu Titus, Ms. Joy Chege, Mr. Philip Nyoro, Ms.

Fuad Zainab et al. who kept me abreast with the issues emanating under my subject matter.

May I mention Mrs. Esther Odari, Mr. Kenneth Muhanji for the unrelenting moral guidance they

offered me, and also Mr. Fred Mutsami for the material support.

O m b o . D . M a l u m b e P a g e | v

ABBREVIATIONS

419 scam Nigerian Penal Code

Addl. Additional

App Application

Art. Article

AUCCSC African Union Convention on Confidence and Security in Cyberspace

Cap. Chapter

CERT Computer Emergency Response Team

CFAA Computer Fraud and Abuse Act

CIPIT Center for Intellectual Property and Information Technology

Cir. Circuit

Co. Company

CoK Constitution of Kenya

Crim. Criminal

CSIRT Computer Security Incident Response Team

Distt. District

EA East Africa

EAC East Africa Court

e-book electronic book

ECOWAS Economic Community of West Africa States

ECT Electronic Communication and Transaction Act

Ed. Edition

eKLR electronic Kenya Law Reports

ER England Reports

EU European Union

HC High Court

ICCPR International Covenant on Civil and Political Rights

O m b o . D . M a l u m b e P a g e | vi

ICESCR International Covenant on Economic, Social and Cultural Rights

ICT Information and Communication Technology

IMP Interception and Monitoring Prohibition Act

IPC Indian penal Code

IT Information Technology

ITA Information Technology Act

ITAA Information technology Amendment Act

Ke – CIRT Kenya Computer Incidence Response Team

Ke Kenya

Ltd Limited

NCSMP National Cyber Security Master Plan

NIS – Ke National Intelligence Service of Kenya

Pp page(s)

PROATIA Promotion of Access to Information Act

RICPCRIA The Regulation of Interception of Communications and Provision of

Communication

SA South Africa

Sec. Section

Title III Wiretap Act

UDHR Universal Declaration of Human Rights

UNCITRAL The United Nations Commission on International Trade Law

US / USA United States of America

USC United States Code

O m b o . D . M a l u m b e P a g e | vii

STATUTES

1. The Republic of Kenya

- Constitution of Kenya, 2010

- Evidence Act, Cap 80

- The Kenya Information and Communication Act, Cap 411A

- The Penal Code, Cap 63

- The Finance Act, 2012

- Data Protection Act, 2013

2. The Republic of South Africa

- Electronic Communication and Transaction Act

- Promotion of Access to Information Act

- Interception and Monitoring Prohibition Act

- Regulation of Interception of Communication and Provisions of Communication Related

Information Act

- Computer Evidence Act

- National Prosecuting Authority Act

3. Federal Republic of Nigeria

- Nigeria Criminal Code Act

- Economic financial Crime Commission Act

- Advanced Fee Fraud and related Offences Act

4. The Republic of India

- Information Technology Act, 2008

- Evidence Act

5. United States of America

- Electronic Communication Privacy Act

- Computer Fraud Abuse Act

- Wiretap Act

O m b o . D . M a l u m b e P a g e | viii

REGIONAL AND INTERNATIONAL LEGAL INSTRUMENTS

- The Banjul Charter

- The African Union Convention on Confidence and Security on Cyberspace

- Directive C/DIR. 1/08/11 on Fighting Cybercrime within Economic Community of West

African States

- The Budapest Convention

- Universal Declaration of Human Rights

- The International Convention on Civil and Political Right

- The United Nation Commission on International Trade Law

O m b o . D . M a l u m b e P a g e | ix

CASE LAWS

Alternative Media Limited v Safaricom Limited [2004] eKLR

Apple Inc. v Samsung Electronics Co., Ltd et al C 11-1846 & C 12-0630

Giella v Cassman Brown & Co. Ltd [1973] EA 358

Hedley Byrne v Heller [1964] AC 465

Heggy v. Heggy, 944 F.2d 1537, 1541-42 (10th Cir. 1991)

International Shoe Co. v Washington [1945] 326 US 310

Johnson Joshua Kinyanjui v. Republic [2002] HC Crim App

Nairobi Law Monthly Company Limited v Kenya Electricity Generating Company & 6

Others [2013] eKLR

Narlis v. South African Bank of Athens [1976] (2) SA 573 (A)

R v. Secretary of State for Home Department, ex parte Ruddock and others [1987] 2 ALL

ER 516

Republic v Kipsigei Cosmas Sigei & Another [2004] 19 HC

Reynolds v. Spears 93 F.3d 428, 435-36 (8th Cir. 1996)

Role Models America, Inc. v. Jones, 305 F. Supp. 2d 564 (D. Md. 2004)

Sanders v. Robert Bosch Corp., 38 F.3d 736, 740 (4th Cir. 1994)

United States v. Szymuszkiewicz WL 3503506 (7th Cir. 2010)

United States v. Townsend, 987 F.2d 927 (2d Cir. 1993)

United States v. Turk, 526 F.2d 654, 658 (5th Cir. 1976)

Williams v. Poulos 11 F.3d 271, 285 (1st Cir. 1993)

Ziegler Case

O m b o . D . M a l u m b e P a g e | x

ABSTRACT

Kenya is a State that is appreciating the fruits of technology, this is within the Government,

Commercial Institutions, Organisations and also at the personal level. However, the rose flower

never lacks a thorn, hence, technology has also its own ramifications. In this context, the paper

acknowledges the existence of cybercrimes, more so the ‘mother’ of all the cybercrimes. The term

‘mother’ is utilized to enunciate the fact that, Computer Hacking and/or Unauthorized Access of

Information is the first step that will be done prior other various technological crimes will follow

suit.

Herein, Chapter 1 will solely give a glimpse of what computer hacking and/or unauthorized access

to information is and a bit of its history. The same Chapter will delve on the reasons as to why the

same division is worth to address regards to Kenya, and also have a view of how other Nations

and Organisations tackle cybercrimes.

Chapter 2, does delve into the Kenyan Laws that address matters at hand, this is also including the

legal instruments that have an impact on cybercrimes: computer hacking.

Chapter 3, therein it will be beautified with the legal instruments from African countries, namely:

South Africa and Nigeria, thereon the African Union legal instrument addressing computer

hacking and/or unauthorized access will also be delved into.

Chapter 4 sources legal instruments from States that are found outside the African Continent,

namely: India and United States of America. The Countries are chosen in favour of the author’s

interest, as United States of America has a rich jurisprudence regarding cybercrimes, while India

is a State that Kenya has in most instances borrowed the fruits of its Jurisprudence.

O m b o . D . M a l u m b e P a g e | xi

In Chapter 5 of this paper, concentration will be given to The Budapest Convention, this is a

European Union Convention that gives the prudent standards that each State should make an effort

to meet for purposes of addressing cybercrimes without causing confrontation among member

States and also creating a room to harmonize the laws addressing cybercrimes among members of

the EU.

The last bit of this paper is Chapter 6, the Chapter is inclusive of a Conclusion and

Recommendation. The aforementioned will be given in respect of the research done to give birth

to the initial five Chapters of this paper.

O m b o . D . M a l u m b e P a g e | xii

TABLE OF CONTENTS

TITLE PAGE i

DECLARATION ii

DEDICATION iii

ACKNOWLEDGEMENT iv

ABBREVIATIONS v

STATUTES vii

INTERNATIONAL STATUTES viii

CASE LAWS ix

ABSTRACT x

TABLE OF CONTENTS xi

1.0 CHAPTER 1 1

1.1 Background of the study 1

1.1.1 Introduction 1

1.2 Statement of the problem 5

1.3 Objectives of the research 6

1.4 Research questions 7

1.5 Justification of the study 7

1.6 Literature review 8

1.7 Limitation to the study 12

1.8 Research methodology 13

2.0 CHAPTER 2 14

2.1 The Legal Framework in Kenya that stipulates about Cybercrime vis-à-vis

Computer Hacking and interlinking to Privacy 14

2.1.1. Introduction 15

2.1.2. Constitution of the Republic of Kenya 16

2.1.3. Kenya Information and Communication Act Cap 411A 23

O m b o . D . M a l u m b e P a g e | xiii

2.1.4 The Evidence Act, Cap 80 25

2.1.5 The Penal Code 30

2.1.6 The Finance Act 32

2.1.7 Data Protection Act 33

3.0 CHAPTER 3 38

3.1 Regional Legal Framework Addressing Cybercrime vis-à-vis Unauthorized

Access to Information. 38

3.2 African Union Convention on Confidence and Security in Cyberspace 38

3.3 South Africa 57

3.3.1 Electronic Communications and Transaction Act 57

3.3.2 Promotion of Access to Information Act 60

3.3.3 Interception and Monitoring Prohibition Act 61

3.3.4 Regulation of Interception of Communications and Provision of Communication

Related Information Act 63

3.4 Nigeria 66

3.4.1 The Nigerian Criminal Code Act, 1990 66

3.4.2 Economic Financial Crime Commission Act 68

3.4.3 Advanced Fee Fraud and Related Offences Act, 2006 69

3.4.4 Directive C/DIR. 1/08/11 on Fighting Cybercrime within ECOWAS 70

4.0 CHAPTER 4 73

4.1 States outside The African Region have framed their Laws vis-à-vis

Cybercrime: Unauthorized Access of Information 73

4.2 The Republic of India 75

4.2.1 Information Technology Act 75

4.2.2 The Evidence Act 78

4.3 United States of America 81

4.3.1 Computer Fraud and Abuse Act 81

O m b o . D . M a l u m b e P a g e | xiv

4.3.2 Wiretap Act 84

5.0 CHAPTER 5 89

5.1 Regional and International Organization on Cybercrime: Unauthorized

Access to Information 89

5.2 Budapest Convention 89

6.0 CHAPTER 6 96

6.1 Conclusion 96

6.2 Recommendations 99

REFERENCE 104

O m b o . D . M a l u m b e P a g e | 1

1.0 Chapter 1

1.1 Background of the problem

1.1.1 Introduction

Computer crimes or rather cybercrimes are of different nature. A computer crime, whereby the

computer itself is the target, is regarded as hacking. Computer hacking is and will be utilized herein

after to also refer to unauthorized access of data, information and/or information technology1.

Computer Hacking is not a new term more so to those societies that had the evolution of technology

in their own States. The question that comes into place is when was hacking born. As a recap to

what emanated in the Bell Telephone Company, thus in the year 1878, when a number of teenagers

whom their sex was male, were employed as switchboard controllers. They intentionally through

their acts or omissions did halt and misdirect calls2. Albeit not being regarded as mode of hacking

but it can be one form of undermining the hypothetical pros of technology.

Predominantly, technology has rooted itself into our society and questions always emanate as to

the ameliorating and deteriorating ramifications that transpire while utilizing technology vis-à-vis

computer(s). A few persons when discussing about technology will be inquisitive as to the cons

that come along with computer(s) or computerized gadgets.

1 Clough J. Principles of Cybercrime (Cambridge University Press New York, 2010) pp27 2 Tommy Doc, “First Hacks” ‘The Evolution of hacking’ [2013] ehow <www.ehow.com/info_12080965_evolution-hacking.html> (Accessed on 10th November 10, 2013)


Owing in mind the fact that networking vis-à-vis computers is not engulfed within one jurisdiction,

it leads one to delve into the question as to how matters relating to compromising of computers

can be dealt with. The initial cases of computer hacking were reported in the 1960 and 19683.

The society is dynamic, new significant factors keep emanating and depending on the societal

good perception, they are incorporated in the society gradually, and this is the case in Kenya vis-

à-vis Information Technology. Kenya has seen a great significance of having computers, however

they are not restricted on their utilization. It is imperative to acknowledge the requisite fact that

even states that are developed tend to have unresolvable and/or adjudication that negatively affect

their jurisdictional Statutes.

Regarding the matter of Statutes, The Republic of Kenya has laws but not well structured to deal

with the same matters, hence there is a lacuna that criminals utilize and thus making Kenya

capability of curbing the crimes that come along with technology vis-à-vis computer to be null.

Justice Yatindra Singh:

Inventions, discoveries and technology widen scientific horizons but also pose new

challenges for the legal world. Information Technology has also posed new problems in

jurisprudence. It has shown the inadequacy of law while dealing with it.4

3 In every act or omission there tend to be breach of law no matter how trivial a matter maybe. At some point, some acts or omission may go undetected; hence, those detected are those that will appear in an investigative report. Insofar as the fact that in one whole decade two hacking and/or cracking activities were reported it does not mean it was a frivolous issue at the eyes of the law. 4 Yatindra J Singh, Cyber Laws (5th ed, Universal Law Publishing Company, 2012) 3


On the 17th day of January 2012, one hundred and three (103) of the Government of Kenya

websites were defaced overnight, by an Indonesian hacker5.6

The aforementioned is not the only hacking that has taken place in Kenya, however thus a major

attack that exists in the Kenyan history in relation to hacking and defacing websites. On or about

the 21st day of July 2013, The Central Bank of Kenya’s website was hacked [and was in control of

the cyber-criminals] for almost five hours7. This shows how vulnerable the State’s Website are a

great target, and out of these attacks the question that hypothetical person can ask is, what laws

are in place to curb this matter, having in mind it is a crime committed within or over one State’s

territory/jurisdiction.

Despite calling for legislative measures to be utilized as supervisory instrument over cyber threats

relating to cybercrime of hacking, also the persons must take requisite measures to help curb the

situation.

Mr. William Makatiani:

5 Dennis Mbuvi, ‘103 Government of Kenya websites hacked overnight’ [2012] CIO East Africa <www.cio.co.ke/news/main-stories/103-Governement-of-Kenya-websites-hacked-overnight> (Accessed 2nd of November 2013) 6 Yes! Many persons having malice aforethought might target the Government websites and the Government should not shy away from acknowledging such risks. A hypothetical person will be appalled that 103 websites were brought down in one night and having the knowledge, that Kenya is one of the states advocating for IT, it does show some sort of inadvertence on the Governments’ side. It is noteworthy to ascertain the State does not acknowledge the threats that come along with IT, thus why the State is attacked and having many of its websites shut down for a while. 7 Judy Nguta ‘Central bank of Kenya website hacked’ [2013] Standard Digital <www.standardmedia.co.ke/mobile/?articleID=2000089020&story_title=Central%20Kenya%20website%20hacked/business/> (Accessed 2nd of November, 2013)


Government websites and banking institutions remain the most vulnerable targets, most of

their websites are developed externally, but they rarely do a check on their security settings

or update them.8

The State must come up with a methodology of having each and every person’s gadget meet a

certain standard. However, this is not that effective to every person regarding the economic status,

but institutions should not be spared as they engage in activities that affect public at large in case

of any tampering of information, hence stringent policies and laws should be put in place to meet

our situation.

8 Okuttah Mark, ‘80% of Kenyan websites vulnerable to cyber-attacks, says report’ [2012] Business daily Africa <www.businessdailyafrica.com/Corporate-News/Most-kenyan-websites-can-easily-be hacked- -report/-/539550/1462274/-/105r0rqz/-/index.html> (Accessed 2nd of November, 2013)


1.2 Statement of The problem

Acknowledging the fact that Computer Hacking Laws differ in every State, and the fact that

Computer Hacking ought to be ascertained hence punishments should follow suit, it will be

mandatory and requisite for a State that is facing Cyber Crimes in this matter Hacking, to engrave

Legislative measures to tackle issues of cybercrime. With regards to that, the issue that will be

under the microscope is how The Republic of Kenya tackles with matters relating to computer

hacking, and what Kenya can learn from other States and Organisations within planet earth.

Furthermore, computer hacking is a form of crime that will find its way deep into the society.

Owing to the fact that, technology is introducing new ways of leading life in the whole world,

hence most technological gadgets are utilized by way of commands. This gives a warning on

computer crimes and how evidence of the same can be adduced before Court, owing that Section

65 and Part VII of the Evidence Act, Cap 80 of The Laws of Kenya does not provide a requisite

path to utilize over the same.

With further arguments and reliance to authors who have split the topic of computer hacking, it

will be noteworthy to positively affirm that there is total ambiguity in the Kenyan Jurisdiction in

relation to computer hacking. However, the Kenya Information and Communication Act, Cap

411A and Data Protection Act of 2013 does give a glimpse on what computer hacking

(unauthorized access to information) is, but this does not mean that the law has captured the whole

matter of computer hacking and other major cyber-crimes. In making a fair comparison of Kenya

and South Africa, one will discover that there are various stipulations that capture issues of

computer hacking, hence acknowledging that cybercrime is one of the major technological crimes

that the society is being faced with.


1.3 Objectives of the Research

The research intends to:

1. Define what computer hacking is: considering a Computer as a discipline on its own and

Computer in relation to the legal world.

2. Acknowledge any laws in place within the Kenyan jurisdiction that provide on how

computer hacking can be dealt with.

3. How the various cases of computer hacking have been dealt with within the Kenyan

jurisdiction.

4. To understand under what basis can the Republic of Kenya borrow same laws or model its

laws to fit Kenya’s situation, and owing to the fact that the crime keeps on advancing in

sophisticated stages, how will the law be framed to meet the new cybercrimes.


1.4 Research Questions

i. Has or how far has the Kenyan Government taken the campaign of curbing computer

hacking within its jurisdiction?

ii. How is the Republic of Kenya co-operating with other States both regionally and

internationally for the sole purpose of coming up with measures that will enable reduce

computer related crimes?

iii. How do other countries deal with computer hacking within their jurisdiction and when the

attacks emanate outside there Jurisdiction?

iv. Are the legal framework instituted in Kenya tend and/or comprehensively delve into

matters relating to computer hacking?

v. With the knowledge elicited from other States, what could be the imperative

recommendation to the Kenyan Government to counter the rooting of computer hacking as

one of the major cyber-crimes?

1.5 Justification of the Study

After perusing through the relevant statutes, few articles and journals which are born in the Kenyan

Jurisdiction that address matters relating to cybercrimes in the Kenyan context, it has been noted

that cybercrimes are escalating, but the laws to address matters relating to cybercrimes are deficient

and if there is some sort of law(s) in place, the law(s) are not well articulated to address the same

issue.

Ostensibly, in addressing the matters of cybercrime (herein computer hacking and/or unauthorized

access to data, information and/or information technology) it will not give any solution by only


putting relevant laws into place. Just like there are army men to protect a nation when facing attack

or helping on emergency issues; there ought to be a facility that will be established for the sole

reason of addressing, and spearheading for the security at the cyberspace9.

Little has been mentioned as with regards to cybercrimes. A few Kenyans acknowledge how

cybercrimes are rooting into the society, this places each citizen at risk of losing valuable property

and in many occasions’ money and information are the greatest target.

Owing to the aforementioned factors, this document will delve into the matter of computer hacking

and/or unauthorized access of data, information and/or information technology, for the reason

being it is the very first step that takes place prior to committing of other crimes. For instance,

prior defacing a system one has to hack into the system, prior to committing the traditional crimes

by use of computers and networks, hacking or unauthorized access will be the first step taken.

1.6 Literature Review

Ostensibly, the ideology of how to address cybercrimes “hacking” in Kenya is more done

physically albeit not in every sphere and relating to legal perspective, the legal framework

enshrined in Kenya does not vividly address the nitty-gritty of how curbing these technological

crimes that at most are untraceable due to sophisticated mode of committing the crime.

Little has been legally touched vis-à-vis computer hacking, however, over the media and various

conferences the issue of cybercrime is highly uttered about; regarding the fact that the ramifications

9 Kenya Information Communication Act, Cap 411A of the Laws of Kenya, authorized the Communication Commission of Kenya to come up with the Kenya Computer Incidence Response Team; See also the Draft of the African Union Convention on Confidence and Security in Cyberspace.


that come along with technology adversely affect many institutions and individuals directly and/or

indirectly.

In a speech given by Bethwel Opil10, he stated:

While some businesses may view such rankings with little concern, they should in fact be

taking these realities seriously as these statistics will only get worse if the growing threat

of cybercrime is not understood and managed effectively,…cybercrime has been noted as

one of the biggest challenges for the [M]inistry of [I]nformation, [C]ommunication and

[T]echnology in Kenya, according to the [C]abinet [S]ecretary. In line with this, the

Kenyan Government declared war on cyber criminals in May 2013, which certainly

indicates the severity of the issues in the country.11

The question that can emanate from the quote will remain to be, if the Government will act on

impulse and enunciate legislations that will lead to conflict of laws, acknowledging the imperative

fact that by formulating new laws it will have some impact on other statutes, the best example

being the Evidence Act cap 80 of The Laws of Kenya and the Penal Code.

Kenya is applauded for having Kenya Computer Incidence Response Team12 (Ke – CIRT) within

the East African block13, albeit its 103 websites were compromised in one night, the requisite

10 A manager at Channel sales for East Africa under Kaspersky Lab (2013) 11 Simnikiwe Mzekandaba, ‘Kenyan businesses face ‘cyber security threat’, says Kaspersky’ [2013] ITWeb Africa <www.itwebafrica.com/security/515-kenyan-businesses-face-cyber-security-threat-says-kaspersky> (Accessed on 10th November, 2013) 12 This is a Commission brought into existence by the provisions of The Kenya Information and communications Act CAP411A. The Commission is set for purposes of addressing the issues of cyberspace activities, this will be with regards to establishing cyberspace security and respond to whatsoever cyberspace crimes. This will be inclusive of collaborating with other players outside the Kenyan Jurisdiction. <www.cck.go.ke/industry/information_security/ke-cirt-cc/functions.html> (Accessed 16th of June 2014) (as then it was, now it is www.ca.go.ke) 13 Nairobi (Xinhua) ‘East Africa states prepare ways to collaborate on ‘cyber’ security’ [2013] Coast Week <www.coastweek.com/3622_48.htm> (Accessed on 10th November 10, 2013)


question that a hypothetical person will raise is whether there is need to have CIRT – Ke, yet we

have poorly established websites and other computer related materials that are prone to

cybercrimes such as hacking. However, the Government is trying to do its best via relevant and

persuasive forums to generate ideas that will help in halting the rampant cases of cybercrime.

Currently there is the National Cyber Security Strategy Master Plan14 (NCSMP)15 that is being

borne for purposes of addressing the cybercrime issues and how to handle the same.

It is noteworthy to acknowledge that the Government is trying its best to ensure the cybercrime

perpetrators are engulfed within the requisite legal framework, but it entails a lot of underground

work that the Government has to delve into. With regards to this, the research undertaken herein

is to address the issue of computer hacking and how it can be addressed within the Kenyan legal

framework.

Some authors have been persuaded by the magnitude of the way cyber space is escalating in the

African Countries, in acknowledging that each State has its own challenges regarding the issues

relating to cyber law. This author digs deep into the Kenya’s Jurisdiction for how policies and the

legal frame work in Kenya is built. The increasing use of computers and internet in various spheres

of human activities impact both positively and negatively on social, economic, cultural and

political aspect16.

14 The sole reason of having this document is to give the Government and Private sectors the requisite guidelines of how cybercrimes can be addressed vividly. <www.cio.co.ke/news/main-stories/kenya-launches-national-cyber-security-strategy-and-master-plan> (Accessed on 16th of June 2014); see also Kenya National Cyber Security Strategy Master Plan (2013) 15 CCK, ‘Kenya Declares War on Cybercriminals’ [2013] CCK <www.cck.go.ke/news/2013/War_on_cybercrime.html> (Accessed on 10th November 10, 2013) 16 Murungi M, Cyber Law in Kenya “Abstract” (Kluwer Law International 2011)


With regards to author Murungi, there is that urgent need that the manner in which the computers

are utilized should be regulated lest the technology (use of computers and/or computer related

gadgets) becomes less viable to the society.

Geoffrey Sampson:

Computing is not yet like, say, medicine or architecture: no one is allowed to practice as

doctor or as an architect without qualifications recognized by the appropriate professional

body, but as yet there are no legal restriction on entry on the IT profession. However,

that is because our subject is still new; the situation is unlikely to last. Already IN 2006

the British Government made the first moves towards introducing statutory controls on

entry to jobs in computer security, and it seems probable that this trend will spread to

other areas of the profession17.

In scrutinizing the diction appended by Sampson, it is not disputable that anyone can utilize the

computers regardless of having the approval from a given body that certifies so, for instance in the

Legal field herein Kenya, the Law Society of Kenya certifies one to be a Practicing Advocate,

furthermore it monitors ones conducts expressly or through clients complains. Clinging on such

measures undertaken by other professions, it will be prudent that apart from having laws that give

punitive measures to cybercrime offenders, there ought to be some scheme to give persons the

rights to utilize the computers in a certain way.

With regards to the articles, publications, and/or books penned down by various authoritative

writers, it portrays that since time immemorial dealing with technological matters vis-à-vis the law

has not been easy and Kenya is no exception to be faced with the same challenges.

17 Sampson G. Law of Computing Students (Bookboon, Ventus Publishing ApS 2009) pp9


The works aforementioned have been well scripted, and for the matter to be discussed herein is

not well scripted in the Kenyan context, as compared to other jurisdictions as it will be portrayed

herein under in form of Chapters. Computer hacking is the subject matter under the microscope,

how the legal structure of Kenya is structured to attain the purpose of controlling, curbing and/or

appending surcharge on those who through their acts or omission do offend the law.

1.7 Limitation to the Study

While undertaking this research, it came into notice that, there is deficiency of books, articles or

journals that address matters relating to cyberspace substantively, regarding the Kenyan

Jurisdiction.

Due to the inefficiency of rich jurisprudence with regards to cybercrime in Kenya, there is much

reliance on precedence from other nations. Irrespective of cybercrimes being of the same nature,

there is the element of each jurisdiction to afford terms that meet their situations. It is noteworthy

that Nations do not define cybercrimes in unison.


1.8 Research Methodology

In undertaking this research, the primary sources of law will be utilized, that’s the various statutes

of the Kenyan Jurisdiction and those of the other States. Furthermore secondary sources that will

be accessible both at the library and online will be utilized for the same purpose. The secondary

sources will be inclusive of books, case laws, journals et al being soft copy or hard copy.


2.0 Chapter 2

2.1 The Legal Framework in Kenya that stipulates about Cybercrime vis-à-vis Computer

Hacking and interlinking to Privacy.

Predominantly, the law might not capture all the deviant activities that root itself within the society,

it may be out of the inadvertence of the legislators or the society’s failure to raise the red flag or

the capability of enforcing some laws may be inconvenienced by various cultural18 aspects. In

applauding the healthy Constitution that the Kenyan Government has planted through its citizenry,

the Judiciary and the advocates will have the leeway to utilize the international laws and treaties

that are available to define and prosecute some computer related crimes inclusive of the computer

hacking, and also Kenya being a Common Law State, case laws from various countries will be

utilized during the court proceedings.

Kenya is bound by laws and treaties that they have ratified and other Conventions.19

Predominantly, no State can be guided with only the International Law and meet its National

obligation, for instance despite the fact that the Constitution is termed as the Supreme Law of the

Land20 this does not mean that the Constitution can be utilized to meet all the needs of the society.

Hence, there are other laws coming into place that are required to be in conformity with the

Constitution. Concerning that, the Government has the mandate to come with laws about the

cybercrimes21.

18 The term culture is not appended and utilized in the reasonable person assumptions; this is capturing the culture that people in a given society assume unlike the ethnicity-based culture. For instance a culture of preferring to give bribes to evade the jaws of law. 19 Art 2 (6) of The CoK 20 Art 2 (1) of The CoK 21 Cybercrime is a wide division which cannot be captured by one sentence (nutshell) and this ought to be looked at with its great gravity as it portrays. Currently, the State is malnourished with regards to Lex Specialis that can supervise Cybercrimes.


2.1.1. Introduction

Arguably, various sentences and/or provisions can be regarded to have captured the terms relating

to cybercrimes within the laws born in the Kenyan Jurisdiction. Albeit, this is not an assurance of

having viable laws to define, prosecute, argue matters with regards to Jurisdiction while

prosecuting (Internet does not have jurisdiction), inviting evidence to the Courts and authentication

of the sophisticated evidence.

Under the Bill of Rights in the Constitution of Kenya (CoK) there are various rights that were, can

be, are and/or they will be infringed by utilizing the Computer. The computer crimes may violate

a great deal of Human Rights; this is inclusive of Right to Life.22 As that may appall many people,

one should consider the definition of the term “hacker23, hacking, unauthorized access of

information” et al. With the help of computers (more clarification herein under) one can

manipulate the details inscribed on medical records and eventually lead to wrong medication,

hence leading to the death or incapacitation of a person. It is obvious that computers may play a

part in the commission of nearly every form of criminal activity, from fraud to murder24 (own

emphasis).

Reed Chris:

[In] the first category is traditional types of criminal offence that may be committed using

computers as the instrument of the crime, referred to as ‘computer-related crime’, such as

fraud. The second category concerns ‘content-related crimes’, where computers and

22 Art 26 of The CoK 23 The term hacking/hacker and cracking/cracker seem to catch different meanings as some authors tend to define them, however, herein the term hacker and hacking will utilized to refer to the unauthorized access to information. 24 Reed C. Computer Law (7th ed, Oxford Press New York 2012) pp682


networks are the instrument, but the content itself is illegal, such as infringing intellectual

property and certain forms of pornography. The third category is offences that have been

established specifically of computer and communications systems, such as viruses and

other malware; ‘computer integrity crimes’.25

As stated in the book edited by Reed, it is noteworthy that various crimes do emanate when

computer hacking takes place; however, herein the subject matter is the laws that govern the crimes

that fall under cyber-crime and specifically Computer Hacking. The viability of the work’s by

Reed Chris, and clinging on his diction, is to spill the beans that the Kenyan legislators need to

discuss the Computer Hacking in Length as it is wide, and that the making of nutshell provisions

only open aisle of confusion within the Kenyan Jurisdiction.

2.2. Constitution of the Republic of Kenya

With regards to the CoK, 2010, there are no terms such as “computers, internet, cybercrime” this

does not mean that it is mandatory or even need to have them mentioned under it so as to show the

need to address the issue. However, under Chapter Four (4) of the Bill of Rights in the CoK there

are various Articles that relate to Computers either directly or indirectly and hence there ought to

be legislation that zoom on the same division for purposes of clarity.

Hon. Carl Levin:

This is in addition to what is also well known, that China hacks the accounts of human

rights activists in order to suppress human rights (own emphasis) in China.26

25 Reed C. Computer Law (7th ed, Oxford Press New York 2012) pp682 26 Chinese Hacking: Impact On The Human Rights and Commercial Rule of Law <www.gpo.gov/fdsys/pkg/CHRG-113hhrg855/pdf/CHRG-113hhrg81855.pdf> (Accessed on 8th February 2014)


With regards to diction of the United States Senator, while referring to a detailed report on the

activities of China towards Human Rights, it clearly display how hacking is utilized in different

platforms to achieve some aims that are contrary to the Rule of Law.

The applicability of the CoK may be termed to be vertical, this is because the Government is the

custodian of the same rights under the CoK and hence the Government also oversees other

organizations how they handle its citizens.

Joshua Gold:

[B]usinesses that have been hacked may face claims from Governmental authorities, such

as State Attorney Generals and consumer protection departments charged with protecting

the public from practices that are asserted to have imperiled consumers.27

This affirms that apart from the Government incubating and coming up with projects that will help

curb and control the rate of computer hacking within the country, the institution or organizations

have that mandatory duty to take requisite measures that protect the interests of its citizens28 or its

subscribers29.

When the Society is reluctant in addressing computer hacking due to ignorance, this creates the

law in action30 thus persons31 will continue to suffer from the impacts of computer hacking.

27 Joshua G. Data Breaches and Computer Hacking: Liability & Insurance Issue <www.andersonkill.com/webpdfext/ART_DataBreachesAndComputerHackingLiability.PDF> (Accessed 9th of February 2014) 28 Citizens will fall under the purview of a specified jurisdiction, herein Kenya. 29 By the terms subscribers is noteworthy to applaud that some institutions such as PayPal do offer online accounts, hence it will be prudent for the institution to come up with reasonable measures to protect its subscribers. PayPal does have access by persons from different Jurisdiction; hence, the term Subscriber is different from Citizens in this context. 30 This is a termed by Sociological School of Thought (Social Engineering), that states, despite having coded laws, there are practices in the society that have been practiced (act or omission) and are assumed to be norm. 31 The term “person” is incorporated herein due to the fact both the Artificial and Natural Persons will suffer from the effects of computer hacking. As much as terming an artificial person having Rights under the Bill of Rights of


However, the vertical relationship is not absolute as one can utilize the horizontal relationship to

make a claim where a person has the locus standi:

The Bill of Rights applies to all law and binds all State organs and all persons32.

Every person has the right to institute court proceedings claiming that a right or

fundamental freedom in the Bill of Rights has been denied, violated or infringed, or

threatened33.

As it will be discussed herein under, it is noted that the two provisions are imperative to enrich the

Kenyan Jurisprudence with regards to the Computer Hacking and other related Cybercrimes. It is

noteworthy to acknowledge the fact that, as much as the legislature is a State Organ given the

authority to make laws, the Judiciary does play a major role in making the laws be in-conformity

with the dynamic society and acknowledge the need to foresee to the future.

In Republic v Kipsigei Cosmas Sigei & Another34, it was held that despite the fact that there was

deficiency of laws with regards to the admissibility of Video Evidence, it was the obligation of the

Court to dispense justice, and hence the same will not be disregarded as much as there is no law

to that effect. The Court has the requisite mandate to determine matters on the inherent

reasonability it has and that is to apply the common sense approach.

That is one among the many instances the courts does make laws or principles so as to catch up

with the dynamic society.

the CoK will be absurd, it will not be absurd to give artificial persons some of the “Citizen Rights.” Currently, Kenya is not offering some of the Rights to Artificial Persons. Right to ask for information was denied in: Nairobi Law Monthly Company Limited v Kenya Electricity Generating Company & 6 Others [2013] eKLR 32 Article 20 (1) of the CoK 33 Ibid n15 Article 22 (1) read together with Article 22 (2) 34 [2004] 19 HC


2.2.1 Right to life

The matter has been highlighted herein above, however, just to raise the bar of the thoughts and

walking away from the main division herein, and inviting the most common cybercrime that has

led to death of various persons. This is in relation to cyberbullying. Traditionally, cyberbullying

has been regarded as to fall under the ambit of children, preteen and/ or teenagers, however it is

also affecting those above the “teen” parenthesis, but it is not regarded as cyberbullying35.

However, in the context herein, it is all about computer hacking. The umbilical cord between

Computer hacking and cyberbullying, is when one does hack into a computer or a computerized

gadget and elicit information in whatsoever form and use it against a victim (the victim is the

person and not the computer) so as to cyberbully and cyber-blackmail the person, which in some

other instances leads to committing of suicide36.

Computer hacking has more than what meets the eye. It is after effecting hacking of a computer,

server and/or a given system, then, thereon one will utilize the whatsoever data found for various

purpose(s): be it advantageous or disadvantageous to the owner or a third party, advantageous to

him/her or a third party and/or distortion of the whole data. The hacker might decide to distort

some vital information; the distortion of the information may possibly mislead the subscribers to

the source and in one way or another this can lead to infringement of various Human Rights, such

as the Right to Life37.

So far, there have been no known incidents of a hacked medical device injuring or killing a person,

but researchers have demonstrated that [these] events are possible38. This approves that as much

35 <www.kean.edu/˞schandle/Students/LNerilo/what%20is%20cyberbullying.htm> (Accessed on 16th of June 2014) 36 United States v Drew [2009] 259 FRD 449 37 Tanya L. Medical Devices Vulnerable to Hackers, New Report Says <www.m.livescience.com/39889-medical-devices-vulnerable-to-hackers.html> (Accessed 8th February 2014) 38 Tanya L. Medical Devices Vulnerable to Hackers, New Report Says <www.m.livescience.com/39889-medical-devices-vulnerable-to-hackers.html> (Accessed 8th February 2014)


as there is no reported cases over the same, the Right to Life of a person might be at stake now and

later on in future. An Australian medical clinic’s patient records have been forcibly encrypted by

attackers, who are demanding $4 200 to decrypt the data39. The holding of information at ransom

is deeply prejudicial to the patient(s), this is so because the medication that is given at intervals

can end up being administered earlier or later than it is supposed to be, hence deterring the effects

of the medication or eventually lead to death or incapacitate the victim.

Jim Finkle; ed Tiffany Wu Allen et al

He (Barnaby Jack) told Reuters last week that he could kill a man from 30 feet away by

attacking an implanted heart device…Two years ago Jack turned his attention to medical

devices, while working [with] a team at McAfee that engineered methods for attacking

insulin pumps. Their research prompted medical device maker Medtronic Inc. to revamp

the way it designs its products.40

That expounds the ideology of how hacking can lead to breach of Right to Life, and the cons of

the internet seem to play at a higher platform than the pros of the same. However, with the dynamic

society one cannot stall progress that is taking a great wave in the world. The Government should

be learning on its predecessors with regards to States that have developed on the Technology

world. As it is hard to regulate hard technology, the Government should consider how to control

soft technology and the interplay of the two technologies.

2.2.2 Human dignity and privacy

39 Mathew J. InformationWeek: Security//Attacks & Breaches ‘Hackers Hold Australian medical records Ransom’ <www.informationweek.com/attacks/hackers-hold-australian-medical-records-ransom/d/d-id/1107754> (Accessed on 8th February 2014) 40 Jim F. Reuters US ‘Famed Hacker Barnaby jack Dies A Week before hacking Convention’ <www.reuters.com/article/idUSBRE96P0K120130726?irpc=932> (Accessed on 8th February 2014)


The CoK provides that “Every person has inherent dignity and the right to have that dignity

respected and protected.”41 The same concept is raised and protected under Universal Declaration

of Human Rights (UDHR). This is among the fundamental Rights inscribed into the Constitution

and elicits its strength from various Regional and International Statutes42.

The Right to Privacy is a close relative to Human Dignity, the two are provided for under the CoK,

and there is rich Jurisprudence over the same, under the Banjul Charter and other requisite

Conventions and treaties Kenya is party to.

The importance of the right to personal privacy became self-evident in the immediate

aftermath of the horrors of the Second World War. The right to principles of human

dignity and inherently linked to many other rights such as equal treatment and free

expression (own emphasis). A society that does not pay proper regard to personal privacy

is one where dignity, autonomy and trust are fatally undermined.43

Relating the quote with the Chinese hacking Report, it purports that the Republic of China, does

infringe the privacy rights of its citizens as Mr. Wen Yunchao44 explains how the Government has

been going through his private data45.

In Kenya it was vivid to the nation that the State was with intents of perusing through its citizens

emails, however, most people called for legal framework to be put in place. With regards to South

Africa, they have specific Acts that address and provide limitations on such imperative divisions.

41 Art 28 of CoK 42 Art. 2 (5) & (6) of the CoK 43 Liberty 80, <https://www.liberty-human-rights.org.uk/human-rights/privacy/> (Accessed on 8th of February 2014) 44 Independent Journalist and Blogger 45 Chinese Hacking: Impact on Human Rights and Commercial Rule of Law (US Government Printing Office, Washington 2013)


Hacking or unauthorized access to information, irrespective of the form in which the information

in that case is stored, can lead to other cyber-crimes46 that on the onset have an impact on various

Human Rights provided under the Bill of Rights under the Constitution of Kenya. Thus, the matter

of unauthorized access to information is a vital matter that need to be addressed substantively.

Considering what happens thereon after eliciting information, there are many serious crimes that

follow. Hypothetically, when one hacks into a victim computer and elicit a person’s private images

or profile(s), the person who commits the crime might ask for monetary consideration so as not to

make the pictures public via internet or any given social media platform.

2.2.3 Right to property.

Property not only necessarily cling on physical matters, however, property also relate to ideas that

persons may have towards a certain division, this kind of property does fall under the strata of

property known as Intellectual Property. Intellectual property is an idea, a design etc. that

somebody has created and the law prevents other people from copying47.

The CoK does dictate under Article 40 on issues of property, however, the property being given a

wider view is Land. The CoK does even brush through Intellectual Property by giving the term

property the intellectual aspect48. In the so-called digitized era, it is noteworthy to acknowledge

that most persons happen to publish their intellectual Property to the internet for purposes of

reaching a large audience or subscribers to their work. However, as what happens to the physical

world, whereby persons may break into corporeal property and steal, in the internet one does hack

into the system or one accesses the computer that stores the incorporeal property and acquires the

46 Carter, E. Examining Cybercrime: Its Forms and Its Perpetrators (National University of Internal Affairs in Kiev, 2002) 47 Oxford Advanced Learners Dictionary 8th ed 48 Article 40 (5) of the CoK


property illegally49. The advantage of publishing copyrighted work on the internet, which makes

a work available to a wider audience, might also attract misuse and infringement of copyrighted

material50. This puts the owner of the expressed ideologies to suffer great loss at times irreparable

loss51.

Marco Gercke:

Digitization has opened the door to new copyright violations. The basis for current

copyright violations is fast and accurate reproduction. Before digitization, copying a record

or a videotape always resulted in a degree of loss of quality. Today, it is possible to

duplicate digital sources without loss of quality, and also, as a result, to make copies from

any copy52.

Digitalization is a process that roots itself so deep and with its fascinating nature, it is irresistible

within the great numbers of the members in the society, hence, the Government has the duty to

make reasonable and expeditious plan on how to deal with cybercrimes: computer hacking. Where

by one hacks into a system and elicits the given intellectual property (music, e-books, software’s

et al) and thereon distributes the same to an unlicensed persons for free or at a lower price.

2.3. Kenya Information and Communication Act Cap 411A

Ostensibly, the diction afforded in the Act, does raise a lot of relevant questions as to the

authentication of the documents that will be provided for. Briefly, Sec. 83G of the aforementioned

Act provides as follows:

49 Clough J. Principles of Cybercrime (Cambridge University Press New York, 2010) pp29 50 Adam J. ICT Law book: A Source Book For Information and Communication Technologies & Cyber Law in Tanzania & East African Community (Mkuki na Nyota Publishers Ltd Dar es Salaam 2010) pp218 51 Meaning of irreparable damage as per: Giella V Cassman Brown & Co. Ltd (1973) EA 358 52 Marco G. Understanding cybercrime: Phenomena, Challenges and Legal Responses (ITU Publications 2012) pp 28


Where any law provides that information or other matter shall be in writing then, notwithstanding

anything contained in such law, such requirement shall be deemed to have been satisfied if such

information or matter is:—

(a) Rendered or made available in an electronic form; and

(b) Accessible so as to be usable for a subsequent reference

The aforementioned Act does give a glimpse53 of what unauthorized access to information is and

what it entails. Such a statute does not vividly address the nitty-gritties of why cyber laws ought

to be in place. Technology is swift but complex, and it will be easy to use such channels for data

diddling and so forth, hence, this leaves a lacuna that criminals can rely on, when committing

some crimes, as the viability of prosecuting a case through their evidence might not materialize.

The ideology that appends to computer crimes vis-à-vis computer hacking is given some light

under Sections: 83G, 83M, 83P, 83W, 83X and 84F54.

With weight being placed on Sec. 83G (a)55 it is worth to appreciate that, there ought to be

authentication of the data being relied upon by the Honourable Courts. In the due course of having

the same being acted upon as valid and viable, there has to be substantive prove that what is before

the court was not supplanted. This is one of the madcaps clauses found in the law, as it is widely

uttered there is no punishment without referral law, will the Governmental institution cling to that

ideology as Kenyan Jurisprudence is being diluted!

53 This is so, as some other States have special Act(s) in place that delve into what the matter entails unauthorized access to information, for instance: Electronic Communications and Transactions Act, Interception and Monitoring Prohibition Act, South African; Wiretap, Electronic Communication Act , USA; Information Technology Act – 2008, Evidence Act, India. 54 The Kenya Information Communication Act, Cap 411A 55 The Kenya Information Communication Act, Cap 411A


The Act under this division is imperative to some extent as it stipulates on computer hacking and/or

unauthorized access to computer systems, documents et al.

Kenya Information Communication Act:

83U— Unauthorized access to computer data.

83V— Access with intent to commit offences.

83W— Unauthorized access to and interception of computer service.

83X— Unauthorized modification of computer material.

83Z— Unauthorized disclosure of password.

84A— Unlawful possession of devices and data.

84C— Tampering with computer source documents

84F— Unauthorized access to protected systems.

84G— Re-programming of mobile telephone56.

Herein above are some of the imperative stipulations of the act that touch on matters of hacking or

unauthorized access to systems, electronic gadgets and/or servers. The Act also introduces the

element of Mens Rea57, hence no strict liability. However that is per Sec. 83V, unlike Sec. 83U of

the Kenya Information Communication Act, which does not need Mens Rea, hence it is of strict

liability.

2.4 The Evidence Act, Cap 80

56 Kenya Information Communication Act 57 Guilty mind: Dean’s Law Dictionary


As Kenya and other developing States are catching up with technology, such as internet for various

purposes. Thus as most youths are regarded to acquire gadgets that can access internet for purposes

of socializing, it is noteworthy to acknowledge that most commercial enterprises are taking

advantage of the same internet to advertise, execute business and/or register or informing its clients

et al.58

Jae. K, Anique. A, & Joel. G:

[Hence,] appropriate use should always be legal, ethical, reflect academic honesty, reflect

community standards, and show restraint in the consumption of shared resources. It should

demonstrate respect for intellectual property; ownership of data; system security

mechanisms; and individuals rights to privacy and to freedom from intimidation,

harassment, and unwarranted annoyance59.

When it comes to matters relating to technology, the law enforcement bodies must be cautious on

how they admit and disregard evidence that is presented before it. In that case, the Evidence Act,

Cap 80 of the laws of Kenya, is an imperative legal document to be discussed60.

However, prior delving in the Evidence Act of Kenya, it is noteworthy to recognize that it was

amended in the year 2009 so as to fit the evidences regarded as electronic evidence61. The

amendment was introduced by the Kenya Communication (Amendment) Act of 2008 assented in

200962.

58 UNITED NATIONS OFFICE ON DRUGS AND CRIME: Vienna “Comprehensive Study On Cybercrime” 2013 59 Jae. K, Anique. A & Joel. G International Handbook of Computer Security (Glen-lake Publishing Company Ltd Chicago USA, 2000) pp204 60 Sec. 65 and Part VII - Sec. 106A – 106I of the Evidence Act, Cap 80 of The Laws of Kenya 61 Part VII - Sec. 106A – 106I of the Evidence Act, Cap 80 of The Laws of Kenya 62 Evidence Act, Cap 80 (PART VII – ELECTRONIC RECORDS): Insert the following new part in Chapter III immediately after Part VI – Kenya Communication (Amendment) Act, 2009.


Cyber-crimes have a sophisticated way of execution, and thus there ought to be laws that permeate

over the computer related crimes. In the current legislations that give measures that one should

subscribe to while intending to invite evidence in court, they are less viable with regards to the

evidence that will be tagged as those of electronics or computer nature. The Evidence Act does

have two imperative Parts that address issues relating to documentary and also electronic

evidence63.

Predominantly, the Evidence Act, Cap 80 of the laws of Kenya has given what can be termed as a

wider view on electronic evidence as compared to other Statutes. Under Section 65 (6) of the

Kenyan Evidence Act does dictate on evidentiary issues vis-à-vis computer print-out, the Act tends

to utilize terms that raise the questions such as “what if?”

[C]omputer print-out containing the statement must have been produced by the computer

during the period in which the computer was regularly used to store or process

information for the purposes of any activities regularly carried on over that

period…64(own emphasis)

The best question that one should invite in this context is that, what if one hacks into the computer

and distort the information that was stored in the storage data disk(s), and later on be printed, will

the Courts stick to the shallow view that, having the proof that the computer printout is actually

from a given computer then the information is valid. With such occurrence, there can be chances

of wrongful conviction or dismissal of matters before the court.

Herein under is an eye catching Section of the Evidence Act.

63 Sec. 65 (primary documents) and Part VII (Electronic Records) of the Evidence Act 64 Sec. 65 (6) (a) Evidence Act, cap 80 of The Laws of Ke


[T]he information contained in the statement reproduces or is derived from information

supplied to the computer in the ordinary course of business 65(own emphasis).

The accuracy of information can be distorted as some States have the tendency of filtrating the

data that is sent into their Jurisdiction. Regarding to the Report: Chinese Hacking on how the

Chinese Government managed to go through emails being sent to Mr. Wen Yunchao, by hacking

into his Gmail account,66 does approve that, at some point the information that is “supplied to the

computer in the ordinary course of business67” can be manipulated or distorted hence not being

the actual information sent or supplied in the first instance.

[The] lack of adequate training (own emphasis) of law enforcement officers will often

exacerbate68 the challenges being faced when adducing evidence for purposes of executing cases

against perpetrators. In appending the provisions of the Evidence Act and those of the Kenya

Information and communication Act, it is imperative to acknowledge that there are various stages

whereby the law enforcement officers are or will be required to have adequate skills as to dealing

with certain Crimes that emanate from the violation of certain provisions.

In Johnson Joshua Kinyanjui v. Republic69, the Honourable Courts declined to invite evidence that

were in computer print-out form, this was with regards to the fact the prosecution did not call upon

an expert to authenticate the evidence in computer print-out form.

Thus due to the deficiency of expertise in the given field to authenticate the evidence, the Court

disregarded the evidence. It is imperative for such cases to be dealt and delved upon by the

65 Sec 65 (6) (d) of the Evidence Act, Cap 80 of The Laws of Ke 66 Chinese Hacking: Impact On The Human Rights and Commercial Rule of Law <www.gpo.gov/fdsys/pkg/CHRG-113hhrg855/pdf/CHRG-113hhrg81855.pdf> (Accessed on 8th February 2014) 67 The quote does mirror the diction utilized under Sec. 65 (6) of the Evidence Act, Cap 80 of the Laws of Kenya. 68 Reed C. Computer law (7th ed, Oxford Press New York 2012) pp715 69 [2002] HC Crim App


Government effectively, for that to be done, it has (The Government) to have expertise in the

requisite field like Information Technology (hereinafter IT).

A document is defined as follows:

Notwithstanding anything contained in this Act, any information contained in an electronic

record which is printed on paper, stored, recorded or copied on optical or electro-magnetic

media produced by a computer (herein referred to as computer output) shall be deemed to

be also a document.70

Under Part VII of the Evidence Act, it provides on matters of Electronic Evidence thus from Sec.

106A – 106B. Some of the diction under Sec. 65 (6) and (7) of the same Act have been repeated

under Sec. 106B (2) and (3) respectively.

Admissibility of documents under Part VII will be with regards to Sec. 106B (2), (3), (4) and (5).

Having noted that the same does not mention the matters relating to Cybercrimes directly,

however, the stringent provisions in place try if not to stop the reliance of documents that can or

have been forged or altered for whatever reasons (this is best addressed by the Kenya Information

Communication Act, Cap 411A).

For purposes of certification of the signatures, thus if a party to a case does dispute the

authentication of the “secure signature” hence the same will have to be litigated upon so as to

prove it is valid electronic signature.

On matters relating to the proof and proof as to the verification of electronic signature, it

is provided under 106C and 106D.

Presumptions as to: gazette in electronic form, electronic agreements, electronic records

and electronic signatures and electronic messages, are provided under Sec. 106E – 106I71.

70 Sec. 106B of the Evidence Act of The Laws of Kenya 71 Evidence Act, Cap 80 of the Laws of Kenya


2.5 The Penal Code

A Penal Code is a legal instrument that provides and defines act or omissions that are regarded as

crimes, and thereon it appends the requisite punishments of the same. The Black Law Dictionary

provides that: [A Penal Code is] a compiled list that describes and defines all of the offenses, as

well as the law which can be applied and the punishments that can be given72.

The Kenyan Penal Code is deficient of the terms that can be utilized to effect the prosecution of

Cybercrimes, this being inclusive of Computer Hacking. Delving in the diction utilized by the

legislature is based on the traditional crimes as the crimes were. However, there is some alteration

made so as to capture the fact that the traditional crimes have taken a different platform. This is

with regards to the requisite fact that most of the traditional crimes which are now committed

online, happen to be committed after effecting unauthorized access or hacking of computers and

related gadgets thereon.

Herein, the argument will not be based on the types of murder as under the division of the CoK,

matters relating to Right to Life has been addressed.

In chapter thirty four (XXXIV), under division seven of the Penal Code of Kenya it provides on

definitions of terms relating to forgery of documents.

Penal Code:

Sec. 345 Forgery is the making of a false document with intent to defraud or to deceive.

Sec. 346 In this division of this Code, "document" does not include a trade mark or any

other sign used in connexion with articles of commerce though they may be written or

printed or in electronic form.73

72 Black Law Dictionary, 2nd ed. 73 The Penal Code of Kenya


The Penal Code is not silent to the type of documents, thus it does specify physical or a computer

file. For this purpose, it can be stated that the documents herein can be defined based on a given

case.

The Oxford Advanced Leaners Dictionary 8th ed. provides:

[A]n official paper or book that gives information about [something] or that can be used as

evidence or proof of [something];

[A] computer file that contains text that has a name that identifies it74.

[A document is] an instrument on which is recorded, by means of letters, figures, or marks, matter

which may be evidentially used. In this sense the term “document” applies to writing; to words

printed, lithographed, or photographed; to seals, plates, or stones on which inscriptions are cut or

engraved; to photographs and pictures; to maps and plans75.

Acknowledging the definitions given by the Dictionaries more than relating to the Black Law’s

Dictionary, is noteworthy to state that the documents under the Penal Code can be of whatsoever

nature, however, as much as the physical document will be authenticated by means such as delving

into: author’s hand writing, signatories, witnesses et al. when it comes to computer file(s) as given

under the Black Law definition of what a ‘document’ is, it is prudent to acknowledge that such

documents have a lot of complexities when it comes to authenticating the same.

In this context as provided under The Penal Code, does not directly link to computer hacking or

unauthorized access to information76. However, in some instances it is after hacking into a system

74 The Oxford Advanced Leaners Dictionary 8th ed. 75 Featuring Black’s Law Dictionary 2nd ed. <www.thelawdictironary.org/document/> (Accessed on 16th of June 2014) 76 Sec. 345 – 348 of the Penal Code of The Laws of Kenya


that the same act (forgery of documents) can be committed77. Hence, this is the reason as to why

computer hacking comes into play in the given context.

The Penal Code is flowered with requisite terms like “electronic,” just like The Kenya Information

Communications Act, which provides the same and defines other electronic and technology terms.

It will be less prudent to discuss on the punishment(s) in store for the violators of the law (computer

hacking and/or unauthorized access) that is not in existence.

2.6 The Finance Act

A society is not a stagnated structure; hence, as time goes by, there are always a variety of changes

that take place. Some being positive and others negative, some of the factors affect the law(s) in

place; hence, the legislature has the mandate to address the emanating issues. For reasons thereof,

the Finance Act does provide requisite alterations that have to be made in various statutes in Kenya;

this is also inclusive of definitions of terms and new terms being invited.

The Finance Act:

"[I]nformation technology" means any equipment or software for use in storing, retrieving,

processing or disseminating information;

"[C]omputerized motor vehicle registration system" means any software or hardware for

use in storing, retrieving, processing or disseminating information relating to registration

records of motor vehicles and trailers, the licensing of drivers, and the keeping of such

records in relation thereto as are required by this Act.78

As per the definition given to what Information Technology is, it is noteworthy that these should

be in line with the fact that the “equipment or software for use in storing, retrieving processing or

77 Carter, E. Examining Cybercrime: Its Forms and Its Perpetrators (National University of Internal Affairs in Kiev, 2002) 78 Sec. 27 of The Finance Act 2013 of the Laws of Kenya


disseminating information” can be affected by the malicious act or omissions that emanate from

the hackers. This can be by installing new software(s) that can alter the virtual information.

Linking the definition given and what Computerized motor vehicle registration system79 means in

the literal sense, when clinging to Part IV – Public Documents of the Evidence Act of the Laws of

Kenya, it sheds light on what public documents are. Public Documents are regarded to be

admissible before a Court if they certify Sec. 80 and Part V – Presumptions as to Documents (Sec.

84) of The Evidence Act.

Thus, it makes the fact that Electronic Documents can be made admissible before court and this

should be concerning the authentication. Just as the physical documents require the signature of

the holder of the document, under the electronic documents there is the electronic signature that

can be linked to the private key and public key of the sender and the receiver respectively. The

receiver utilizes the public key infrastructure to certify that actually the document is genuine, thus

concerning the authentication of the signature.

As much as the Kenyan Jurisprudence concerning Information Technology is taking short steps to

address the subject matter in it, it is also quite prudent to acknowledge all these documents can be

prone to forgery as the Penal Code provides. This Traditional Crimes take effect in the internet

after hacking or unauthorized access is made to whatsoever virtual documents, server and/or

computer.

2.7 Data Protection Act

The Data Protection Act does address the essential factors that relate to virtual data. In defining

what entails to “data,” the Act provides as follows:

79 Ibid n40


(a) is being processed by means of equipment operating automatically in response to

instructions given for that purpose;

(b) is recorded with the intention that it should be processed by means of such equipment;

(c) is recorded as part of a relevant filing system or with the intention that it should form part

of a relevant filing system;

(d) where it does not fall under (a), (b) or (c), forms part of an accessible record;

(e) is recorded information held by public entity and does not fall within any of paragraphs

(a) to (d)80;

The Data Protection Act, utilizes terms such as “processed,” “equipment operating automatically

in response to instructions,” “part or should be part of a relevant filling system” and thereon it

stipulates that in the event whereby the data does not fall under the first three provisions of what

data entails, but forms part of accessible record it will be deemed data for that purpose.

The Act does extent its arm to “recorded information held by public entity” and does not fall under

the ambit of the first four stipulations. This affirms that the Act is taking cognizance of the

unauthorized access of information whereby information is not in the virtual formality.

The aforementioned Act does provide for the protection of personal information, the extensive

definition what personal information entails is offered in the Data Protection Act.

“[P]ersonal information” means information about an identifiable individual, including,

but not limited to−

(a) information relating to the race, gender, sex, pregnancy, marital status. national, ethnic or

social origin, colour, age, physical or mental health, well-being, disability, religion,

conscience, belief, culture, language and birth of the individual;

80 Sec. 2 (1) of the Data Protection Act of The Laws of Ke


(b) information relating to the education or the medical, criminal or employment history of

the individual or information relating to financial transactions in which the individual has

been involved;

(c) any identifying number, symbol or other particular assigned to the individual;

(d) the fingerprints, blood type or contact details including telephone numbers of the

individual;

(e) correspondence sent by the individual that is implicitly or explicitly of a private or

confidential nature or further correspondence that would reveal the contents of the original

correspondence to a third party;

(f) a person’s views or opinions about another person ; and

(g) any information given in support or relation to a grant, award or prize proposed to be made

to an individual;81

The Act provides what Personal Information is, and it further provides that, the stated are not the

only type of information that can be termed as personal information. This means that whatever

personal information is, will always be discussed from case to case basis.

Owing to the sensitivity of the matter, the law does require major factors to be considered while

dealing with personal information, this includes, but not limited to consent, lawful use, store or

reserved as per the provisions of law, safeguarding of the information et al.82.

As much as the Information Technology and Law jurisprudence is quite young in the Kenyan

jurisdiction, it is valuable to note that, for the fact that laws are in existence that will help to foster

for how to solve cybercrimes mayhem and reducing chances of a State being a cyber-criminals

haven.

81 Sec. 2 (1) of The Data Protection Act of the Laws of Kenya 82 Sec. 4 of the Data Protection Act


Some countries may even see opportunities to establish themselves as ‘data havens’, providing

maximum privacy and minimal regulation of content hosted there.83

Jonathan Clough:

Accessing wireless networks, with or without authorisation, may conceal the identity of

the actual user even if the location can be identified. Data may be stored deliberately in

jurisdictions where regulation and oversight is lax…For others, particularly in the

developing world, cybercrime may simply not be a priority.84

In the words of the author it is quite clear that perpetrators of cyberspace will take advantages of

States that lack effective provisions that address the matters of cybercrime.

The recognition of the fundamental right to privacy is also enshrined in the Act. This does balance

the way in which a given institution or facility will utilize the personal information of a given

person85. It also helps in controlling the horizontal relations between citizens and other persons in

different jurisdictions, whereby each citizens has to respect the privacy of each person.

Cybercrime Strategy:

Individuals can protect themselves by controlling the amount of personal data they make

available on the internet. However, the use of privacy enhancing technology in systems can

also enhance an individual’s privacy, help reduce the risks of privacy breaches and the

significant costs associated with them and build trust between customers and clients.86

The Cyber Crime Strategy Cm 7842 of the British Government alludes that citizens can help in

controlling the chances of infringing their privacy. However, the same report does acknowledges

83 J. N. Geltzer, ‘The new Pirates of the Caribbean: How data havens can provide safe harbors on the internet beyond Governmental reach’ (2004) Southwestern Journal of Law and Trade in the Americas 433. 84 Clough J. Principles of Cybercrime (Cambridge University Press New York, 2010) 85 Sec. 4 of the Data Protection Act 86 Secretary of State for the Home Department by Command of Her Majesty. Cyber Crime Strategy Cm 7842 (2010)


the difficulties of personal initiative to protect oneself privacy. In the light of the social classes in

the society, the vast majority cannot protect oneself from electronic gadgets attacks from cyber

criminals.

Agencies are given a mandate to deal with personal information with caution; this will include

coming up with programs that will ensure such information shall be kept as per the policies of the

institution and reflecting the wishes of the laws in places.87

An agency includes public entities and private bodies.88 This means that also banks, educational

facilities, human resource in each institution, hospitals, research facilities et al.

In the event, one speculates that a given agency does have in store his or her personal information,

the person has the right to inquire over the same. However, the Freedom of Information Act will

guide the procedure and the kind of information to be elicited.89

The Act’s diction does provide that it is not advisable for an agency to assign Unique Identifiers

to individuals. However, the same statute does offer exception to the general rule. In the event the

Unique Identifier is assigned to the same individual by a different agency, it is not licit unless the

two agency are regarded as association as per the Income Tax Act, the Unique Identifier should

have been assigned to a specific individual.90

87 Sec. 8 of the Data Protection Act 88 Sec. 2 (1) of the Data Protection Act 89 Sec. 9 of the Data protection Act 90 Sec. 14 of the Data Protection Act


3.0 CHAPTER 3

3.1 Regional Legal Framework Addressing Cybercrime vis-à-vis Unauthorized Access to

Information.

3.2 African Union Convention on Confidence and Security in Cyberspace

In the light of the fact that Africa as a Region suffers from the deficiency of laws and/or policies

that address matters that relate to technology and/or cybercrimes directly or indirectly, the African

Union came up with the Draft of African Union Convention on Confidence and Security in

Cyberspace of 2012 (herein after referred to as AUCCSC). The aforementioned Convention is

expected to meet some of the contentious issues that persons, institutions and the Government do

suffer from, as concerning to the ramifications of cyberspace, (herein it is with regards to computer

hacking or unauthorized access).

Talwant Singh91 stated that, Success in any field of human activity leads to crime that needs

mechanisms to control it92. Thus as stated in the initial chapter of this document, it is noteworthy

to ascertain the AUCCSC has come up with extensive or expansive provisions to address the cons

that come along with the pros of technological factors that are now sweeping the African Region

at a high rate, hence the need to be put under the radar.

The AUCCSC is not yet effective, as there has been opposition to it. Bestowed to Strathmore

University’s Centre for Intellectual Property and Information Technology (herein after referred to

as CIPIT), there is great concern that AUCCSC gives the judges absolute power on a ground that

91 Addl. Distt. & Sessions Judge, Delhi 92 Talwant S. CYBER LAW & INFORMATION TECHNOLOGY <www.delhidistrictcourts.nic.in/ejournals/CYBER%20LAW.pdf> (5th of February 2014)


will lead to grave violation of African’s Human Rights. Thus the Right to Privacy93, hence there

is need for that to be addressed prior to planting the AUCCSC94.

Strathmore’s University CIPIT argument is viable. Delving into the AUCCSC as to how it defines

its terms, it states as follows:

Consent of data subject means any manifestation of express, unequivocal, free, specific

and informed will by which the person concerned or his/her legal, judicial or treaty

representative accepts that his/her personal data be subjected to manual or electronic

processing95 (own bold).

As with regards to that definition of what “Consent of data subject” is, it means that the concerned

person is given the first and foremost concern as to give his or her consent, however, the person

concerned is not the only person who can give consent. The consent can be earned through his/her

legal, judicial or treaty representative. Ostensibly, this affirms that irrespective of a person’s wish,

the third party players can allow the analyzing and processing of one’s data.

Owing to the fact that the CoK provides that:

Any law (own emphasis), including customary law, that is inconsistent with this

Constitution is void to the extent of the inconsistency, and any act or omission in

contravention of this Constitution is invalid96.

Thus the “Any law…” is inclusive to the laws, treaties and/or conventions provided under Article

2 (5) & (6) of The CoK. Thus if the same is read together with Article 2 (4) it is worthy to ascertain

93 Art 5 of The Banjul Charter; and Art 28 & 31 of The CoK 94 <www.itwebafrica.com/security/513-africa/231821-kenyan-bid-to-stop-flawed-au-cybersecurity-convention> (Accessed on 22nd of May 2014) 95 Part II, Section 1, Art. II – 1 (2) of the AUCCSC 96 Art 2 (4) of The CoK


that the AUCCSC where it infringes Article 31 of the CoK and other International Instruments as

provided by the CIPIT, shall be null and void to the extent of its inconsistence. The need of

cyberspace laws and/or policies to be in consistence with the national law (herein the Constitution)

and other legal instruments should be acknowledged97.

However, ignorance of the law is no defence, thus it is hypothetical for the same to be addressed

prior to the planting of the AUCCSC.

Herein the AUCCSC will be addressed in three segments as is itself partitioned into three parts98.

The discussion will not be based in all the provisions under the Convention, but delve into the

provisions that have an impact on computer hacking and/or unauthorized access to information.

AUCCSC - Part I: ELECTRONIC TRANSACTIONS

Electronic commerce means the act of offering, buying, providing of goods and services

over electronic systems such as the Internet and other networks99.

It is prudent to acknowledge that when transactions take the electronic formalities, there are

various questions as to confidentiality. Confidentiality herein is about the information that is

regarded as private towards the party hoping to undertake transactions through electronic

platform(s). Globally, cybercrime acts show a broad distribution across financial-driven acts, and

computer-content related acts, as well as acts against the confidentiality, integrity and accessibility

of computer systems100.

97 Art 6 – III : Right to Citizens of The AUCCSC 98 ELECTRONIC TRANSACTIONS; PERSONAL DATA PROTECTION; and PROMOTING CYBERSECURITY AND COMBATING CYBERCRIME of The AUCCSC 99 Part 1, Sec. I, Art. I – 1 (3) of The AUCCSC 100 UNITED NATIONS OFFICE ON DRUGS AND CRIME: Vienna “Comprehensive Study On Cybercrime” 2013


In any event the information is accessed by unauthorized persons or persons who exceed the

authority they have been afforded, it leads to violations of laws hence the same has to be addressed

vividly. The information should be protected through a process known as Cryptology101.

The rapid pace with which software is developed means that ‘bugs’ in software are inevitable, with

hackers seeking to exploit these vulnerabilities before they are rectified102. Owing to the fact that

as much as various institutions take the initiative to have the confidential information in their

systems secured, it is noteworthy to also acknowledge that hackers can compromise the system by

identifying various bugs that will allow them acquire swift access into the computer systems,

servers and electronic gadgets that have the confidential information.

In acknowledging the fact that there are various traditional crimes that can be undertaken by third

parties and/or employees in an organization103, it is prudent to try and make sure that, in the event

evidence is produced before a court, it is not to mislead the Court but represent the imperative

factors as they ought to be. Thus, when a system, server, or electronic gadget that is utilized in

electronic transaction is compromised, there can be chances that the perpetrator has caused data

diddling and/or salami attacks et al.

Hence, to make the evidence or the electronic documents presented before court for purposes of

supporting and/or defeating a given submission, the evidence or electronic documents must meet

some requisite measures, as the legislature will have provided. This is also provided by the

AUCCSC as follows:

101 Part 1, Sec. I, Art. I – 2 (10) of The AUCCSC : the science of protecting and securing information particularly for the purpose of ensuring confidentiality, authentication, integrity and non-repudiation 102 Australian High Tech Crime Centre, Malware: Viruses, worms, Trojan horses, High Tech Crime Brief no. 10 (AIC, 2006) 103 Carter, E. Examining Cybercrime: Its Forms and Its Perpetrators (National University of Internal Affairs in Kiev, 2002)


Where a written matter is required to validate a legal act, a member State may by legislation

establish the conditions for the functional equivalence of electronic communications to

paper-based documents104.

Where a matter written on paper has been subject to special legibility or presentation

requirements, a written matter in electronic form shall be subject to the same

requirements.105

With regards to the aforementioned Article of AUCCSC, it is imperative for a State to come up

with provisions that will effectively meet those standards needed so as a Honourable Court cannot

be misguided by the facts before it.

However, some documents have been qualified not to meet the provisions under Art. I – 20 of the

AUCCSC. Thus, these documents ought to be in their physical formalities as the degree of

alteration is high, thus ascertaining of the authenticity of the same documents might be a hard task

for the Courts, in case of any matter that arises such as a person(s) demises. AUCCSC provides as

follows:

Acts under the signature of a private individual, relating to family law and law of

succession; and

Acts of civil or commercial nature under the signature of a private individual, relating to

personal or real security in solidarity with domestic legislations, except where such acts

have been established by a person for the purposes of his/her profession106.

104 Art. I – 20 of the AUCCSC 105 Part 1, Sec. IV, Art. I – 20 of The AUCCSC 106 Art. I – 21 of the AUCCSC


It is quite prudent for one not to take lightly evidence that is categorized as of electronic nature as

the weight it carries is equal to that of the physical evidence or rather referred as paper based

evidence, in approving this assertions, the AUCCSC provides that:

An electronic written matter shall be admissible as proof on equal terms as paper based

written matter and shall have the same evidentiary weight as the latter, provided the person

who is source thereof can be duly identified and that it is prepared and conserved in

conditions that guarantee its integrity107.

Perusing through Art. I – 27 of the AUCCSC it raises many questions as it grants a lot of power

to a Judge or whoever will be when administering proceeding(s) that fall under the umbrella of

electronic and/or computer based. Just to preview on the same, it states as follows:

Where the legislative provisions of Member States have not laid down other provisions,

and where there is no valid agreement between the parties, the judge shall resolve proof

related conflicts by determining by all possible means the most plausible claim regardless

of the message base employed.108

AUCCSC does provide on the Certification of documents by a State authority will be effective and

it further states that, any act undertaken in the electronic form will have the same weight as that of

the act itself in the real world109. When one hacks or accesses unauthorized information and/or

exceeds his or authority, the act therein is regarded to be dealt with as matter that happened in the

real world, only the evidentiary matters are the one that will be complex.

107 Art. I – 24 of the AUCCSC 108 Art. I – 27 of the AUCCSC 109 Art. I – 28 of the AUCCSC


Matters relating to electronic signature and authentication of the same have been provided for

under the AUCCSC110. This is imperative, owing to the fact that, perpetrators can access the

documents and/or the information and hence alter it; hence, there is the requisite need to ascertain

the authenticity of the documents in this case, not only the signature but also the content.

AUCCSC - Part II: PERSONAL DATA PROTECTION

The degree of what entails ‘personal data’ will differ from time to time and case to case, as this

can be that if information which reaches the public domain or certain person or groups of persons

will be prejudicial to the victim. In many cases, persons have utilized personal data to blackmail

the victims, so as to attain a certain benefit or favour from them. On the other hand, personal data

can be used to commit traditional crimes that encompass on monetary gain; this can include crimes

such as the salami attacks111, identity theft et al.

It is prudent for various institutions, Governmental organization and persons as individuals take

the requisite measures to protect their personal data. However, the Governments should spearhead

the efforts to have policies that will help address matters that relate to personal data protection and

cybercrimes as whole.

In spearheading for policies that institutions have to observe so that can be able to protect person’s

private data, it (The Government) will take action against institutions that are reluctant to effect

the same.

The eye catching terms:

110 Art. I – 29 & 30 of the AUCCSC 111 In Ziegler Case, the principle of de minimis transfer is expressed by actions of the defendant after mounting a programme in a bank, that helped him elicit money from accounts of the bank’s clients.


Consent of data subject means any manifestation of express, unequivocal, free, specific

and informed will by which the person concerned or his/her legal, judicial or treaty

representative (own emphasis) accepts that his/her personal data be subjected to manual

or electronic processing112.

As provided for in the introductory part of this Chapter, it is quite easy to affirm that there are

chances that the information of given person will be subjected to scrutiny (data processing) without

the consent of that person. This is because there are third parties who have been given the authority

to give the consent of the same on behalf of a person.

It will be valuable if the legislature makes demarcations as to what instances the third parties can

give the consent for a person concerned, so that the personal data be scrutinized and/or processed.

Processing of personal data is as per the definition given under Art. II – 1 on Personal Data

Processing.

Personal data means any information relating to an identified or identifiable natural

person by which this person can be identified, directly or indirectly in particular by

reference to an identification number or to one or more factors specific to his physical,

physiological, mental, economic, cultural or social identity113.

It would be much more hypothetical to acknowledge artificial persons this is because there is that

information that can be regarded as exclusive to a given artificial person. Herein, a simple example

is formulas an artificial person utilizes to produce certain products.

112 Part II: Sec. 1: Art. II – 1 (2) of the AUCCSC 113 Part II: Sec. 1: Art. II – 1 (4) of the AUCCSC


In acknowledging competition in the corporate world and other institutions, it is of relevance that

the same right under Art. II – 1 (4) be given to corporations.

In Apple Inc. v Samsung Electronics Co., Ltd et al.114 , it was decided that Samsung had aped the

design and the mode in which the applications/software of the Apple gadgets are, and Samsung

was to pay for the infringement of Apple patent rights.

Looking at this context, it is vivid that a natural or artificial person115 can hack into the system of

another corporation and elicit, alter, copy and/or process the data thereof.

Section III of Part of the AUCCSC gives a picture on how States have to establish Institutions that

will help in the protection of the personal data, and thus the same data can be processed in

accordance with the domestic laws.

Each Member State of the African Union shall establish an authority with responsibility to

protect personal data.

This national authority shall be an independent administrative authority with the task of

ensuring that the processing of personal data is conducted in accordance with domestic

legislations116.

The institutions will have autonomy, in the sense that the Government should not have a hand in

how the duties of the Institution are dispensed.117 This is imperative, as it is known in many

jurisdictions the Government always taps people’s conversations and delving into person’s

114 C 11-1846 & C 12-0630 115 If the artificial person does employ a natural person to commit a given crime, it will be prudent to utilize the Principle Of Lifting The Veil, and whereby the artificial person commits a crime, the crime being committed by an employee while performing the duties given to the natural person, then the liability will be appended on the employer under the Principle Of Vicarious Liability. 116 Part II: Sec. III: Art. II – 14 of the AUCCSC 117 Part II: Sec. III: Art. II – 19 of the AUCCSC


information without consent, in the pretext of National Security matters. However, it is unknown

to the public what kind of information is elicited and how likely the information tapped will be

exposed to third parties and/or how the information will be utilized for other reasons other than

that which it was intended for. Herein under is how the Convention states:

Membership of the national protection authority shall be incompatible (own emphasis)

with membership of Government, the exercise of the functions of enterprise executive and

shareholding in enterprises of information and telecommunication technologies sector118.

Incompatible: two or more relations, offices, functions, or rights which cannot naturally, or may

not legally, exist in or be exercised by the same person at the same time119.

Clinging to that definition and reading the Article in a holistic manner, it portrays that the

Government will not be given the opportunity give directives as to how the institution will be

running.

Functions of the Institution

Under Chapter II of Part II of the AUCCSC, it provides for the functions of the institution that is

purported to be established by every State that is a member to the African Union.

The function of the anticipated institution, thus is to be born after the AUCCSC is passed, is

imperative as it touches on matter of computer hacking and/or unauthorized access of information.

As much as the institution will be entrusted by the duty to process personal data it is relevant to

acknowledge that some persons who have personal malicious intentions may exceed their authority

118 Part II: Sec. III: Art. II – 19 of the AUCCSC 119 Black Law Dictionary 2nd ed


or there are those employees who have been pushed and/or blackmailed to elicit certain

information and give to a third party.

Such cases will never cease to exist hence, as the functions of the institutions are provided for,

there ought to be surcharge in the event the same authority is violated, as in this case it leads to

unauthorized access of information which is the same as hacking.

AUCCSC - highlighting the eye catching functions of the Institution:

The national protection authority shall ensure that ICTs do not constitute a threat to public

freedoms and private life of citizens. To this end, it shall:

1) Respond to every request for opinion regarding personal data processing;

2) Inform the persons concerned and the data processing official of their rights and

responsibilities (own emphasis);

… … …

7) Undertake the audit of all processed personal data, through its agents or through

sworn agents (own emphasis);

… … …

9) Update the processed personal data directory and circulate to the public (own

emphasis);

… … …

11) Authorize cross-border transfer of personal data (own emphasis);


… … …120

Function number one, is not stating what are the limitations as to what information can be given

to the third party, and it is also valuable to note that the persons asking for information also matters

in this case. In the event the Government asks for information, institution falling under the private

sector and other regional and/or States located off Africa.

It is quite evident this function is well stipulated but to some extent it contradicts with what the

same Conventions provides when defining “Consent of data Subject”.

As per the AUCCSC, there are third parties who are regarded as agents of the institution, but it

raises eyebrows as to the number of persons the personal data passes through prior reaching the

final institution121. When the chain becomes too long it can create a lacuna in within the main

institution and those agencies. This is because one will not be able to note the employee or

employees who are acting contrary to the code of conduct and violating other laws.

Section 9 should be expounded upon as to specify what kind of information could be circulated to

the public; this is so, because if left as it, it is equivocal.

Just as other States more so the developed States tend to protect the interest of their citizens at a

higher degree, it will be valuable for the institution to put the interest of its citizens at a higher

degree. This is with regards on how Section 11 of Art. II – 23 of the AUCCSC is to be executed.

Compromising of the laws will lead to violation of the various Human Rights under the

Constitution and other subordinate laws to the Constitution.

120 Art. II – 23 of the AUCCSC 121 Sec. 7 of Art. II – 23 of the AUCCSC


It is under the violations of the functions of the Institution that the Convention has given definitive

surcharge that can be taken against any official who violates the functions as stated herein.

AUCCSC:

Where the data processing official fails to comply with the formal demand addressed to

him/her, the national protection authority may impose the following sanctions after

adversarial proceedings:

1) Provisional withdrawal of license;

2) Definitive withdrawal of license;

3) Pecuniary fine122.

The Convention does not provide for what happens to the information in possession of the

perpetrator of the provisions of how the functions of the institution ought to be observed. However,

concisely it addresses the matter as provided herein under:

In case of emergency, where the processing or use of personal data results in violation of

fundamental rights and freedoms, the national protection authority may, after adversarial

proceedings, decide as follows (own emphasis):

1) Interruption of data processing;

2) Locking up some of the personal data processed;

122 Article II – 25 of the AUCCSC


3) Temporary or definitive prohibition of any processing at variance with the provisions of

this Convention123.

It is not quite hard to state that, the National Protection Authority will be capable to initiate a

proceeding and anticipate to get a decree that will enable it meet one if not all the three remedies

available124. This is because when a person decides to hack into a system for something he or she

is not given the authority to do so, it will take quite a short period and his or her intents will have

been achieved.

As the Convention provides that after the adversarial proceedings125, meaning even prior an

interim injunction is effected, the perpetrator might have committed the crime and even try to clear

his or her tracks. Hence, this Article ought to be relooked into by the legislature. However, the

close option to this can lead to violation of Human Rights, thus even the perpetrator has rights

before the law.

The legislature can effect the policies to be such as: The officials under the National Protection

Authority shall be granted a warrant of seizure of computers and any other electronic gadget and/or

computer that is directly or indirectly linked to any computer or server that can be of relevant use

in establishing the crime that was, is or will be committed or substantiate the prosecution’s case.

This is so as considering the principle that ought to be utilizing while establishing that one’s rights

are going to be violated gravely, hence thereof, one should be granted an interlocutory Injunction,

of which is not easy to satisfy to the court expeditiously as it ought to be. In considering if, the

same interlocutory injunction might affect the rights of the respondent in that matter.

123 Article II – 26 of the AUCCSC 124 Article II – 26 of the AUCCSC 125 Art. II – 25 of the AUCCSC


Chanan Singh J. acknowledged the same in Alternative Media Limited v Safaricom Limited126,

whereby he quoted from Halsbury “an interlocutory injunction will not, however, be granted

where the plaintiff can be properly protected by the Defendant being ordered to keep an account

and the Defendant might suffer irreparable injury from an injunction restraining him from

publishing pending the trial, nor will an interlocutory injunction be granted if the plaintiff has

been guilty of undue delay in coming in the court or his conduct has amounted to an acquiescence

in the infringement, or there is any substantial doubt as to the Plaintiff’s right to succeed.”127

Considering that, the general principles of to consider prior earning an interlocutory injunction are

provided in Geilla v Cassman Brown & Co. LTD128, which provides that:

- Probability of success;

- Irreparable harm which will not be adequately compensated for in damages; and

- If in doubt then on a balance of convenience129.

Under Article II – 28, it espouses that the concerned persons whom, data processing is to be

dispensed upon will give consent; however, there are several exceptions to this general rule. For

instance where: it is a matter of public interest, compliance with legal obligation, it is in the interest

of the so affected person and safe guard the interest and fundamental rights130.

This should be regulated so that, the same cannot be used as a leeway to violate Human Rights.

126 [2004] eKLR 127 Alternative media Limited v Safaricom Limited [2004] eKLR 128 [1973] EAC 358 129 Geilla v Cassman Brown [1973] EAC 358 130 Sec. 4 of Art. II – 28 of the AUCCSC


Article II – 29 does affirm that the activities under Article II – 28 should be done in a manner that

observes legal measures, honestly and non-fraudulently131.

Article II – 30 does state that the data processing ought to be based on the objectives needed, not

to be in excess and when it comes to conservation of data, it ought to be for research and history

purposes that are in line with the law in place132.

The Convention further requires the National Authority body to deal with personal data in

accuracy, transparency, and confidentiality133.

Section V: The rights of the person whose personal data are to be processed

Chapter 1: Right to information

Article II – 42:

The data processing official shall furnish the person whose data are to be processed with the

following information, not later than the time of gathering the said data regardless of the means

and facilities utilized:

1) His/her identity and, where necessary, that of his/her representative;

2) Ultimate purpose for which the data processed will be used;

3) Categories of data involved;

4) Recipient(s) to which the data are likely to be transmitted;

5) The capacity to request to feature no longer in the file;

131 AUCCSC 132 AUCCSC 133 Art. II – 32 of the AUCCSC


6) Existence of the right of access to the data concerning the person and the right to correct

such data;

7) Duration of conservation of the data;

8) Possibility of transfer of the data to third countries134.

Herein above are some of the right of persons whom their data is due for processing, thus, if they

are not informed of the same, it will be deemed violation of their rights. In considering that, it will

be presumed that there has been violation of Human Rights, not forgetting the unauthorized access

to data135.

The person whose data is undergoing procession can request to have access to the data, contest,

and request for correction to be made where necessary136.

PART III – PROMOTING CYBERSECURITY AND COMBATING CYBERCRIME

When Part III of the AUCCSC was penned down, the legislatures did directly put in mind matters

that relate to all sorts of Cybercrimes, inclusive the division of discussion herein, which is

computer hacking and/or unauthorized access and acknowledging the one offered by the

Convention of exceed authorized access.

Exceed authorized access, means to access a computer with authorization and to use such access

to obtain or alter information in the computer that the accesser is not entitled to obtain or alter137.

134 Art. II – 42 of the AUCCSC 135 Part III Promoting Cybersecurity and Combating Cybercrime: of the AUCCSC – irrespective of the fact that one is granted the permission n to access certain information, thereon he or she exceeds the authority he or she is given, that will automatically be a cybercrime. Hence, violation of Art. II – 42 of the AUCCSC will be regarded to fall under Part III of the AUCCSC. 136 Art. II 43; 44 & 45 of the AUCCSC 137 Art. III – 1 (7) of the AUCCSC


The definition is also capturing those persons who are granted with the authority to deal with

personal data, and they happen to act in excess of the authority they are granted. That will also be

equal to unauthorized access of information, however, there will be sieving of what information

will be treated as was accessed in violation of the laws and that which was in the ambit of the

persons authority, hence, will not be utilized against the perpetrator.

The Convention, provides for the National Cyber Security Framework, Legislative Measures,

National Cybersecurity System, National cyber security monitoring structures,138 the chapters are

recommendatory in nature, whereby, they stipulate on what African Union member States are

required to consider when coming up with policies and structures that will be dealing with issues

of data processing and so forth.

AUCCSC, provides that there is need of the Harmonization of the laws and policies in place,

further more to consider establishing institutions that will take part in data exchange relating to

cyber threats with other nations both at the regional and out of the region. The Conventions goes

further and provides the names of the same as Computer Emergency Response Team (CERT) or

Computer Security Incident Response Team (CSIRTs).139

AUCCSC does provide for “Offenses specific to Information and Communication Technologies”,

it is noteworthy that the Convention does define only the types of offences that one can commit140.

Section II of chapter 1, does discuss on offences related to “attack on Computerized Data”,

introducing terms such as “intercepting or attempting to intercept”, herein the Convention is also

defining offences and giving recommendations to the African Union member States.

138 Art. III of the AUCCSC 139 Art. III – 43 of the AUCCSC 140 Part III of the AUCCSC


AUCCSC provides that: Each Member State of the African Union has to take necessary legislative

measures to ensure that the offenses defined in this Convention attract appropriate punishments

according to domestic legislations141.

There aforementioned Article does afford to state that, states will provide for the punishment to be

discharged against any persons (Natural and Artificial persons) who offend the laws in place.

141 Art. III – 46 of the AUCCSC


3.3 South Africa

As the name suggests, South Africa is a country located at southern part of the continent of Africa.

Being among the countries that are developed in Africa, it will be to the States advantage to have

embraced technology and other technological factors; hence, they are facing the cons that come

along with the technology. Herein it will be prudent to stick to the theme of discussion (computer

hacking and its incidental factors) so as to come up with a requisite conclusion of what is amiss

and where to applaud to.

South Africa has a number of statutes that address matters that relate to cybercrime, herein under

the statutes will be perused and thereon elicit relevant factors relating to the subject matter.

3.3.1 Electronic Communications and Transaction Act

Prior the birth and maturity in the Electronic Communication and Transaction Act (herein after

referred as ECT), there was existence of a statute that was brought into place to curb the flaws that

existed prior the State realising new criminal activities and admissibility of certain categories of

evidence. However, the statute was ill prepared hence it was not prudent for utilizing142.

The Computer Evidence Act No. 57 of 1983, was legislated after the ruling in Narlis v. South

African Bank of Athens143 held, a computer printout was inadmissible in terms of the Civil

Procedure and Evidence Act 25 of 1965. It was also held that, a computer is not a person144.

This was a positivistic view given to the laws that were in existence. This led to the birth of the

Computer Evidence Act of 1983, which was not ill prepared as it did quell what it was initiated

142 Snail, S., ‘Cyber Crime in South Africa – Hacking, cracking, and other unlawful online activities’, 2009(1) Journal of Information, Law & Technology (JILT), <http://go.warwick.ac.uk/jilt/2009_1/snail> 143 [1976] (2) SA 573 (A) 144 Narlis v South Africa bank of Athens [1976] (2) SA 573 (A)


for. The Computer Evidence Act seemed to make more provision for civil matters than criminal

ones. It created substantial doubts and failed the mark for complimenting existing statutes and

expansion of common principles.145

For reasons thereof, the ECT Act was introduced as a way to address the requisite matters that the

law in place had not addressed. Herein under is the discussion of the ECT Act.

Under the ECT Act, it provides the demarcation to observe while interpreting the same, in verbatim

it provides as follows:

This Act must not be interpreted so as to exclude any statutory law or the common law

from being applied to, recognising or accommodating electronic transactions, data

messages or any other matter provided for in this Act146.

This allows the Hybrid State to elicit principles from the Common Law; hence, this will help curb

the lacuna that may exist in the statute.

Under ECT Act, on how the critical data bases are to be handled ought to observe the law, thus if

the same is not considered it will lead to the violation of the laws in place, unauthorized access of

information being one of the factors, Sec 55 (1) (b).

Chapter XIII of the ECT does initiate by defining the term “access”, herein under the definition is

provided in verbatim:

145 Kufa, M (2008), ‘Cybersurfing without boundaries’, De Rebus, December, 20 146 Sec. 3 of the ECT Act of South Africa


"[A]ccess" includes the actions of a person who, after taking note of any data (own

emphasis), becomes aware of the fact that he or she is not authorised to access that data

and continues to access that data147.

Some of the hackers do not have knowledge of the data in the system; nevertheless, they may be

contended to access the data after effect an unauthorized access into a given data. As much as the

definition seems to be incapacitated, it does not bar the conviction of the violators of the law. This

is concerning Sec. 3 of the ECT Act.

Unauthorised access to, interception of or interference with data, thus the title to Sec. 86 of the

ECT Act. This is about hacking and/or an authorized access to data, information, and technological

information. Hence, the Act vividly outlines the computer hacking and other incidental

cybercrimes most of which cannot exist prior effecting computer hacking or an authorized access

of information.

Subject to the Interception and Monitoring Prohibition Act, 1992 (Act No. 127 of 1993).

A person who intentionally accesses or intercepts any data without authority or permission

to do so is guilty of an offence.

A person who utilizes any device or computer program mentioned in the subsection (3) in

order to unlawfully overcome security measures designed to protect such data or access

thereto, is guilty of an offence148.

147 Sec. 85 of the ECT Act of the South African Laws 148 Sec. 86 (1) & (4) of the ECT Act of the laws of South Africa


The first quote from the ECT does introduce a new Act that introduces a new concept apart from

that of “access”, the term being interception of data. The interception of data without ‘authority or

permission’ renders the act an offence, hence one will be held liable.

In acknowledging the existence of tools and software’s or computer programs that can be utilized

to effect these cybercrimes, the Act provides that if any person if so utilizes the aforementioned,

the perpetrator will be liable.

A person who helps to effect a crime under Sec. 86 and 87 of the ECT Act will be held liable

wholly.149

However, there are many concerns as to how the act surcharges are stipulated. The surcharge lack

the deterrent factor, as the surcharge are lenient, whereby the National Prosecuting Authority Act,

No. 32 of 1998 offers a maximum of 25 years in prison or a fine or both150, while the ECT offers

a term not exceeding 5 years.151

3.3.2 Promotion of Access to Information Act

In general the Promotion of Access to Information Act (thereon referred as PROATIA), is designed

in such a way to balance the information that will be denied from access and under what conditions

will such information be regarded as to be accessed contrary to the laws in place152.

The PROATIA does not specifically provide for the term hacking; however, it regulates the access

of information, and considering the technological factors in the society. Thus, some imperative

149 Sec. 88 of the ECT Act of the laws of South Africa 150 Sec. 40A (1) (d) of the National Prosecuting Authority Act, No. 32 of 1998 of the laws of South Africa 151 JACQUELINE F. CYBER CRIME IN SOUTH AFRICA: INVESTIGATING AND PROSECUTING CYBER CRIME AND THE BENEFITS OF PUBLIC-PRIVATE PARTNERSHIPS (Pricewaterhousecoopers, 2009) 152 Snail, S., ‘Cyber Crime in South Africa – Hacking, cracking, and other unlawful online activities’, 2009(1) Journal of Information, Law & Technology (JILT), <http://go.warwick.ac.uk/jilt/2009_1/snail> (Accessed on 6th of June 2014)


information can be under “information technology” hence, hacking can be effected. Nevertheless,

the whole Act delves on restricted information, authorized access and exceeding authorized access.

3.3.3 Interception and Monitoring Prohibition Act

The requisite provisions of the Interception and Monitoring Prohibition Act (herein after referred

as IMP Act) does address matters relating to intercepting of communication. The Act stipulations

does criminalize the act of interception of data or whatsoever conversation et al., however, the

same is not absolute.

Under the IMP Act, it stipulates as follows regarding prohibiting interception of communication:

Prohibition of interception and monitoring; (1) no person shall

(a) intentionally and without the knowledge (own emphasis) or permission of the

dispatcher intercept a communication which has been or is being or is intended to be

transmitted by telephone or in any other manner over a telecommunications line; or

(b) intentionally monitor a conversation by means of a monitoring device so as to gather

confidential information concerning any person, body or organization153.

Clinging to the diction utilized under (a) of the quote hereinabove, it displays the notion that the

law is not concerned with the intent. It is of strict liability, thus it does not require proving of Mens

Rea154.

Under (b) it quashes of use of monitoring devices to intercept conversations et al.

153 Sec. 2 of the IMP Act of South Africa 154 If the statute requires Mens Rea to be established, this will be asking for the “intents or intentions” of the

offender. However, in the case herein above, the law does not need to know the intentions; all it is concerned with is the act.


IMP Act, provides that making interception is not absolutely regarded as crime, this is because

there are exceptions to that general rule.

(2) Notwithstanding the provisions of subsection (1) or anything to the contrary in any

other law contained, a judge may direct that-

(a) a particular postal article or a particular communication which has been or is being or

is intended to be transmitted by telephone or in any other manner over a

telecommunications line be intercepted;

(b) all postal articles to or from a person, body or organization or all communications which

have been or are being or are intended to be transmitted by telephone or in any other manner

over a telecommunications line, to or from a person, body or organization be intercepted;

or

(c) conversations by or with a person, body or organization, whether a telecommunications

line is being used in conducting those conversations or not, be monitored in any manner

by means of a monitoring device155.

Under this part (2) of section 2 of the IMP Act, it is utilized to give the go-ahead to have

interception to be undertaken. However, the interception ought to be in line with the laws in place.

It therefore requires consent from the judge to effect the interception.

In R v. Secretary of State for Home Department, ex parte Ruddock and others156, held; the state

should not utilize the rights it has been given so as to offend other rights of its citizens in the

constitution. Thus, there is need to have the procedure to be followed substantively prior effecting

155 Part (2); Section 2 of the IMP Act 156 [1987] 2 ALL ER 516


rights appended to the Government. This is due to the fact that if the same is not observed, there

will be violation of the Right to Privacy157.

3.3.4 Regulation of Interception of Communications and Provision of Communication

Related Information Act

The Regulation of Interception of Communications and Provision of Communication Related

Information Act (herein after referred as RICPCRIA), defines Interception as:

Intercept means the aural or other acquisition of the contents of any communication

through the use of any means, including an interception device, so as to make some or all

of the contents of a communication available to a person other than the sender or recipient

or intended recipient of that communication, and includes the –

(a) monitoring of any such communication by means of a monitoring device;

(b) viewing, examination or inspection of the contents of any indirect communication; and

(c) diversion of any indirect communication from its intended destination to any other

destination158.

This Act does delve much deeper on matters concerning interception of data, and under what

circumstances a warrant for search can be issued. The Act addresses on revocation of licenses

where the institutions that have been trusted with certain matters such as communication end up

violating the laws in place.

RICPCRIA provides as follows,

157 R v. Secretary of State for Home Department, ex parte Ruddock and others [1987] 2 ALL ER 516 158 Sec. 1 “Definition of Terms” of the RICPCRIA


Notwithstanding any other law, a telecommunication service provider must –

(a) provide a telecommunication service which has the capability to be intercepted

(own emphasis); and

(b) store communication-related information159.

Ostensibly, due to security purposes the State may require to have some communication tapped or

intercepted, this is the sole reason for the existence of this section. On (b) of the same Section, it

enables to help on evidential matters.

Matters of interception as provided under Section 30 of the RICPCRIA, must be read in line with

Section 45 and 46 of the RICPCRIA. This is concerning the facilities that are to be utilized for

purposes of interception of communication.

Generally, interception is a violation of laws, as it is equal to call phone tapping or wiring or

hacking. Concerning matters of “interception” which is polite term for hacking, the RICPCRIA is

much stricter on applicability of the laws in place.

Unlawful interception of communication as per RICPCRIA:

(1) Any person who intentionally intercepts or attempts to intercept, or authorises or

procures any other person to intercept or attempt to intercept, at any place in the Republic,

any communication in the course of its occurrence or transmission, is guilty of an offence.

(2) Subsection (1) does not apply to the –

(a) interception of a communication as contemplated in sections 3, 4, 5, 6, 7, 8 and 9; or

159 Sec. 30 (1) of the RICPCRIA


(b) monitoring of a signal or radio frequency spectrum as contemplated in sections 10 and

11160.

Section 49 explicitly addresses on issues of intercepting without authority, it goes further to state

activities that do not fall in the ambit of unauthorized interception, this is as per (2) of Section 49

of the RICPCRIA.

160 Sec. 49 of the RICPCRIA


3.4 Nigeria

A computer crime as well as cyber survey conducted recently indicated that Nigeria is the

most internet fraudulent country in Africa. Besides, the same report further stated that the

giant of Africa is ranked third among others identified with cyber fraud and computer crime

in the world161.

Nigeria is a country located at the Western part of Africa, well known for having large oil well

reserves. The aforementioned State happens to suffer from a high number of cybercrimes of

different types; hence, it will be prudent to consider Nigeria due the hypothetical fact that, since it

is known for high rates of commission of cybercrimes. Hence, the State has to take a major step to

try to curb the atrocities that its citizens suffer from due to cybercrime and how other persons in

different jurisdiction are affected, thus, when a claim is raised over matters of forum, it will be

easy to solve.

3.4.1 The Nigerian Criminal Code Act, 1990

In Act, under Section 418 of Chapter 38, initiates by giving a wide definition on “representation”,

which states as follows:

Any representation made by words, writing, or conduct, of a matter of fact, either past or

present, which representation is false in fact, and which the person making it knows to be

false or does not believe to be true, is a false pretence162.

161 Computing: Nigeria Ranked third In The World for Cuber-crime, says Survey; Issue no 302 <www.balancingact-africa.com/news/en/issue-no-302/computing/nigeria-ranked-thrid/en> (Accessed on 2nd of June 2014) 162 Sec. 418 of the Nigeria Criminal Act, 1990


The definition herein can be termed as to only incorporate matters of fraud and/or swindles;

however, when considering the mode in which web pages are displayed, they are giving false

representation. The false impressions like the most acknowledged that of “winning lottery online”,

one is swayed by that, thereon, he or she put his or her credit card information which can or will

be used to hack into ones bank account and elicit money.

Nigeria Penal Code has been quoted using a term known as “419 scam163”. The term is regarded

to have a nexus to the Nigeria Criminal Code Act, of 1990, which states as follows:

Any person who by any false pretence, and with intent to defraud, obtains from any

other person anything capable of being stolen, or induces any other person to deliver

to any person anything capable of being stolen (own emphasis), is guilty of a felony,

and is liable to imprisonment for three years164.

If the thing is of the value of one thousand naira or upwards, he is liable to imprisonment

for seven years.

It is immaterial that the thing is obtained or its delivery is induced through the

medium of a contract induced by the false pretence (own emphasis)165.

The offender cannot be arrested without warrant unless found committing the offence.

The eye-catching statement is placed in bold, whereby, the ideology of “…any false

pretence….anything capable of being stolen…” is quite and very relevant when delving on the

matters of hacking or unauthorized access and/or exceed authorized authority. If by any chance, a

163 Chawki, M. Nigeria Tackles Advanced Fee Fraud <www2.warwick.ac.uk/fac/soc/law/elj/jilt/2009_1/chawki/> (Accessed on 2nd of June 2014) 164 Section 419 of Nigeria Criminal Code Act, 1990 165 Sec. 419 of the Nigeria Criminal Act, 1990


person does exceed authorized authority, the person can end up eliciting relevant information or

utilize a given medium, in a way that will negatively affect the concerned person.

Example:

In the event a person is only allowed to access an institution email address for purposes of

confirming if an anticipated email has been sent, and thereon the perpetrator does not revert

back to the person who sent the perpetrator, but rather he/she corresponds with the concern

person and thereon strikes a deal with the concerned person. this will fall under the

definition of crimes under Section 419 of the Nigerian Criminal Act.

By hacking into a given system or email address and then correspond to someone, him or

her assuming is addressing the owner of a given private key infrastructure, and thereon that

will be a crime under the same section of the Nigerian Criminal Act, of the year 1990.

It also invalidates the defence that it was a contract, as the same contract will defeat relevant

Contractual principles such as Legality, Consent et al.

3.4.2 Economic Financial Crime Commission Act

As the name of the Act itself provides, it is evident that it gives birth to provisions that deal with

matters relating to Economic and Financial Crimes in the Nigerian territory. Under its provisions,

Part II of the aforementioned Act stipulates as follows:

(b). the investigation of all financial crimes including advance fee fraud, money laundering,

counterfeiting, illegal charge transfers, futures market fraud (own emphasis), fraudulent

encashment of negotiable instruments, computer credit card fraud (own emphasis),

contract scam, etc. (own emphasis);


… … …

(g). the facilitation of rapid exchange of scientific and technical information and the

conduct of joint operations geared towards the eradication of economic and financial

crimes166;

Under (b) the Act portrays a vivid pictorial composition of it being of futuristic nature, thus, it will

not be engulfed to the diction but to other crimes of economy or finance that will emanate in future.

The is also a clear mention of “computer credit card fraud”, these crimes are prevalent at the

moment, hence, it is of worth notice that the same is addressed by Nigeria. As much as it is not in

detail, it is a major step as a way to try to control the cybercrimes.

The use of “etc.,” is also in relation to “future market fraud,” thus, the Act is opening doors for a

claimant in any given situation can persuade the judicial system in Nigeria to incorporate any new

viable term so as to domesticate the law under precedence. Even though to some extent it will lead

to the elusiveness of the section, it will help curb the loopholes that cybercrime perpetrators might

wish to utilize.

Under (g)167, it provides for cooperation, this is necessary as the cyberspace is owned by no State,

hence, no States can claim jurisdiction. The exchange of information, is quite necessary because

there will exchange of cybercrime data by States in a move to curb the same.

3.4.3 Advanced Fee Fraud and Related Offences Act, 2006

166 Sec. 6 (b) & (g) of the Economic Financial Crime Commission Act 167 Sec. 6 (g) of the Economic Crimes Commission Act


This Act, is majorly dedicated to address the issue of cybercrimes in Nigeria, thus it manifests

itself by utilizing the term “false pretences”, whereby the term defined to widely so as to leave no

loophole.

Advanced Fee Fraud and Related Offences Act of 2006, it provides provisions relating to

“obtaining property by false pretences, etc168. and then under the same Act, Section 4 affords the

term “Fraudulent Invitation”169.

It is not appalling to the diction the Nigerian Legislations are dipped into and utilization much of

the term “fraudulent”, as per the survey stated herein about Nigeria. It is noteworthy to appreciate

the fact that, Nigeria is well known for scammers hence the name “Scam 419”.

Unlike other cybercrimes (traditional crimes) as stated herein, they take effect after hacking and/or

unauthorized access of information or electronic gadget and/or a server, scammers tend to solicit

for information through websites, thereon the information is utilized to hack or make unauthorized

access into one’s information170.

3.4.4 Directive C/DIR. 1/08/11 on Fighting Cybercrime within ECOWAS

The Directive C/DIR. 1/08/11 On Fighting Cybercrimes (herein after the Directive) was

conceptualized to address the issues of Cybercrimes within the member States of the Economic

Community of West African States. The eleven-page document acknowledges the new forms of

crimes and also the traditional crimes finding a hospitable environment at the cyberspace.

168 Sec. 1 of the Advanced Fee Fraud and Related Offences Act of 2006 169 Advanced Fee Fraud and Related Offences Act of 2006 170 Carter, E. Examining Cybercrime: Its Forms and Its Perpetrators (National University of Internal Affairs in Kiev, 2002)


The Directive does take cognizance of computer hacking and its incidental crimes, of which herein

the incidental crimes will not be stated as they are not the major division of discussion. However,

just as an enlightening move, most of the traditional crimes or incidental crimes to hacking or

unauthorized access and/or exceed authorized authority, take effect after hacking or unauthorized

access and/or exceed authorized authority.

Objective: The objective of this Directive is to adapt the substantive criminal law and the criminal

procedure of ECOWAS member States to address the cybercrime phenomenon.171

Scope; This Directive shall be applicable to all cyber-crime related offences within the ECOWAS

sub-region as well as to all criminal offences whose detection shall require electronic evidence.172

The later acknowledges the need of substantive criminal laws that delve in cybercrimes while the

former invites the need of delving into the matters of electronic evidence. The two are imperative

to extent that by giving definitive provisions as to the technological crimes and also giving

surcharge that are of equivalent measure, then that will help deal with the crime. The former is

highly requisite to matters of authenticity of the electronic evidence as they are prone to alteration

or modification of whatsoever nature after hacking or unauthorized access of information.

Article 4, 6 & 8 of the Directive, do address on matters of hacking or unauthorized access of

information and/or electronic gadget or server et al. the hacking concept is grinded into:

Article 4: Fraudulent access to computer system;

Article 6: Interfering with operation of a computer system; and

171 Article 2 of the Directive C/DIR. 1/08/11 on Fighting Cybercrime within ECOWAS 172 Article 3 of the Directive C/DIR. 1/08/11 on Fighting Cybercrime within ECOWAS


Article 8: fraudulent interception of computer data173.

The aforementioned Directive does highlight on persons who obtain equipment to commit an

offence as follows:

Obtaining equipment to commit an offence is the act by which a person knowingly without

any legitimate reasons produces, sells, imports, possess, distributes, offers, transfers or

makes available equipment, computer programmes, or any device or data, any password,

access code or similar computer data by which they commit any offence as stipulated in

this Directive174.

This Article tends to capture the persons who instigate the effecting of cybercrimes, whereby it

delves on the fact that, some people lack the techno-know how on how to programme as system,

so it simplifies the task by offering them an opportunity to commit cybercrimes by use given

systems or software’s and/or notes.

The Directive takes cognizance that there might be a link of cybercriminals interlinking on how

they effect their activities on the victims, hence it provides as follows:

Participation in an association or arrangement to commit computer offences

Participation in an association or arrangement to commit computer offences is the act by

which the person participates in an association that is formed or an arrangement that is

established for the purpose of preparing or committing one or several of the offences

described in this Directive175.

173 Directive C/DIR. 1/08/11 on Fighting Cybercrime within ECOWAS 174 Article 14 of the Directive C/DIR. 1/08/11 on Fighting Cybercrime within ECOWAS 175 Article 15 of the Directive C/DIR. 1/08/11 on Fighting Cybercrime within ECOWAS


4.0 CHAPTER 4

4.1 States outside The African Region have framed their Laws vis-à-vis Cybercrime:

Unauthorized Access of Information

Law is not an element, but a compound, hence it is composed of many factors. It is an invalid

ideology to state that law emerges from nowhere to address a given social, economic and/or

political factors, law does act as an applauding, regulatory and/or prohibitive instrument. Laws

emanate for the sole reason to address the aforementioned factors that originate in the society.176

Hence, in this paper, it will be a poorly nurture concept to state that Kenya is the first country to

be faced with cybercrimes, it is wise to acknowledge that even our predecessors have undergone

and are still undergoing the processes of addressing matters relating to cybercrime. Thus, we can

learn various requisite issues from them.

Regarding the previous chapters, it has been noted that authors addressing IT, law and IT, countries

and AU, happen to have domesticated different definition of what entails cybercrimes177. Well,

each State does afford its own terms on what cybercrimes are, so as to make the statute capture a

lot of crimes falling under cybercrime, this helps a State to have jurisdiction over cybercrimes that

fall within a States/Courts jurisdiction and that which falls outside the States jurisdiction, but the

acts complained of emanate or have an impact in that given forum.178

176 International Covenant on Civil and Political Rights; See also, International Covenant on Economic, Social and Cultural Rights; See also, Talwant S. Cyber Law & Information Technology 2011 <www.slideshare.net/talwant/cyber-law-information-technology> (Accessed on 21st of June 2014) 177 The definition is with regards to Kenya, SA, Nigeria, AUCCSC, 178 Rosenblatt, B. Principles of Jurisdiction <www.cyber.law.harvard.edu/property99/domain/Betsy.html> (Accessed on 28th of June 2014)


It’s noteworthy, that most of the principles and laws that are being utilized to address cybercrimes

have been born by some of the developed nations, and other developing nations have undertaken

the lead in addressing the same matters. For instance, in 1945 USA had already made principles

that can be utilized to establish personal jurisdiction.179

Herein under, focus will be given to India and USA, it should be noted that, not all the statutes will

be elicited and/or mentioned, however, much credit will be given to relevant sections of the statutes

and thereon, inviting relevant precedents that have been decided upon by the relevant Courts in

each of the aforementioned jurisdiction.

179 International Shoe Co. v Washington [1945] 326 US 310: As the facts of the case are attached to matters of taxation, the principles in it have been of value of addressing matters relating to Personal Jurisdiction; See also, Rosenblatt, B. Principles of Jurisdiction (supra).


4.2 The Republic of India

As transactions were also effected in the virtual world and due to the effects of having the World

Wide Web and development of technology, it meant that the Indian Jurisdiction should find a place

to accommodate the same. Owing to the fact that technological inventions sweep the society

irrespective of having laws or not, and under no circumstance the society will have the opportunity

to stop the technological wave, it followed that the Information Technology Act was established,

seeking inspiration from The United Nations Commission on International Trade Law

(UNCITRAL). The IT 2000, is regarded to have emended the Indian Penal Code (IPC) by

introducing the term “electronic” to all relevant Sections of the IPC.180

4.2.1 Information Technology Act

Information Technology Act of 2000181, is regarded as the mother of all cyber-laws and computer

related matters in India182. It is noteworthy to acknowledge that the ITA was amended by the ITAA

in the year 2008. The ITA address a number of factors, including e-commerce, advocate for IT

oriented fields and prevent cybercrimes. However, the initial Act did not address all the relevant

matters or with the changing of times, hence there are other factors the ITA had not featured and

needed to be incorporated in it. Consequently, the ITAA introduced new definitions, which

acknowledged e-signatures et al.183

The ITA 2008 states as follows:

180 <www.iibf.org.in/Cyber-Laws-chapter-in-Legal-Aspects-Book.pdf> (Accessed on 29th September 2013) 181 The Information Technology Act of 2000, will herein after be addressed as ITA, while the Information Technology Amendment Act of 2008, will herein after be referred as ITAA or ITA 2008. 182 Duggal, P. <www.coe.int/t/dghl/cooperation/economiccrime/cybercrime/Documents/Reports-Presentations/Octopus2011/Update_sessin_pavan_duggal.pdf> (Accessed 7th of December 2013) 183 Rouse, M. ITAA (IT Act 2008) – 2010 <www.searchsecurity.techtarget.in/definition/Information-Technology-Amendment-Act-2008> (Accessed on 28th of June 2014)


"Cyber Security" means protecting information, equipment, devices, computer,

computer resource, communication device and information stored therein from

unauthorized access (own emphasis), use, disclosure, disruption, modification or

destruction.184

While incorporating what entails cyber security, the Act acknowledges the existence of

“unauthorized access” of information, equipment devices, computer, computer resource,

communication device and information stored therein.

In precise the Act does not necessarily glue to access of information as the only cybercrime, but

also the equipment, devices, computer, computer resource and communication device. This means

that irrespective of one not eliciting the information in one or all of the aforementioned, the

perpetrator will be held liable and charged as per the provisions of the ITA – 2008.

The ITA – 2008, does afford ample and wide terms that the central Government or a State

Government or any of its officer specially authorized by the Central Government or the State

Government to effect interception or monitoring or decryption of data and/or communications for

reasons that is in the interest of the State, Defence of the State, foreign friendly relations et al.185

The diction appended in statute is equivocal, the matter will be decided upon from case to case

basis.186

Pavan Duggal:

184 Sec. 2 (1) (nb) of the ITA 2008 185 Sec. 69 (1) of the ITA 2008 186 ITA 2008 (supra)


The Act has provided Indian Government with the power of surveillance, monitoring187

and blocking188 data traffic. The new powers under the amendment act tend to give Indian

Government a texture and color of being a surveillance state.189

If so, the Government of India is at the position that it will violate the Human Rights, specifically,

the right to privacy, dignity and freedom to information.

As for purposes of curbing matters relating to Cybercrimes, the ITA – 2008, provides for

establishment of an institution that will deal with cybercrimes and any matter that relates to

cybercrimes.190 The facility is pampered with the following duties:

(a) collection, analysis and dissemination of information on cyber incidents

(b) forecast and alerts of cyber security incidents

(c) emergency measures for handling cyber security incidents

(d) Coordination of cyber incidents response activities

(e) issue guidelines, advisories, vulnerability notes and white papers relating to information

security practices, procedures, prevention, response and reporting of cyber incidents

(f) such other functions relating to cyber security as may be prescribed.191

Presuming the phraseology penned under the ITAA, the CERT – In, the institution and other

persons will have to observe matters of confidentiality and privacy.192 If the persons dealing with

187 Sec. 69B of the ITA 2008 188 Sec. 69A of the ITA 2008 189 Rouse, M. ITAA (IT Act 2008) – 2010 <www.searchsecurity.techtarget.in/definition/Information-Technology-Amendment-Act-2008> (Accessed on 28th of June 2014) 190 Indian Computer Emergency Response Team (CERT - In): Sec. 70B ITA 2008 191 Sec. 70B (4) of the ITA 2008 192 Sec. 72 of the ITA 2008


the personal information, he or she must observe Sec. 72 of the ITAA. If one defeats the writings

of the aforementioned Act, the person or persons will be held liable for an offence.

With regards to matters of e-signatures, the legislators acknowledged the fact that one can tamper

with a given system and thereon have the opportunity to alter the e-signature, thus placing a

signature where it does not exist.193

The Protected System194 will only be accessed by the authorization, effected by a Gazette Notice.

Where one does purport to secure such access or secures access to a Protected System, he or she

will be charged for an offence as provided by the Act. However, some analysts of the ITAA, have

concluded that it is lenient on the surcharge it offers, making it lack the deterrent element in it.195

4.2.2 The Evidence Act

The Evidence Act is a requisite legal instrument to be delved in, this is for the sole reason that, it

gives the procedures and what type of evidence can be adduced before the Honourable Court, for

purposes of supporting or diminishing the arguments brought forward by the adversarial in a given

case.

Authenticity of the documents have been addressed by the ITA 2008196, however, the Evidence

Act ought to establish the same principles. This is to help avoid admission of evidence that falls

below the expectations of the Courts or prudent laws that are in place to secure justice. For

193 Sec. 74 of the ITA 2008 194 Sec. 70 of the ITA 2008 195 Rouse, M. ITAA (IT Act 2008) – 2010 (supra) 196 Part II – Sec. 3 of the ITA – 2008: By having digital signature and electronic signature being authenticated, it will ascertain the validity of a given document, this will be in line with ascertaining that the contents of the documents are true.


instance, matters of e-signatures can be tampered with after one does secure access into an

information store or system or documents that are purported to be of relevance in a given case.

The Evidence Act of India, was amended by the ITA – 2000, as initially the Act only based its

view on physical documents, the amendment of the Act does it invite the electronic documents.197

Admissibility of electronic evidence is provided for under Chapter V of the Evidence Act of India.

Any matter relating to proving what entails e-records, will be guided by Sec. 65B of the Evidence

At.198 The Act provides as follows:

Notwithstanding anything contained in this Act, any information contained in an electronic

record which is printed on paper, stored, recorded or copied on optical or electro-magnetic

media produced by a computer (herein referred to as computer output) shall be deemed to

be also a document.199

The amendment under the Evidence Act of India that was made by the introduction of the ITA -

2000 does have the same diction as that incorporated under Part VII – Electronic Records of the

Kenyan Evidence Act, which was amended in the year 2009.

The Indian Evidence Act, does acknowledge that documents found in the virtual form, are

admissible before the courts as long as they meet the stipulations under Sec. 65B of the Indian

Evidence Act.

197 <www.iibf.org.in/Cyber-Laws-chapter-in-Legal-Aspects-Book.pdf> (Accessed on 29th September 2013) 198 Sec. 65A of The Indian Evidence Act of India 199 Sec. 65B of the Evidence Act of India


The legal lacuna realized when mentioned under Chapter II of this discussion paper reflects the

same image of what is facing the Indian jurisprudence vis-à-vis the Indian Evidence Act200.

200 Ombo, D. Chapter II: 2.4 The Evidence Act, Cap 80 (Computer Hacking and/or Unauthorized Access: A Critical Analysis Of The Legal Framework In Kenya)


4.3 United States of America

United States of America is among the developed countries in the world, which has rich

jurisprudence on cybercrime or cyber-law. Florida had a legislation addressing cybercrimes in the

year 1978201. Having dealt with cases of cybercrime as early as 1960’s202, the country’s judicial

system stands to have well established principles that guide matters relating to cybercrimes.

However, the matter of concern is that the society is utilizing what they lack ample knowledge

towards it, hence making it hard to have cautious persons.203

Cybercrimes tend to take a different twist every time technology does change, thus as the

technology is advancing, so the cybercriminals are establishing new tactics to attain the criminal

activities. Cybercrime has taken a different lane, this is because the small groups that used to

execute cybercrimes are now forming major cartels, the cybercriminal groups tend to utilize IT

guru’s to execute the crimes.204

4.3.1 Computer Fraud and Abuse Act

In 1984, Congress hastily drafted and passed the CFAA205. At the time, the Act was widely

criticized as being overly vague and too narrow in scope. In light of these deficiencies,

Congress undertook a more careful study of computer crime and completely revised the

Act in 1986. Since then, the CFAA has been amended eight more times during its relatively

201 Kerr, ‘Cybercrime’s scope’, 1615. For a summary of state computer crime statutes see M. D. Goodman and S. W. Brenner, ‘The emerging consensus on criminal conduct in cyberspace’ (2002) UCLA Journal of Law and Technology 44. 202 LaMance, K. LegalMath Law Library: Cyber Crime <www.legalmatch.com/law-library-cyber-crime.html> (Accessed on 30th of June 2014) 203 Dr. Carl Sagan, cited in In the Matter of the Application of the United States of America for an Order Authorizing the Installation and Use of a Pen Register and a Trap & Trace Device on E-Mail Account, 416 F Supp 2d 13, 14 (D DC 2006). 204 <www.interpol.int/Crime-areas/Cybercrime/Cybercrime> (Accessed on 23rd of June 2014) 205 Computer Fraud Abuse Act


short lifespan. An appreciation of the Act’s history is necessary to understand the problems

with the current version.206

In the Computer Fraud and Abuse Act (herein after referred as the CFAA), does have a section

that addresses matters relating to unauthorized access to information.207 The Section is to be

discussed herein under as it relates to the topic of discussion of this paper.

Title 18, United States Code, Section 1030(a) (2) provides: Whoever –

(2) intentionally accesses a computer without authorization or exceeds authorized access,

and thereby obtains -

(A) information contained in a financial record of a financial institution, or of a card issuer

as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting

agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15

U.S.C. 1681 et seq.);

(B) information from any department or agency of the United States; or

(C) information from any protected computer208

The definition of unauthorized access or exceeding authority that one has been offered by given

laws or statutes and/or policies have been penned herein above by the previous chapter(s).

However, in a nutshell, it is the event when one does access information without attaining consent

from the owner, the information trustee and/or any other information that is regarded as personal

206 Reid, S. Cybercrimes & Misdemeanors: A Reevaluation Of The Computer Fraud And Abuse Act (2003) 207 Accessing a Computer and Obtaining Information: 18 U.S.C. § 1030(a)(2) of the CFAA 208 Marshall J. & Michael W. Prosecuting Computer Crimes Computer Crime and Intellectual Property Section Criminal Division pp 16 – 17; See also, Title 18, United States Code, Section 1030(a)(2) of the CFAA


and/or State confidential information. The access can be in physical, however, herein, much focus

is placed on electronic information.

As a way of the CFAA providing what entails “unauthorized access to computer,” the term

intentionally is utilized. The term is very imperative, as it will help one to know where the

demarcation of the statute does commence and adjourn.

The concept behind the intent of accessing information, does only capture the one who violates

the provisions so as to acquire information, and in the event a third party does access the same

information, thus being from the person who acquired the information contrary to the law, he or

she will not be violating the law.209 However, the law does afford to acknowledge conspiracy to

commit crimes, and also the fact that, it is a crime to protect or hide criminals, when it is in one’s

knowledge that a given person is a criminal, that will lead to criminal liability.210

Thereon, after one effects the hacking or unauthorized access and/or exceed authorization, is when

the other criminal activities will follow suit. This includes the traditional crimes and ideological

crimes on cyberspace.211

Case Law

209 Role Models America, Inc. v. Jones, 305 F. Supp. 2d 564 (D. Md. 2004) 210 Marshall J. & Michael W. Prosecuting Computer Crimes Computer Crime and Intellectual Property Section Criminal Division 211 Carter, E. Examining Cybercrime: Its Forms and Its Perpetrators (National University of Internal Affairs in Kiev, 2002)


In Reynolds v. Spears212 unlike the principles of Tort law that afford one a defence of having relied

on information offered by a competent persons213, herein the courts rejected the defence that, the

defendant had solely relied on the information given by an enforcement officer.

In Williams v. Poulos214 held, the defense that one was using the gadget (intercepting gadget) and

disclosing information thereon, and believing that all was in good faith and presuming it fell under

the ambit of the statute, could not be upheld by the court.

It has been also nullified that no defence will be upheld, if it relates to good faith vis-à-vis mistake

of law.215

4.3.2 Wiretap Act

Prior having the Title III216 being effective to capture cybercrimes, thus electronic communication,

it only addressed matters relating to oral and wire communication. In the year 1986 amendments

were made, so as to have the Act accommodate communications falling under the ambit of

electronic communication.217

Intercepting a Communication 18 U.S.C. § 2511(1) (a),218

Except as otherwise specifically provided in this chapter any person who -

212 93 F.3d 428, 435-36 (8th Cir. 1996) 213 Tort law does have the element of ‘duty of care’ this element does not solely require a long term relationship between the parties: Hedley Byrne v Heller [1964] AC 465 214 11 F.3d 271, 285 (1st Cir. 1993) 215 Heggy v. Heggy, 944 F.2d 1537, 1541-42 (10th Cir. 1991) 216 Also known as the Wiretap Act; See also, Marshall J. & Michael W. Prosecuting Computer Crimes Computer Crime and Intellectual Property Section Criminal Division 217 Marshall J. & Michael W. Prosecuting Computer Crimes Computer Crime and Intellectual Property Section Criminal Division 218 Title III


(a) Intentionally intercepts, endeavors to intercept, or procures any other person to

intercept or endeavor to intercept, any wire, oral, or electronic communication

The person will be held liable for a given offence under the same Act.219

With regards to the diction utilized in the Title III, it quite evident the valuable terms are as follows:

intentionally and interception. The subject matter that is being focused on is “…any wire, oral, or

electronic communication.”

Interception

The Act provides that interception is the aural or other acquisition of the contents of any

wire, electronic, or oral communication through the use of any electronic, mechanical, or

other device.220

Interception does lead to infringement of privacy rights, this can also lead to unauthorized access

of information. Precluding the notion of “oral” and sticking to the wire and electronic mode of

communication, one will have to hack into the system, emails, phones and so forth.221

Interception is when communication between users is compromised by a third party222, where the

third party has the advantage of recording or taking note of the conversation between two people,

main targets can be fixed lines, wireless, emails et al.223 however, it has been noted that the

definition offered by the Wiretap Act vis-à-vis the definition of “intercept” to be very complex, as

it is short but very wide as it has complex terms in within it.224

219 Title 18, United States Code, Section 2511 (4) of the Wiretap Act 22018 U.S.C. § 2510(4) of The Wiretap Act: See also, Marshall J. & Michael W. Prosecuting Computer Crimes Computer Crime and Intellectual Property Section Criminal Division 221 UNITED NATIONS OFFICE ON DRUGS AND CRIME: Vienna “Comprehensive Study On Cybercrime” 2013: See also, Marco, G. Understanding Cybercrime: Phenomena, Challenge and Legal Response <www.itu.int/ITU-D/cyb/cybersecurity/legislation.html> (Accessed on 7th of December 2013) 222 United States v. Turk, 526 F.2d 654, 658 (5th Cir. 1976). 223 Marco, G. Understanding Cybercrime: Phenomena, Challenge and Legal Response <www.itu.int/ITU-D/cyb/cybersecurity/legislation.html> (Accessed on 7th of December 2013) 224 Marshall J. & Michael W. Prosecuting Computer Crimes Computer Crime and Intellectual Property Section Criminal Division pp62


The interceptor will not have a defence, that he or she did not listen or read the conversation. For

the sole reason that the interception is intentional or purposively, the defendant or the interceptor

will be held liable of the offences provided for.225

Marshall J. & Michael W.:

Applying Turk,226 most courts have held that both wire and electronic communications are

“intercepted” within the meaning of Title III only when such communications are acquired

contemporaneously with their transmission. An individual who obtains access to a stored

copy of the communication left behind after the communication reached its destination

does not “intercept” the communication.227

Precisely, it is stated that, the communication that can be intercepted, is the communication, which

is taking place contemporaneously. If the information has already been sent and received, thereon

stored, and one accesses the information, it does not fall under the ambit of what interception

means.228

However, the term contemporaneous has not been discussed that much by the USA courts.

Regardless of that, the American jurisprudence in a recent case has defined what interception is,

as being not necessarily what ‘contemporaneously with their transmission’ is.


[T]here is no timing requirement in the Wiretap Act, and judges ought not add to statutory

definitions…It stated that acquisition of a stored voice message would fall within the

definition of “interception,” and that under the statute, any acquisition of information using

225 Sanders v. Robert Bosch Corp., 38 F.3d 736, 740 (4th Cir. 1994) 226 United States v. Turk, 526 F.2d 654, 658 (5th Cir. 1976) 227 Marshall J. & Michael W. Prosecuting Computer Crimes Computer Crime and Intellectual Property Section Criminal Division pp63 228 Marshall J. & Michael W. Prosecuting Computer Crimes Computer Crime and Intellectual Property Section Criminal Division pp64


a device is an interception. It was prosecution for a violation of the Wiretap Act through

the interception of e-mail. The court found that the evidence in that case established that

the defendant intercepted e-mail contemporaneous with transmission. Consequently,

despite [that] prosecutors are advised to charge Wiretap Act violations only when the

contemporaneity requirement is present (own emphasis).229

What the courts emphasized on, was that, irrespective of the fact that there is no timing requirement

in the Wiretap Act or the contemporaneous factor of transmission in the Wiretap Act, it will be

prudent to raise claims under the same Act if the claims have an element of contemporaneity.

Intentional

The term intentional is defined as follows;


An act is done intentionally if it is done knowingly or purposefully. That is, an act is

intentional if it is the conscious objective of the person to do the act or cause the result. An

act is not intentional if it is the product of inadvertence or mistake. However, the

defendant’s motive is not relevant and the defendant needs not to have intended the precise

results of its conduct or have known its conduct violated the law.230

The intent element needed here, is not to be questioned, if it was in good faith or bad faith.231 The

matter of mens rea is not applauded to, as the court’s went further to simplify the concept by

stating, even he or she who steals food for the family or children and/or the instances that fall under

229 Marshall J. & Michael W. Prosecuting Computer Crimes Computer Crime and Intellectual Property Section Criminal Division (supra); See also, United States v. Szymuszkiewicz WL 3503506 (7th Cir. 2010) 230 Marshall J. & Michael W. Prosecuting Computer Crimes Computer Crime and Intellectual Property Section Criminal Division pp61 231 United States v. Townsend, 987 F.2d 927 (2d Cir. 1993): The case law further provides that, even if the equipment utilized was attained so as to be utilized in good faith, that will not stand as a defence.


acts that Robin-hood did, still fall under the purview of a crime, it does not matter the purpose of

why one steals or commits a crime.232

The matter of concern is whether it is within the defendants knowledge that actually the

interception is being made, thus “knowingly or purposefully.” If the interception does take place

due to “inadvertence or mistake” the defendant will not be held liable, in such an event it is upon

the defendant to convince the court that the act was out of inadvertence or mistake.233

232 S. Rep. No. 99-541, at 24 233 Based on the principle of proofing beyond reasonable doubt.


5.0 CHAPTER 5

5.1 Regional and International Organization on Cybercrime: Unauthorized Access to

Information

Under the International bodies, there are many legal instruments that address matters relating to

computer hacking and/or unauthorized access directly and indirectly.

UNCITRAL – Model laws does address matters relating e-commerce, e-signatures and also

advocated for States to acknowledge e-documents to be under the definition of documents. This

was relevant as it helped to catch up with the fact that the transactions were much more being

effected through the World Wide Web platform.234

In the event computer or electronic gadget has been hacked into or unauthorized access has been

effected, there can be a number of crimes that will follow suit ab initio and thereon after attaining

the information. This can be: Right to Life; Right to Privacy; Right to Information; Right to

Dignity; Freedom of Expression et al. this rights are acknowledged by the Budapest Convention;

AUCCSC; UDHR; ICCPR; ICESCR et al.

5.2 Budapest Convention

Recognising the value of fostering co-operation with the other States parties to this

Convention.235

Gluing and acknowledge the irrebuttable fact that no State can make laws that will administer the

whole of the Cyberspace, the Budapest Convention does affirm in its Preamble, the need to have

234 <www.uncitral.org/uncitral/en/uncitral_texts/electronic_commerce.html> (Accessed on 29th of June 2014) 235 Preamble, Budapest Convention


the harmonization of laws, that will address matters relating to cyberspace and specifically

prosecuting perpetrators of the prudent use of the cyberspace.

As stated earlier on, the prosecution of a cybercrime in a different forum will need the two States

have the matter mitigated upon, thus considering the interests of other states, the defendant, the

rule of Natural Justice and interests of the forum State.236

Despite the thirst of the European Union to have the laws to address cybercrime, the Convention

was not structured in a manner that it will overstep on other provisions or statutes in existence.

The Convention requires that as much as the States take the move to utilize the Budapest

Convention to curb matters relating to cybercrime, they ought to respect and acknowledge the

Fundamental Rights of Human Beings.237

The Convention initiates by acknowledging the aspect of Illegal Access and Illegal Interception.238

Illegal access is used to signify hacking into a system or unauthorized access and/or exceed

authorized access. These are the basic topics in this paper, hence, the same will have to be

scrutinized as to the definition and to what extent it can be used to stall cybercrimes.

Budapest Convention:

Each Party shall adopt such legislative and other measures as may be necessary to establish

as criminal offences under its domestic law, when committed intentionally, the access to

the whole or any part of a computer system without right (own emphasis). A Party may

require (own emphasis) that the offence be committed by infringing security measures,

with the intent (own emphasis) of obtaining computer data or other dishonest intent (own

236 <www.cyber.law.harvard.edu> (supra) 237 Preamble, Budapest Convention 238 Art. 2 & Art. 3 of the Budapest Convention


emphasis), or in relation to a computer system that is connected to another computer

system.239

Without Right: this term is domesticated in the Article to refer permission. Thus permission does

differ from different cases, this can be through giving of licenses to operate under certain limits

and/or a contract for a given task. In the event one does effect illegal access, this will be in violation

of this statute. The first sentence of the Article is of strict liability, thus it does not require to know

the intent of the person who wants to or is in the process to and/or acquires access the restricted

information, but for the sole reason one does purports or accesses the restricted information

without the right, the person will be held liable for the offense provided for under the domestic

law.

With intent: When the same Article of the Convention introduces the term “intent,” it goes contrary

to the first sentence of the Convention which requires no “intent.” The second sentence of the

Article requires the Mens rea of the alleged violator of law, thereon it purports the intent is with

regards to “obtaining computer data or other dishonest intent,” precisely, if a person who attains

access to a sever, computer system and other related electronic gadgets, and the persons does not

purport to commit any further crime, he or she does not fall under the diction of the second part of

the Article, the person falls under the first sentence of the Article.

When one so wishes to interpret Article 2 of the Budapest Convention, it will be of prudent to

utilize the Purposive Rule of Interpretation. The purposive rule of interpretation is utilized by the

European Court of Justice when it is has the opportunity to interpret a statute.240

239 Art. 2 of the Budapest Convention 240 The Purposive Approach to Statutory Interpretation <www.e-lawresources.co.ke/purposive-approach.php> (Accessed on 29th of June 2014)


Lord Simon:

The first task of a court of construction is to put itself in the shoes of the draftsman – to

consider what knowledge he had and, importantly, what statutory objective he had

and…being thus placed…the court proceeds to ascertain the meaning of the statutory

language.241

Thus, with the two sentences stating two different factors, they are made to acknowledge the

hacking and/or unauthorized access is a different cybercrime and whatever the crime that follows

thereon is different, hence capturing the two offences. One being without the need of Mens rea

and the other one having to establish the element of Mens rea.

The fact is that, anyone who procures illegal access, will not be able to evade the jaws of law, as

the Articles are fully equipped to make a conviction with or without intent.

However, even despite applauding to the purposive approach of interpretation, the Article raises

a lot of questions as to what “[a] party may require that the offence be committed by infringing

security measures, with the intent of obtaining computer data or other dishonest intent.”242

UNITED NATIONS OFFICE ON DRUGS AND CRIME:

Offences involving illegal access to computer systems and data differ with respect to

the object of the offence (data, system, or information) (own emphasis), and regarding

241 Maunsell v Olins [1975] AC 373; See also, <www.e-lawresources.co.ke> (supra) 242 This means that a perpetrator my offer a defence that he might lacked the license (right), but had authority from a legal personnel. This will help the perpetrator defeat the “infringing security” & “dishonest intent”, such a defence does not have a standing in the American Jurisprudence: See, Marshall J. & Michael W. Prosecuting Computer Crimes Computer Crime and Intellectual Property Section Criminal Division (supra)


the criminalization of ‘mere’ access or the requirement for further intent, such as to cause

loss or damage.243

The Convention fails to inform its States members of the degree of crime, as of the object offence.

Budapest Convention:

Each Party shall adopt such legislative and other measures as may be necessary to establish

as criminal offences under its domestic law, when committed intentionally (own

emphasis), the interception without right (own emphasis), made by technical means, of

non-public transmissions of computer data (own emphasis) to, from or within a

computer system, including electromagnetic emissions from a computer system carrying

such computer data. A Party may require (own emphasis) that the offence be committed

with dishonest intent (own emphasis), or in relation to a computer system that is connected

to another computer system.244

Article 3 does have a repetition of some terms as those of Article 2, and also incorporates a new

term “intentionally.” The concept of “dishonest intent” should be a secondary factor to the

Convention, thus whereby, one cannot argue that he or she did not violate the law for the sole

reason the persons act or omissions does not amount to dishonesty, hence, the person cannot be

held liable for having intercepted the communication.

243 UNITED NATIONS OFFICE ON DRUGS AND CRIME: Vienna “Comprehensive Study On Cybercrime” 2013 ppXX 244 Art. 3 of the Budapest Convention


Intentionally: Intent, is defined as a purpose or formulated design that is utilized to earn a certain

goal.245 Clinging to the definition offered, the perpetrator must have conclusive goal,246 whereby

the Act did not emanate without him or her having knowledge of the same.

UNITED NATIONS OFFICE ON DRUGS AND CRIME:

The requisite intent for an offence also differs in approaches to criminalization of

interference with computer systems or data. Most countries require the interference to be

intentional, while others include reckless interference. For interference with computer data,

the conduct constituting interference ranges from damaging or deleting, to altering,

suppressing, inputting or transmitting data. Criminalization of illegal interception differs

by virtue of whether the offence is restricted to non-public data transmissions or not,

and concerning whether the crime is restricted to interception ‘by technical means’

(own emphasis). Not all countries criminalize computer misuse tools. For those that

do, differences arise regarding whether the offence covers possession, dissemination,

or use of software (such as malware) and/or computer access codes (such as victim

passwords) (own emphasis). From the perspective of international cooperation, such

differences may have an impact upon findings of dual-criminality between countries.247

The Convention does restrict interception of non-public data, by way of technical means. The

Budapest not only adjust itself to tools that might be utilized for interception, however, it thereon

245 Black’s Law Dictionary 246 Irrespective of the fact that the goal of the perpetrator is not attained, it will be a crime as long as the intent is established. 247 UNITED NATIONS OFFICE ON DRUGS AND CRIME: Vienna “Comprehensive Study On Cybercrime” 2013 ppXX


prohibits of making available of tools and devices for purposes of committing a crime that fall

under Article 2 – 5 of the Convention.248

248 Art. 6 of the Budapest Convention


6.0 CHAPTER 6

Herein under, the Conclusion and the Recommendation will echo the initial questions of concern:

Statement of the Problem, Objectives of the Research, Research Questions and Justification of the

Research, the four named divisions will be related to the research done in the several Chapters

herein above.

6.1 Conclusion

In the compilation and analyzing of the requisite data that was at disposal during the penning of

this dissertation paper, it is within the knowledge of the author that, basing on the information

elicited to from the laws of Kenya, South Africa, Nigeria, African Union, United States of

America, India and The European Union, that every State or Organisation does enjoy the ‘little’

paradise they have.

Kenya as a State is in its crawling stages as per the laws that address cybercrime, it is worth to

appreciate that the laws it has afforded are quite healthy in diction and tend to paint a sensible

colour scheme that will beautify the Jurisprudence of the country. Nevertheless, the laws are

structured to address the Kenyan Jurisdiction, this defeats the reality on the ground: Cyberspace

does not have whatsoever Jurisdiction, hence, question of concern is: how will cybercrimes

initiated off the Kenyan jurisdiction be dealt with.

Just like other countries, Kenya has several laws that have an element that goes to the root of

cybercrime: computer hacking and/or unauthorized access. This can lead to a lot of conflicting

interpretation of laws whenever a matter of the same magnitude arises. Such has already been

experienced in South Africa: The Electronic Communication and Transactions Act and The


National Prosecuting Authority Act tend to give conflicting surcharge on a person found guilty on

matters of computer hacking and/or unauthorized access.

The Kenyan Judiciary is filled with able Magistrates and Judges, however, it does not fulfill the

fact that they can be apt to preside over Cybercrime Offences, this is due to the fact that there are

a handful advocates and/or Magistrates or Judges who have arrested this topic and those oriented

to it as their subject matter of interest. Without seeming to abuse their virtuoso on the Legal field,

it is valuable to note that IT and The Law is a peculiar strata, the same has to be given its own

Court, thus having peculiar Magistrates or Judges.

Too much on paper is provided, as the country has taken the initiative to have National CERT –

Ke, however, much focus is on the capability of the same institution to tackle cybercrimes and

investigate the same, owing to the high degree of forensic power that is needed: not only by having

the IT and Law wits but machinery wise too, and at the same time, having the machinery without

the wits in IT and The Law nothing is operable.

In Kenya the Data Protection Act, is quite sober on addressing the issues pertaining computer

hacking and/or unauthorized access of information: this is as the provisions of the law give the

term personal data a wider rostrum. However, the law does not take recognition of the need to

cooperate with other foreign States, as it has been stated that matters falling under cybercrime tend

to be committed off jurisdiction and no state can assume the jurisdiction of cyberspace.

Nevertheless, the same Act does acknowledge the need to play by the international practices,

hence, the same ideology of cooperation between countries can find its way in via that

‘international practice’ tag.


The Data Protection Act, alludes of Unique Identifiers to help certain Organisation in undertaking

their duties. Such initiatives should be strictly monitored: a continuum communication can lead to

distortion and also the giving away of information to a third party can happen in between, this will

leave no person to blame, hence, the victim will have suffered prejudice.

The Data Protection Act does offer feeble punishments, considering the seriousness of

cybercrimes. This makes the law treat cybercrime as a callousness matter, the degree of morality

the law portrays is feeble.

The Evidence Act and The Kenya Information Communication Act, 411A tend to address the

matter of forensics lightly. This means dispensation of justice will not be attained prudently, thus

building a poor legal jurisprudence.

Not much attention is offered to the IT profession, this is with regards to the training and the

services expected from them, as the field is directly linked to the IT and Law, hence, most of the

computer hackers and other cybercriminals are IT professions and if not, it is effected by the help

of the IT guru’s. Owing to that fact, it is prudent for Kenya to delve into regulating the Profession

and it Professionals.

Without being shy, it will not be a healthy conclusion, if the same does not take notice of the

division of Right to Privacy and Information. Kenya is a country that is sufficed with a lot grave

topics that ought to addressed, and the same makes persons ignorant of some issues of Privacy and

that of Information. As the National Intelligence Service of Kenya (herein after NIS-Ke) wishes

to have laws that allow the Organisation access to each and every Kenyans personal data

(conversation/s) indiscriminately, such schemes are very prejudicial: Countries such as Germany,

Britain, Netherlands et al. have gave in-depth thoughts over the same, as Germany regarded such


laws that ape what the NIS – Ke is requesting for, to be null and void. As regards to that, Justice

Minister Beatrice Ask said the following “[T]he German ruling showed ‘that we have been right

in that that it concerns sensitive issues that demand very difficult judgments.’”249

It is worth to appreciate that the laws have offered some sort of deterrent element as to those who

violate laws that address matters relating to hacking and/or unauthorized access of information.

However, that should not be the end of the element of deterrence as the courts ought to consider

the value: thus monetary value of the information that has been attained contrary to the lex in place.

Hence, the surcharge should reflect the monetary value of the information.

6.2 Recommendations

Rooting from the research herein above and also clinging to the Conclusion, it is vivid that the

Kenyan Laws have no element that shows the urge to acknowledge that cybercrimes can be

committed off its jurisdiction. The State should come up with laws and/or policies that can help

address the same issue. For instance: In International Shoe Co. v Washington (supra), there are

viable principles as further expounded by Darrel Menthe:

- Personal Jurisdiction: The Personal Jurisdiction does not demand the physical

presence of a person, rather it arises from the Contacts one does make with the given

State or the purported Forum State. The contact can be physical or virtual (use of

networks and/or internet).

- Prudent Minimum Contacts: When one makes any contact with a given foreign State,

the person is bound by the laws of the State. In the event it is an Inconsistent Contact,

249 Melissa E. & Verena S. Security: German Court Overturns Phone, e-mail data law: 2010 <www.nbcnews.com/id/35672314/ns/technology_and_science-security/t/german-court-overturns-phone-e-mail-data-law/> (Accessed on 23rd day of August, 2014)


the claim raised will be glued to that very act or omission that one commits against the

State, while when it is Consistent Contact that is Continuous, the defendant will be held

liable of the direct subject matter and also the incidental crimes.

- Forum State: Predominantly, this is the State that assumes jurisdiction when an

offence has been committed against its persons. However, the same is not absolute as

the Rules of Fair Hearing and/or Natural Justice will be applied; by having such

applied, it helps build an international law (through case law) that is sober and can be

adopted by other States, also the same helps consider the Status (mostly economic) of

the defendant.

Currently, The Constitution of Kenya, 2010; Evidence Act, Cap 80; The Kenya Information and

Communication Act, Cap 411A; The Penal Code, Cap 63; The Finance Act, 2012; and Data

Protection Act, 2013 et al. are requisite laws that address elements that go to the root of the

ramifications of cybercrimes. The laws need to be harmonized, not literally, but the textual context

of each should applaud the other. This will raise a sober jurisprudence within the Country.

Just like there is a Land Law Court and an Industrial Court of which is to be rebranded as the

Labour Relations Court, there is need to have a peculiar court that will delve into matter of IT and

The Law, more so, cybercrimes. Owing to the fact that IT and The Law tend to hold on other

divisions of law (Tort Law, Contract Law, Evidence Law et al.), it will not be worth to aver that

calling a Court “Cybercrime Court” will be prudent. Having an “IT and The Law Court” will be

more prudent, however, the same should not have both the Civil and Criminal Jurisdiction. The

“IT and The Law Court” should have the Criminal Jurisdiction only. Such a Court will not demand

new laws as the schemes of the Penal Code and Criminal Procedure Code will be viable as long

the laws are ‘up-to-date’ with the IT and The Law provisions.


Regardless of the fact that Kenya has some laws that can be utilized to prosecute cybercrimes, it

should be noted that that will not stall the committing of the cybercrimes. The need to strengthen

the CERT – Ke by having virtuosos persons in the IT and IT and The Law field, not forgetting the

need to have installed the most prudent machinery in place to monitor and also receive complains

from the public, through: emails, calls and noting the email-bombers. This will help curb the rate

at which cybercrimes are committed.

As The AUCCSC and The Budapest Convention provide that there is need for cooperation within

States to address the vice, this is by exchanging of information and how prosecutions will be

undertaken, the Kenyan Government should take an initiative and make laws to that effect. This

will help have a sober discussion with other States on matters of Jurisdiction whenever a

cybercrime emanates or there is some intent of committing the same.

A human being is a social creature and that should be within the knowledge of the law drafters. As

the issue of letting a third party assume the duties of a given person on delving into personal data,

is opening the doors of having a person’s privacy (personal data) infringed. Each facility should

have its own Unique Identifiers or the Government should allow private firms that wish to be

Unique Identifiers to strictly applaud to the ethics of Professionalism inclusive of the wishes of

the Constitution.

The Criminal concept of the Data Protection Act, has made it that a surcharge will be of five

hundred thousand Kenyan Shillings or a maximum sentence of two years during conviction. This

is treating the issue of cybercrime with great callousness. Owing to the same being a serious white

color crime, the need to advance the deterrence element is prudent. The ECT Act of South Africa

offers the same punishment as the Data Protection Act of Kenya, while the National Prosecuting

Authority Act of South Africa offers a maximum sentence of twenty five years in prison. The


Kenyan legislature should review the sentence offered under the Data Protection Act, since Sec.

349 of the Penal Code also offers a feeble surcharge of three year imprisonment on forgery matters:

forgery can be effected after hacking or unauthorized access.

IT and The Law and Forensics are relatives. There is need of acknowledging the same in Kenya,

this will be a prudent step to address offences falling under the Cybercrime and/or IT and The

Law. Subjects such as e-contracts, e-signature, mirroring of Hard disk and other information

storage facilities et al. will always demand the highest degree of forensics. As opined herein above

in Chapter II under the Evidence Act and The Kenya Information Communication Act of Kenya,

that one can hack into a server and/or system and thereon alter the information and owing to the

fact the e-signature is not changed, the same will presumed to be the document on the grounds of

the viable signature. Hence, unearthing of the initial information will be the initial step of attaining

the truth that will lead to a reasonable adjudication.

As Geoffrey Sampson asserts, that the need to have IT Professional and its professionals regulated

just as the Medicine, Architect, Advocates et al. are regulated and their actions and inactions

undergo scrutiny. This will provide room to observe the acts and omissions of the Professionals

and also have ethical standards that they will subordinate to. As much as it will not totally stop the

cybercrimes, it will help bring sobriety into the IT Profession field, as the IT gurus are the most

likely to commit the crimes and also generate tools and/or software’s that can effect the committing

of cybercrimes. Laws to provide how minor offenders will be dealt with, as the paper by Edward

Carter portrays how minors are taking advantage of their age bracket to commit cybercrimes

because the laws have always been lenient towards them.

There are matters of National Interest of which if they are effected they can gravely be prejudicial

to all the citizenry Rights as provided under The Bill of Rights in The CoK and also other Regional


and International Legal instruments Kenya is party to. The NIS – Ke demands to have access to

all Kenyans personal data (conversation/s), its quest is abuse of the Grund-norm. The need to

wiretap and go through the conversation of Kenyans, ought to be objective, hence it must be

discriminatively, reasons whereof, if it is indiscriminative there will be lax of democracy, freedom

of expression, freedom to information et al. in precise the political wing of the Government in a

given regime will be curtailing the Fundamental Rights so as to have an environment that suits its

personal interests.

Reflecting the ideology of traditional crimes finding way into the cyber world, it is worth to note

that hacking and/or unauthorized access of information can be under the same strata. Thus, the

information elicited after hacking and/or unauthorized access could have monetary value. For

instance, when cybercriminals steal information for purposes of gaining pecuniary benefits from

it. This means that the same information should be investigated by the courts, by doing so, the

court will know the value of the information prior giving the sentence or surcharge to the accused

person. Edward Carter states that some American Courts tend to evaluate the value of the

information prior giving a sentence and/or surcharge.


Reference:

Black’s Law Dictionary

Deans Law Dictionary

Oxford Advanced Learners Dictionary 8th edition

<www.cck.go.ke> (Accessed 16th of June 2014) –as it was then, currently, rebranded to

<www.ca.go.ke>

<www.iibf.org.in/Cyber-Laws-chapter-in-Legal-Aspects-Book.pdf> (Accessed on 29th

September 2013)

<www.interpol.int> (Accessed on 23rd of June 2014)

<www.itwebafrica.com > (Accessed on 22nd of May 2014)

<www.kean.edu > (Accessed on 16th of June 2014)

<www.thelawdictironary.org> (Accessed on 16th of June 2014)

Adam J. ICT Law book: A Source Book For Information and Communication

Technologies & Cyber Law in Tanzania & East African Community (Mkuki na Nyota Publishers

Ltd Dar Es Salaam 2010)

Australian High Tech Crime Centre, Malware: Viruses, worms, Trojan horses, High Tech

Crime Brief no. 10 (AIC, 2006)

Carter, E. Examining Cybercrime: Its Forms and Its Perpetrators (National University of

Internal Affairs in Kiev, 2002)

Case Law


Chawki, M. Nigeria Tackles Advanced Fee Fraud <www2.warwick.ac.uk> (Accessed on

2nd of June 2014)

Chinese Hacking: Impact On The Human Rights and Commercial Rule of Law

<www.gpo.gov/fdsys/pkg/CHRG-113hhrg855/pdf/CHRG-113hhrg81855.pdf> (Accessed on 8th

February 2014)

Clough J. Principles of Cybercrime (Cambridge University Press New York, 2010)

Computing: Nigeria Ranked third In The World for Cyber-crime, says Survey; Issue no

302 <www.balancingact-africa.com/news/en/issue-no-302/computing/nigeria-ranked-thrid/en>

(Accessed on 2nd of June 2014)

Dennis Mbuvi, ‘103 Government of Kenya websites hacked overnight’ [2012] CIO East

Africa <www.cio.co.ke> (Accessed 2nd of November 2013)

Duggal, P.

<www.coe.int/t/dghl/cooperation/economiccrime/cybercrime/Documents/Reports-

Presentations/Octopus2011/Update_sessin_pavan_duggal.pdf> (Accessed 7th of December

2013)

J. N. Geltzer, ‘The new Pirates of the Caribbean: How data havens can provide safe harbors

on the internet beyond Governmental reach’ (2004) Southwestern Journal of Law and Trade in the

Americas

JACQUELINE F. CYBER CRIME IN SOUTH AFRICA: INVESTIGATING AND

PROSECUTING CYBER CRIME AND THE BENEFITS OF PUBLIC-PRIVATE

PARTNERSHIPS (Pricewaterhousecoopers, 2009)


Jae. K, Anique. A & Joel. G International Handbook of Computer Security (Glen-lake

Publishing Company Ltd Chicago USA, 2000)

Jim F. Reuters US ‘Famed Hacker Barnaby jack Dies A Week before hacking Convention’

<www.reuters.com> (Accessed on 8th February 2014)

Joshua G. Data Breaches and Computer Hacking: Liability & Insurance Issue

<www.andersonkill.com/webpdfext/ART_DataBreachesAndComputerHackingLiability.PDF>

(Accessed 9th of February 2014)

Judy Nguta ‘Central bank of Kenya website hacked’ [2013] Standard Digital

<www.standardmedia.co.ke> (Accessed 2nd of November, 2013)

Kerr, ‘Cybercrime’s scope’, 1615. For a summary of state computer crime statutes see M.

D. Goodman and S. W. Brenner, ‘The emerging consensus on criminal conduct in cyberspace’

(2002) UCLA Journal of Law and Technology

Kufa, M (2008), ‘Cybersurfing without boundaries’, De Rebus, December, 20

Legal Instruments

Legal Sociology School of Thought

Liberty 80, <https://www.liberty-human-rights.org.uk> (Accessed on 8th of February

2014)

Marco G. Understanding cybercrime: Phenomena, Challenges and Legal Responses (ITU

Publications 2012)

Marshall J. & Michael W. Prosecuting Computer Crimes Computer Crime and Intellectual

Property Section Criminal Division


Mathew J. InformationWeek: Security//Attacks & Breaches ‘Hackers Hold Australian

medical records Ransom’ <www.informationweek.com> (Accessed on 8th February 2014)

Murungi M, Cyber Law in Kenya “Abstract” (Kluwer Law International 2011)

Nairobi (Xinhua) ‘East Africa states prepare ways to collaborate on ‘cyber’ security’

[2013] Coast Week <www.coastweek.com> (Accessed on 10th November 10, 2013)

Okuttah Mark, ‘80% of Kenyan websites vulnerable to cyber attacks, says report’ [2012]

Business daily Africa <www.businessdailyafrica.com> (Accessed 2nd of November, 2013)

Reed C. Computer Law (7th ed, Oxford Press New York 2012)

Reid, S. Cybercrimes & Misdemeanors: A Reevaluation of The Computer Fraud And

Abuse Act (2003)

Rosenblatt, B. Principles of Jurisdiction <www.cyber.law.harvard.edu> (Accessed on 28th

of June 2014)

Rouse, M. ITAA (IT Act 2008) – 2010 <www.searchsecurity.techtarget.in> (Accessed on

28th of June 2014)

Sampson G. Law of Computing Students (Bookboon, Ventus Publishing ApS 2009)

Secretary of State for the Home Department by Command of Her Majesty. Cyber Crime

Strategy Cm 7842 (2010)

Simnikiwe Mzekandaba, ‘Kenyan businesses face ‘cyber security threat’, says Kaspersky’

[2013] ITWeb Africa <www.itwebafrica.com> (Accessed on 10th November, 2013)


Snail, S., ‘Cyber Crime in South Africa – Hacking, cracking, and other unlawful online

activities’, 2009(1) Journal of Information, Law & Technology (JILT), <http://go.warwick.ac.uk>

Talwant S. CYBER LAW & INFORMATION TECHNOLOGY

<www.delhidistrictcourts.nic.in/ejournals/CYBER%20LAW.pdf> (5th of February 2014)

Tanya L. Medical Devices Vulnerable to Hackers, New Report Says

<www.m.livescience.com> (Accessed 8th February 2014)

Tommy Doc, “First Hacks” ‘The Evolution of hacking’ [2013] ehow <www.ehow.com>

(Accessed on 10th November 10, 2013)

UNITED NATIONS OFFICE ON DRUGS AND CRIME: Vienna “Comprehensive Study

On Cybercrime” 2013

Yatindra J Singh, Cyber Laws (5th ed, Universal Law Publishing Company, 2012)