Recent events in Kenya have sparked widespread civic education about our laws, many of which remain unknown to the public. You’ve probably heard the saying, “ignorance of the law is no defense.” As a protester, whether you’re demonstrating on the streets or advocating online, it’s crucial to know that your rights are protected by the Constitution.
However, it’s equally important to understand that these rights come with certain limitations.
We have witnessed a surge in online activity, with some individuals finding themselves arrested and charged under various laws. This highlights a critical point: while we demand accountability and transparency from our leaders, we must also hold ourselves to the same standards. What applies to the governing should equally apply to the governed.
In today’s discussion, let’s focus on the Computer Misuse and Cybercrimes Act No. 5 of 2018.
The objectives of this Act are to:
- Safeguard Privacy and Security: Protect the confidentiality, integrity, and availability of computer systems, programs, and data.
- Prevent Cybercrimes: Stop the unlawful use of computer systems.
- Support Law Enforcement: Aid in the prevention, detection, investigation, prosecution, and punishment of cybercrimes.
- Uphold Constitutional Rights: Ensure the protection of privacy, freedom of expression, and access to information.
- Foster International Cooperation: Facilitate global efforts in combating cybercrimes.
Which court has jurisdiction to try offences under this Act
Any court in Kenya can try offences under this Act if the offence was committed in Kenya. An offence committed outside Kenya is treated as if it were committed in Kenya if:
- The person is a Kenyan citizen or ordinarily resides in Kenya.
- The act is against a Kenyan citizen, Kenyan government property outside Kenya, or to compel the Kenyan government to act.
- The person is present in Kenya after committing the act.
Can the court order forfeiture of equipment used to commit offence under this Act?
If convicted, the court can order the forfeiture of any equipment used in the offence to the relevant authority.
What if there are other laws with conflicting provision on cybercrimes?
If there’s a conflict between this Act and any other law on cybercrimes, this Act takes precedence.
A sound understanding of the offences under these Acts and their penalties will helps us navigate our actions responsibly and stay within the bounds of the law while advocating for change using online fora. The following are the offences prescribed under the Act:
Unauthorized Access
Access is unauthorized if the person:
- Does not have the right to control access to the program or data.
- Does not have permission from someone who has the right to access the computer system.
Please note that it does not matter that the unauthorized access was not aimed at
a specific program or data or any type of program or data or a particular computer system.
If you intentionally bypass security measures to access a computer system without authorization, you commit this offence and if convicted of it, you may face a fine up to five million shillings or a jail term of up to three years in prison, or both.
Access with Intent to Commit a Further Offence:
It is an offence for you to accesses a computer system intending to commit another offence. If convicted you can be fined up to ten million shillings, imprisoned for up to ten years, or both.
Please note that it doesn’t matter when the further offence is committed, whether at the same time as the unauthorized access or later.
1. Unauthorized Interference:
The interference is unauthorized if the person if you the person who has caused the interference is not entitled to cause the interference or you do not have consent from someone entitled to access the system.
Intentionally interfering with a computer system, program, or data without authorization is an offence whose penalty upon conviction could be up to ten million shillings fine or up to five years imprisonment, or both.
There are instances when the interreference causes serious Consequences such as significant financial loss, threatens national security, causes injury or death, or threatens public health/safety, the penalty increases. In this case if convicted the fine will be up to twenty million shillings or up to ten years imprisonment, or both.
Again, it is important to note that it doesn’t matter if the interference is directed at a specific system, program, or data, or if its effects are temporary or permanent.
2. Unauthorized Interception:
Intercepting data transmission to or from a computer system without authorization is an offence whose penalty upon conviction could be up to ten million shillings fine, a jail term of up to five years imprisonment, or both.
Where the interception causes significant financial loss, threatens national security, causes injury or death, or threatens public health/safety, the penalty increases the fine could be up to twenty million shillings, a jail term of up to ten years imprisonment, or both.
It doesn’t matter if the interception is directed at a specific system or data, or if its effects are temporary or permanent.
3. Illegal Devices and Access Codes:
Manufacturing, adapting, selling, or distributing devices, programs, or access codes for committing offences is illegal and would earn one if convicted a fine of up to twenty million shillings fine, a jail term of up to ten years imprisonment, or both.
It is illegal to be found in possession of such items with intent to commit an offence. The penalty is a fine of up to ten million shillings fine, a jail term of up to five years imprisonment, or both. For clarity purposes possession includes having a computer system, data storage device, or control over someone else’s possession of such items.
Now the law here has made exceptions to this offence as follows:
- Activities for authorized training, testing, or protection of computer systems are not offences.
- Using these items as per a judicial order or legal authority is also not an offence.
4. Unauthorized Disclosure of Password or Access Code
If you knowingly and without authority disclose a password, access code, or other means of accessing a computer system you commit an offence for which upon conviction, the penalty is up to five million shillings fine, a conviction of up to three years imprisonment, or both.
If the disclosure of the password or access code is done for wrongful gain, unlawful purposes, or to cause loss, the offence will attract a penalty of up to ten million shillings fine, a jail term of up to five years imprisonment, or both.
5. Enhanced Penalty for Offences Involving Protected Computer Systems:
Committing offences 1, 2,3 and 4 above on a protected computer system attract a penalty of up to twenty-five million shillings fine, of up to twenty years imprisonment, or both.
Protected Computer System are systems related to security, defense, international relations, critical infrastructure, public safety, national registration, and as designated by the Cabinet Secretary.
6. Cyber Espionage:
If you gain access or intercept data from critical databases or national infrastructure to benefit a foreign state then if convicted you face a penalty of up to twenty years imprisonment, up to ten million shillings fine, or both.
If these offence of espionage causes physical injury the penalty shall be up to twenty years imprisonment. However, if it causes death then the penalty is life imprisonment.
7. Unauthorized Possession or Communication:
Possessing, communicating, delivering, or making data available to benefit a foreign state attracts a penalty of up to twenty years imprisonment, up to ten million shillings fine, or both.
8. Access to Exempt Information:
Accessing or intercepting state data that is exempt from information laws to benefit a foreign state attracts a penalty of up to ten years imprisonment, up to five million shillings fine, or both.
9. Publishing False Information
Publishing false, misleading, or fake data with intent to deceive is a crime whose penalty is up to 5 million shillings or up to 2 years in prison, or both.
There will be a limit to your freedom of expression if false information does the following :
- Propagates war or incites violence
- Constitutes hate speech
- Advocates hatred, ethnic incitement, vilification, or discrimination
- Negatively affects others’ rights or reputations
10. False Publications Leading to Panic or Chaos
Publishing false information that causes panic, chaos, violence, or harms someone’s reputation is a crime whose penalty is a fine up to 5 million shillings or up to 10 years in prison, or both.
11. Child Pornography
Creating, sharing, or possessing child pornography is a crime whose penalty is a fine up to 20 million shillings or up to 25 years in prison, or both. The defenses to this offence exist and include if the publication was for a legitimate public good purpose (e.g., science, literature).
12. Computer Forgery
Altering data to appear authentic for legal purposes is a crime and its penalty is a fine up to 10 million shillings or up to 5 years in prison, or both.
If the computer forgery is done for financial gain or to harm others, the penalty is a fine up to 20 million shillings or up to 10 years in prison, or both.
13. Computer Fraud
Using computers to fraudulently gain or cause loss is a crime and upon conviction a attracts a penalty of up to 20 million shillings or up to 10 years in prison, or both.
14. Cyber Harassment
Harassing someone online causing fear, harm, or offense is a crime whose penalty is a fine up to 20 million shillings or up to 10 years in prison, or both. Please notes courts have power to order stoppage of the harassment.
15. Cybersquatting
Using someone else’s name, trademark, or domain name online without permission is a crime whose penalty is a fine up to 200,000 shillings or up to 2 years in prison, or both.
16. Identity Theft and Impersonation
Fraudulently using someone else’s electronic signature, password, or ID is a crime that attracts a penalty of a fine up to 200,000 shillings or up to 3 years in prison, or both.
17. Phishing
Creating websites or sending messages to steal personal information is a crime whose penalty is a fine up to 300,000 shillings or up to 3 years in prison, or both.
18. Unlawful Destruction of Electronic Messages
Destroying or intercepting electronic communications or money transfers is a crime attracting a penalty in form of a fine up to 200,000 shillings or up to 7 years in prison, or both.
19. Willful Misdirection of Electronic Messages
Misleading electronic messages is a crime whose penalty may be a fine of up to 100,000 shillings or up to 2 years in prison, or both.
20. Cyber Terrorism
Using computers for terrorist activities is a crime whose penalty is a fine up to 5 million shillings or up to 10 years in prison, or both.
21. Inducement to Deliver Electronic Message
Inducing someone to deliver electronic messages meant for someone else is a crime.
Penalty: Fine up to 200,000 shillings or up to 2 years in prison, or both.
22. Intentionally Withholding Electronic Messages
Keeping electronic messages not meant for you is a crime.
Penalty: Fine up to 200,000 shillings or up to 2 years in prison, or both.
23. Fraudulent Use of Electronic Data
Using electronic data to cause loss or misrepresent facts is a crime.
Penalty: Fine up to 200,000 shillings or up to 2 years in prison, or both.
24. Publication of Intimate Images
Sharing intimate images of someone without consent is a crime.
Penalty: Fine up to 200,000 shillings or up to 2 years in prison, or both.
25. Fraudulent Use of Electronic Data
Manipulating electronic data to cause loss or gain is a crime.
Penalty: Fine up to 200,000 shillings or up to 2 years in prison, or both.
26. Issuance of False Electronic Instructions
Issuing false electronic instructions in financial transactions is a crime.
Penalty: Fine up to 200,000 shillings or up to 2 years in prison, or both.
27. Reporting of Cyber Threats
Must report cyber threats or attacks to authorities within 24 hours.
Penalty for non-compliance: Fine up to 200,000 shillings or up to 2 years in prison, or both.
28. Employee Responsibility to Relinquish Access Codes
An employee must give up access codes to employer’s system after leaving a job.
Penalty for non-compliance: Fine up to 200,000 shillings or up to 2 years in prison, or both.
29. Aiding or Abetting Cybercrime
Helping or attempting to commit a cybercrime is a crime.
Penalty: Fine up to 7 million shillings or up to 4 years in prison, or both.
30. Offences by a Body Corporate
Companies committing cybercrimes can be fined up to 50 million shillings.
Responsible officers can also be fined up to 5 million shillings or imprisoned for up to 3 years, or both.
31. Confiscation or Forfeiture of Assets
Courts can confiscate assets gained from cybercrimes.
32. Compensation Orders
Courts can order compensation for losses caused by cybercrimes.
33. Additional Penalties for Other Offences
Committing other crimes using computers attracts additional penalties.