ICOs world over have received rejection due to their unregulated activities. Governments have not stopped at anything to render them illegal and ban any offerings to the market. However, this does not mean that all is lost for the supporters of the digital currencies. Last week Akon the musician announced that he would be building the ‘Real Wakanda City’, a crypto city which will be using his own digital currency called Akoin. He was given a 2000 acre piece of land by the President of Senegal to construct it. In Kenya, cryptocurrencies were banned in one year and allowed in the same one, this back and forth shows the lack understanding that is in the market as to how to safely transact in the currencies, Bitcoin being the most common one.

All said and done, the largest challenge such currencies will have is to gain the trust of the African, in a continent where Ponzi schemes have rendered people deeper into poverty and that internationally there are crypto exchanges that have collapsed. Despite all these there are still optimists who believe that the digital currency craze is not just a bubble but is here to stay, with that in mind let us consider the basics of the process of investing in the currencies.

An Initial Coin Offering (ICO) is the process of launching a cryptocurrency where supporters (early investors) are invited to contribute money to the development of the currency. Before an investor decides to participate in an ICO many things need to be considered but a few are paramount. This however, does not constitute legal advice rather it is legal information.

  1. Token legal design

Before investing in an ICO, it is prudent to know whether it is being launched as a security or a utility. Tokens can be used as currency, asset, company share, method of payment etc. As a security, an ICO is a tool for raising capital to get money to develop the currency so that once it is developed and acquires value it can be used to purchase commodities and at this point it has utility.

As security, the tokens will be representative of shares in a business hence you own an asset but cannot take possession. In the U.S. the SEC suggested that to categorise a token as a security it must pass the Howey Test which includes:

  • an investment of money or assets
  • the investment of money or assets in a common enterprise
  • an expectation of profits from the investment
  • profit come from the efforts of a promoter or third party i.e. the investor has no control over how the profit comes from the investment


As utility tokens, the ICO will be offering the token as a service/product that can be purchased. Utility tokens as the name suggests have a use. Akon’s proposed Akoin edges on being a utility token as he intends to use Akoin as the official currency of the city. The price of such tokens increases when the demand for a service or product goes up.

As a security token, there is limitation on who can launch an ICO and is associated with fewer legal risks than utility tokens. The bipolar nature of crypto currencies is important to understand.


  1. Simple Agreement for Future Transfer(SAFT)

A SAFT is an investment contract where an investor agrees to purchase tokens even before they are created with the future hope that once it is created and in use its value will increase. The investor is allowed to sell the tokens at a future date when the token price increases and this is how they make their money. This is a legal safeguard for early investors as proof that they gave out money to the issuer for some future benefit.

  1. Whitepaper

A whitepaper provides information to potential investors on the philosophy behind the coin. A typical ICO whitepaper contains the following categories: introduction, problem to be solved, use of the token, how to purchase the ICO, how the funds will be used and the team behind the creation. As an investor this should be sufficient preliminary information to prepare your mind on whether to invest or not. Sample statements of most whitepapers: on use of funds; “80 percent of funds will go to the development of the platform and 20 percent of funds will be distributed to the market”. However, a whitepaper should not be the reason you invest in an ICO, whether a company has users, a product or traction are vital questions to ask. In the paper, it is mandatory that it states that in the event the intended amount is not raised all the raised money is returned to the owners.


  1. Tokenomics

This means how does the token operate i.e. its usage and the underlying business model and it is close to the legal design. It involves the rights accruing with the token, the value exchange, the toll, how the earning will be made and the currency.

  1. Know Your Customer Policy

That cryptocurrencies are likely target for use for money laundering and other illegal activities is not news, what is news however is the fact that jurisdictions are coming up with their own lists of accredited investors thus not anyone can be an investor. KYC policies are necessary to verify investors. Your policies should however stick to the jurisdictions privacy laws. With the GDPR in force it is important to put safeguards on how the investors’ information will be processed and stored.

With investor confidence ICOs are set to increase and be successful. Governments should embrace the currencies rather than seeing them as a threat to the centralized financial system. As one William Mougayar said, “The stone age did not end for lack of stones”. Central players such as Central Banks will not go away rather appreciation of block chain enabled innovations could see an integration with the current financial system.

Cyber Law Series: #2 Cyber Espionage

In this article allow your mind to wander and to think about forensics, hacking and any other related terms because the discussion will follow this course.

Section 21 of the Act provides for the crime of cyber espionage and states that any person who performs an act that results in gaining access or intercepting data unlawfully commits a crime and is liable for a term not exceeding twenty years. Additionally, the Act criminalizes unauthorized access by infringing security measures so as to gain access. The focus for today shall be on persons who commit such acts which are translated as hacking.

In Kenya cases of hacking with an intent to gain access to systems are not new. Last year we were treated to news that KRA system had been hacked and a staggering 4 billion made away with. The man behind the alleged electronic fraud was Alex Mutuku. When the arrest was made police disconnected and took away every gadget with a memory; mobile phones, computers, hard drives, digital video recorders and servers. While the story has taken different twists, what is certain is that evidence to prove the case is a necessary component otherwise, the allegations hold no water.

In Kenya, the laws dealing with electronic fraud are the Kenya Information Communication Act under section 84B and now the Computer Misuse and Cybercrimes Act, 2018. When faced with a case where evidence would be digitally presented, the court is guided by section 78A of the Evidence Act. In the case of Republic v Mark Lloyd Stevenson (2016) eKLR the emails were not authenticated by giving their technological footprint hence were not admissible in court. Authentication is necessary to prohibit tampering which is common in e-evidence and could render an allegation invalid.

The case of Oquendo where the accused was recently found guilty of killing her step daughter, the investigators produced geolocation information extracted from a mobile device but the judge expected a more scientific treatment of the evidence while casting doubt on the reliability of the digital traces this can be loosely translated to mean, more evidence to the authenticity of the e-evidence.

In both cases, the importance of e-evidence to try a matter is clear as well the risk of tampering or falsification is evident hence the need to clearly preserve the evidence.

Why is tampering a risk? E-evidence is highly volatile hence can be changed or manipulated through file deletion softwares, viruses, and botnets. Once manipulated it is difficult to detect and trace it unless with the help of a forensics expert. While in fact the duty of making decisions is the reserve of the judge, the role of an expert testimony cannot be undermined at all costs as they help judges to understand forensic findings and their value in a case.

The role of an expert is not to make decisions but to give an assessment hence it is important for the expert not to present the material as facts such that it gives no room for exploring the alternatives. This will also help curb bias.

There is need for a standardized approach to expert evidence with an insistence on them acting as assessors. The law being in place already points to a need for regulating the cyberspace hence more needs to be done on the procedure of producing expert evidence as we expect more of evidence to be presented in this manner.  The standalone laws should be made in consultation with computer forensics experts to establish a nomenclature for digital evidence.



CYBER SERIES FOR CYBERLAWYER: #1 Information Sharing Agreements and International Cooperation

The Computer Misuse and Cybercrimes Act, 2018 was assented to on 16th May 2018 and came into force on 30th May 2018. The law which makes certain acts punishable by law aims at regulating the many things that could go wrong on the cyberspace. As expected, and of course, as a matter of genuine concern the law came under strict scrutiny from the public which led to the suspension of 26 sections of the Act. The Act was accused among other things of attempting to gag media freedom.

At Legal Hub we shall begin a CyberLaw series to expound more on the legislation which can silently have far reaching consequences for its offenders. The series will borrow from past cyber incidents and potential cyber events that Kenya suffered and how to avoid such pitfalls in the future.

During a court hearing or in pleadings it is common to hear/ read an advocate saying “section 2 of … read together with section 6 of …” This is exactly how this post will proceed by reading section 12 of the Act together with Part V of it. Section 12 provides for international cooperation between a private and public entity for information sharing on critical infrastructure and states the conditions of such an agreement. It limits sharing of two categories of data; of a person not directly related to a cyber crime and health status information. Part v of the Act provides how to go about the process of information sharing with regards to a cyber crime.

Information sharing in this context is in a bid to avert or prosecute a cyber crime and as such the process must be handled with utmost care to preserve the confidentiality, integrity and availability of the data. While not involving trans-border crimes, the case of tampering with digitally stored records in the just concluded elections should be a lesson that alteration is a possibility and any interested parties will go to whatever lengths to do that. Internationally, the case of Gutman v Klein is proof (no pun intended :-)) of how electronics tampering of evidence can affect discovery in the event that a cyber crime goes to trial. In this case, the respondent destroyed electronic evidence by “downloading a file deletion program, backdated specific programs and files and then reinstalled computer software on his laptop prior to producing it during discovery”. This is important in the case where such information sharing is done over insecure networks posing the risk of eavesdropping and stored in insecure areas such a public cloud. Faced with such ever evolving risks, there will be need for comprehensive regulations that adhere to standard practices for the sake of preserving the CIA of information.

What is impressive about the Act is that it highlights a kind data sharing code by requiring:

  1. That only relevant information is shared.
  2. The name of the offence that is the subject of a criminal investigation.
  3. The authority that will deal with the information be stated.
  4. That how the data being sought is linked to alleged crime be revealed.
  5. Reasons why that information needs to be preserved.
  6. The intention to seek mutual cooperation to be stated.
  7. The requesting authority to have conducted some due diligence before making a request by requiring that they give any information they have with regards to the stored computer data and location of the system they want.


Big Data and Microfinance in Kenya: Privacy Concerns in Alternative Credit Scoring Models

The era of digitisation has ushered in the development of many new technologies that have improved the way in which business is undertaken. One such improvement is in the area of data. Data-driven companies are likely to be the most competitive in this current era. This has attracted efforts from the government and private sector in collecting and sharing data from various sectors. There is a lot of personally identifiable information that is collected and archived in data stores; all of which is taking place in a regulatory environment devoid of a national data protection law.

Big data is defined as the voluminous, high velocity and different variety of information requiring specific technology and analytical methods for it to be transformed into value. The advantage of big data in the business world cannot be overemphasized with its importance ranging from cutting operating costs such as storage to determining how products should be tailored for advertising. Creating value out of these disparate data sets has been made possible using powerful data analytics tools such as Hadoop.

One particular way in which big data continues to be useful is in the Kenyan financial sector through Alternative Credit Scoring Models. One of the key drivers of economic change in Kenya is Small Medium Enterprises but one challenge these SMEs all face is access to financing. In response, there has been an increase in micro finance lending institutions which, unlike the brick-and-mortal banking sector, do not need collateral rather use different data points to assess one’s credit-worthiness. One such company is Tala which establishes a user’s financial identity by gathering 10,000 data points in a few seconds. As a result, information other than previous credit history is used to assess credit-worthiness.

Kenyans generate data from limited sources the most common one being their mobile phones and social media activity; noting that publicly available data is not detailed enough to assist in making decisions such as eligibility for a loan. These other data points may include mobile money payments and exam scores.  Branch, a digital lender uses an individual’s GPS data, SMS, call log data and contact list to determine ones loan size. While all these may be a noble attempt at ensuring that persons not previously eligible for loans receive credit to enhance their daily lives it does so in the face of numerous data privacy concerns.

The question of how data is sourced, stored and shared remains unclear to borrowers. This concern is further aggravated by the lack of a national law and regulations on data protection. Undoubtedly, there exist industry specific regulations on dealing with data however, a stand-alone piece of data protection legislation is necessary since industry specific regulations such as those applicable to Interswitch which is PCI-DSS compliant are tailored based on international requirements. This is not to mean that the Kenyan government has not made efforts at developing a national data protection law. The rise of big data has seen the government intervene in an attempt to offer protection to Kenyans with regards to how their data is used. Aside from the Kenya Information and Communication Act which has provisions on data protection, a draft Data Protection Bill is in the pipeline.

The draft bill has important provisions which will protect the data generated by Kenyans. One such provision is on data processing which relinquishes power to data subjects by requiring their consent in order to process their information. The Bill further provides for the adherence to the principles on data protection. It will be interesting to see how it all plays out given that some data controllers have terms and conditions that cause a data subject relinquish his/her right to consent. The Bill also deals with the commercial use by requiring that a person obtains express consent from the data subject before such data is commercialised. Data controllers have found a way to circumvent this provision even before enactment of the law through the already set terms and conditions that a user has to accept before using a product. Of course, an argument that organisations should be tasked with the duty of securing personal data through secure mechanisms in their databases may be raised but this duty cannot be wholly delegated to organisations to self-regulate. A more inclusive approach involving the government through its legislative arm would create more certainty in enhancing the right to data privacy.

The absence of consent has led to the usage of data in Kenya for a multitude of purposes even unrelated to those for which the data was provided. By giving people the opportunity to give consent and control how their data is used, the right to privacy is enhanced. Power to the data subjects will ensure that data ethics are maintained as we await a comprehensive piece of legislation. Concerted efforts from the various stakeholders; government bodies and private bodies need to ensure that the laws to be enacted are comprehensive. With the issues of privacy and consent not well addressed, Big Data is sure to cause Big Problems!

Originally posted in CIPIT Blog

Tobacco Regulations, 2014: Balancing the Protection of Trade Secrets and the Right to Privacy.

Part III of the regulations provides that the tobacco industry must provide the following information about their products:

  1. List of ingredients in tobacco products and tobacco product components;
  2. Reasons for including the ingredients;
  3. All the toxicological data available to the manufacturer about the ingredients of the tobacco products and their effects on health and information on the characteristics of the leaves i.e. their type, percentage, percentage when expanded and changes made about tobacco product ingredients.

These requirements are a replica 2009 US law that granted the Food and Drug Administration (FDA) powers to direct tobacco companies to disclose ingredients in new products and changes to existing products. They also adhere to article 9 and 10 of the WHO Framework Convention on Tobacco Control (FCTC).

Whether the information that tobacco companies want to protect qualifies to be trade secrets is disputable. The law of confidence which is rooted in equity and legislated under article 39 of the Agreement on Trade- Related Aspects of Intellectual Property Rights (TRIPS) to which Kenya is a signatory to protects trade secrets. Article 39 of the Agreement stipulates that the following requirements must be met for information to be regarded as trade secrets: secrecy, commercial value and reasonable efforts to maintain secrecy.

The information held must be of a secretive nature though not absolutely secret. Employees, business partners and other persons can know the particulars, provided they keep them secret. Besides, ordinary and mundane information can be the subject of confidence so long as the information is private to the compiler. This was illustrated in Coco v AN Clark (Engineers) Ltd [1969] where the Court found that information that is common knowledge to a group of persons (in this case tobacco manufacturers) is part of the public domain and is not confidential. Therefore information regarding ingredients must be confidential to qualify as a trade secret.

Secondly, the information must have commercial value i.e. there must be some utility obtained from the information being secret. The manufacturer must be able to use it to acquire a business advantage over other manufacturer(s) in the same industry. Therefore, the information must only be known to the manufacturer to have commercial value. Disputably, players in the tobacco industry could argue that the information they guard has commercial value to them as it is what gives one company an edge over a competitor that uses different ingredients and manufacturing processes

Lastly, the owners of the secrets must carry out steps to ensure that the information is well secured. According to WIPO, some of the reasonable steps that can be taken to secure trade secrets include: non-disclosure agreements, training and capacity building with employees, instituting an information protection team, having a trade secret SWAT team, establishing due diligence and continuous third-party management procedures among others.

Kenya, as a signatory to TRIPS, is obligated to protect trade secrets. These regulations do not however protect trade secrets and business ‘know-how’ once it is revealed; meaning once revealed it loses its secrecy. This leaves trade secrets and business ‘know-how’, such as the list of ingredients and percentage of leaves expanded, vulnerable to appropriation.

In taking the role of devil’s advocate, it is worth considering whether the information that the tobacco industry is required to reveal under Part III really falls within the scope of trade secrets. Let us go back in history to understand the situation as it was that caused the emergence of such requirements. In 1998, 35 million pages of what was considered confidential information were revealed as a result of the Minnesota’s Tobacco Trial in the US. This information was on the harmful ingredients that tobacco companies used in the products. In what was considered the Master Settlement Agreement, the U.S. agreed not to sue the corporations in exchange of the corporations revealing all documents considered to be confidential to the public. It is important to note that one of the companies involved in the Supreme Court application to throw out the regulations was implicated in this law suit for failing to reveal to consumers harmful ingredients contained in their tobacco products.

Moreover, research carried out between 1937 and 2001 of tobacco companies, some of which operate in Kenya, revealed that tobacco ingredients are not secret rather the companies simply reverse engineer their competitor’s brands to create their own. This report argues that since the reverse engineering process is done routinely, it does not meet the threshold of secrecy for information to be a trade secret. The report implicates some multinationals that operate in Kenya. If this is anything to go by, then it negates the fact that the information in question has commercial value and is secret.

It is thus important to strike a balance between consumer protection measures and the protection of corporations’ intellectual property. Overzealous consumer protection regulations result in laws that infringe on corporations right to privacy and violate their intellectual property rights, to the detriment of their revenue and the country’s economy as a whole. Since the appeal was dismissed at the Supreme Court, it will be interesting to see whether the manufacturers will abide by the regulations.

Originally posted at CIPIT Blog.


The Finnovation Fintech series events organized by Ethico Live had a session in Nairobi last week at the Radisson Blu in Nairobi. The event meant to steer conversations around financial innovation in the banking sector brought together key players in the industry including banking leaders, policy makers, investors and most importantly the innovators driving the change for financial inclusion. As part of the discussion one idea became prominent; the need for collaboration between the old and new; the banks and fintechs respectively. This need takes me back to the article by Sunny Bindra’s article here where he tackles the importance of staying analogue as much as it is important to go digital for the sake of progress. Collaboration was seen as a key factor to drive the agenda of financial inclusion as the banks are endowed with resources among other advantages while the fintechs operate within little to no regulation which encourages innovation among other advantages.

This article shall discuss issues discussed that touched on regulation. As the end customer of these businesses, the aspect of consumer protection was explored with regards to the emerging fintech apps available in the Kenyan market and claims that some of them charge abnormal interest rates for lending. Additionally, the apps were faulted for giving out loans without scrutinizing whether the same person had borrowed a loan on another app calling for a review of lending policies. Consequently, people borrow loans to repay loans borrowed on other apps; not surprising that these money lending apps were among the most downloaded apps in Kenya according to BAKE. In this light, it was agreed that some due diligence ought to be exercised by the apps before lending to ensure that credit is obtained for purposeful reasons. In what has been dubbed ‘fintech fueled lending craze’ that has seen almost 2.7 million users negatively listed by the Credit Reference Bureau, the government of Kenya intends to bring sanity into this area. Currently, a draft Bill (Financial Markets Conduct Bill, 2018) to regulate the lending has been proposed which among other things will seek to cap the lending rates of the different lending apps. In matters of regulating the lending apps it was agreed that it is important to not add other levels of regulators which would consequently increase the cost of compliance.

The question of whether regulation would be an enabler or a threat to financial innovation was addressed. The good example of M-pesa and how it is has grown largely unregulated as a financial services provider was given; the challenge here remains whether it should be regulated as financial services provider or under telecommunications. Despite the fear of the stifling effect of regulation, it was well agreed that it is mandatory to regulate the multi-faceted fintech space due to the various ways it is affected; systems security, cybercrime, adherence to sector standards such as PCI-DSS where a company stores, transmits and processes card information and IFRS reporting. One of the self-regulation practices that financial institutions that carry out digital banking may be involved in is the Know Your Customer procedures (eKYC), this was highlighted as a way of lenders to shield themselves from risk. In Kenya, KYC regulations are legislated only for money laundering under the Proceeds of Crimes and Anti Money Laundering Regulations.

The State of the Internet report 2017 by BAKE indicated the importance of sound regulation as regulation can affect public perceptions; progressive regulations have the potential of bringing about good perceptions hence there may be more adoption of the technology.


Having discussed the importance of policy and regulation in the fintech world, it will be mandatory to ensure that these should be formulated to enable investments. The Nigerian market was used as a good example of how policy can be used as a propeller of growth. One such regulation is the Venture Capital (Incentives) Act that gives companies engaging in venture projects incentives to operate in the country.

The issue of regulation lagging behind due to rapid technological advancements was raised. This was met by a suggestion of real time regulation in these times where lending is done in a faster way than before and as more products continue to infiltrate the market. In practical terms, the regulations should ensure that such innovations come with transparency in terms of how it works and reveal the interest rates that are charged on a monthly basis this will curtail enterprises that charge exorbitant rates to unknowing customers.

The aspect of cloud computing adoption by banks was explored. Several emerging cloud trends which legislation could have a bearing on were also highlighted such as data localization. Data localization laws are crucial because they would inform where customers’ data would be stored. Thus, informing certain business decisions such as whether to open data centres in the region. However, for now Kenya has no data protection laws and such decisions are the sole reserve for organisations.

Discussion around data analytics were held as this is as a key factor driving these fintech which use alternative credit scoring methods most of which are data driven as opposed to the brick and mortar banks which largely perform collateral based lending. Indeed, from a legal perspective, this raises data privacy issues, especially the contention around hideous terms and conditions which force users to give up data privacy to be able to use the apps.

Lastly, the issue of security of wallets (a software that facilitates the transaction of digital currencies by storing the private and public keys necessary to conduct a transaction) was addressed. It was stated that as more adoption of cryptocurrency continues it will be necessary to get a trusted wallet provider for safe transactions.