The Computer Misuse and Cybercrimes Act, 2018 was assented to on 16th May 2018 and came into force on 30th May 2018. The law which makes certain acts punishable by law aims at regulating the many things that could go wrong on the cyberspace. As expected, and of course, as a matter of genuine concern the law came under strict scrutiny from the public which led to the suspension of 26 sections of the Act. The Act was accused among other things of attempting to gag media freedom.
At Legal Hub we shall begin a CyberLaw series to expound more on the legislation which can silently have far reaching consequences for its offenders. The series will borrow from past cyber incidents and potential cyber events that Kenya suffered and how to avoid such pitfalls in the future.
During a court hearing or in pleadings it is common to hear/ read an advocate saying “section 2 of … read together with section 6 of …” This is exactly how this post will proceed by reading section 12 of the Act together with Part V of it. Section 12 provides for international cooperation between a private and public entity for information sharing on critical infrastructure and states the conditions of such an agreement. It limits sharing of two categories of data; of a person not directly related to a cyber crime and health status information. Part v of the Act provides how to go about the process of information sharing with regards to a cyber crime.
Information sharing in this context is in a bid to avert or prosecute a cyber crime and as such the process must be handled with utmost care to preserve the confidentiality, integrity and availability of the data. While not involving trans-border crimes, the case of tampering with digitally stored records in the just concluded elections should be a lesson that alteration is a possibility and any interested parties will go to whatever lengths to do that. Internationally, the case of Gutman v Klein is proof (no pun intended :-)) of how electronics tampering of evidence can affect discovery in the event that a cyber crime goes to trial. In this case, the respondent destroyed electronic evidence by “downloading a file deletion program, backdated specific programs and files and then reinstalled computer software on his laptop prior to producing it during discovery”. This is important in the case where such information sharing is done over insecure networks posing the risk of eavesdropping and stored in insecure areas such a public cloud. Faced with such ever evolving risks, there will be need for comprehensive regulations that adhere to standard practices for the sake of preserving the CIA of information.
What is impressive about the Act is that it highlights a kind data sharing code by requiring:
- That only relevant information is shared.
- The name of the offence that is the subject of a criminal investigation.
- The authority that will deal with the information be stated.
- That how the data being sought is linked to alleged crime be revealed.
- Reasons why that information needs to be preserved.
- The intention to seek mutual cooperation to be stated.
- The requesting authority to have conducted some due diligence before making a request by requiring that they give any information they have with regards to the stored computer data and location of the system they want.