Zero Rating of the Internet and its Impact on Net Neutrality

Mobile phone penetration in the Kenya has increased tremendously over the years. The Communication Authority of Kenya (CA), in its first quarter 2017/2018 financial year report placed mobile and Internet subscriptions in the country at 41 and 51 million subscriptions respectively. In spite of this increased mobile and Internet penetration, the high cost of accessing the Internet continues to be a constant hindrance to a majority of mobile users in Kenya.

Private companies, in response to this issue, have attempted to provide ‘free’ or subsidised Internet through what has come to be known as zero-rating of the Internet. In this practice, providers of zero-rated Internet, partner with Internet service providers (typically mobile networks) to subsidise access to the Internet. Access to the Internet under such programs is however limited to the zero-rated Internet providers’ website. Examples of such services include: Free Basics by Facebook and Wikipedia’s Zero.

These services are however extremely controversial due to concerns about their impact on net neutrality and effectiveness as a long-term policy for improving Internet access.

Proponents of zero-rated Internet claim that such services connect people who previously did not have access to the Internet especially in emerging markets in Africa and Asia. While connectivity may increase, the fact remains that Internet service providers and companies that engage in this service derive immense financial benefits from such services. For example, mobile Internet providers use free access to the Internet as an on-boarding strategy. Secondly, access to the Internet under this practice is limited to one or a few popular sites depending on the zero-rated Internet service in question. This calls to question the supposed ‘benevolence’ of such services especially in light of their detrimental impact on net neutrality, which holds that all content and users be treated equally so as to ensure free flow of information online.

While zero-rating can be viewed as beneficial to consumers as they do not incur data charges when visiting zero rated websites, it is detrimental as it in a sense changes the “face of the Internet” by limiting the number of websites which users can access. It effectively operates as an information control principally in the event that such services become ubiquitous and to the extent that they are the first point of entry to the Internet for millions and potentially billions of people.

Furthermore, zero-rating of the Internet jeopardizes freedom of expression online. The forums on which Internet users can freely develop and express their opinions are limited and to a great extent controlled by the parties that subsidize access to the Internet. The ideological underpinnings of the internet, and its role as a medium for advocacy on the protection of civil rights, is at danger of being obfuscated in this paradigm.

Moreover, zero-rating greatly reduces the incentive for content creators who do not have the required financial muscle to continue producing content. It is therefore no surprise that companies like Microsoft and other tech giants are at the forefront of championing zero rating. This is however highly ironic seeing that companies such as Wikipedia and Facebook would not have been able to transcend the ‘start-up’ stage had the Internet at their time of inception been limited through zero-rating. Again, the undermining of the right of Internet users to freedom of expression and uninhibited access to the Internet cuts to the core of this issue.

The impact of zero rated Internet is best gleaned through an analysis of the areas where it is widely offered as illustrated below.

Binge On™, is a video streaming service provided by T-Mobile, a mobile telecommunications company. Binge On™ provides zero-rated streaming for specific content providers while limiting the capacity of “non zero-rated” content providers from streaming its platform. “T-Mobile’s Binge On Violates Key Net Neutrality Principles” a report done by Stanford Law School found that T-Mobile, through its zero-rated service, stifled innovation by barring content creators who did not meet its substantial technical requirements. This exposes the fallacy of the perceived ‘altruism’ behind such services i.e. through the commercialization of information and innovation by extension. This further underscores the importance of maintaining ‘diversity of expression’, in the current knowledge economy, where large tracts of information are generated and disseminated online.

Proponents of this practice argue that zero rating is necessary if we are to achieve universal connectivity. The discussion above however, pokes serious holes into this argument. While universal connectivity is necessary to bolster communication, such hopes shall be relegated to a pipe dream as companies that cannot afford to zero rate their services are unable to fairly compete and reach consumers.

It is with this in mind that a need for a comprehensive legal and policy framework to address zero rating arises. Zero-rating should not be used as a substitute for Internet access. Openness, which is a central tenet of the Internet, must be legally protected. While, there are no country specific laws that deal with the effects of zero rating on freedom of expression, article 33(1a) of the Constitution of Kenya provides for the freedom to seek, receive and impart ideas. Internationally, article 19(2) of the International Covenant on Civil and Political Rights (ICCPR) provides for the freedom of expression.

The Internet is and should remain a bastion of freedom of expression. Kenya is thus bound to enact laws and policies that specifically protect this right ‘out of the normal context of speech’ seeing as Internet based modes of protection are protected under the ICCPR.

Originally posted in cipit.org

Cyber Law Series: #2 Cyber Espionage

In this article allow your mind to wander and to think about forensics, hacking and any other related terms because the discussion will follow this course.

Section 21 of the Act provides for the crime of cyber espionage and states that any person who performs an act that results in gaining access or intercepting data unlawfully commits a crime and is liable for a term not exceeding twenty years. Additionally, the Act criminalizes unauthorized access by infringing security measures so as to gain access. The focus for today shall be on persons who commit such acts which are translated as hacking.

In Kenya cases of hacking with an intent to gain access to systems are not new. Last year we were treated to news that KRA system had been hacked and a staggering 4 billion made away with. The man behind the alleged electronic fraud was Alex Mutuku. When the arrest was made police disconnected and took away every gadget with a memory; mobile phones, computers, hard drives, digital video recorders and servers. While the story has taken different twists, what is certain is that evidence to prove the case is a necessary component otherwise, the allegations hold no water.

In Kenya, the laws dealing with electronic fraud are the Kenya Information Communication Act under section 84B and now the Computer Misuse and Cybercrimes Act, 2018. When faced with a case where evidence would be digitally presented, the court is guided by section 78A of the Evidence Act. In the case of Republic v Mark Lloyd Stevenson (2016) eKLR the emails were not authenticated by giving their technological footprint hence were not admissible in court. Authentication is necessary to prohibit tampering which is common in e-evidence and could render an allegation invalid.

The case of Oquendo where the accused was recently found guilty of killing her step daughter, the investigators produced geolocation information extracted from a mobile device but the judge expected a more scientific treatment of the evidence while casting doubt on the reliability of the digital traces this can be loosely translated to mean, more evidence to the authenticity of the e-evidence.

In both cases, the importance of e-evidence to try a matter is clear as well the risk of tampering or falsification is evident hence the need to clearly preserve the evidence.

Why is tampering a risk? E-evidence is highly volatile hence can be changed or manipulated through file deletion softwares, viruses, and botnets. Once manipulated it is difficult to detect and trace it unless with the help of a forensics expert. While in fact the duty of making decisions is the reserve of the judge, the role of an expert testimony cannot be undermined at all costs as they help judges to understand forensic findings and their value in a case.

The role of an expert is not to make decisions but to give an assessment hence it is important for the expert not to present the material as facts such that it gives no room for exploring the alternatives. This will also help curb bias.

There is need for a standardized approach to expert evidence with an insistence on them acting as assessors. The law being in place already points to a need for regulating the cyberspace hence more needs to be done on the procedure of producing expert evidence as we expect more of evidence to be presented in this manner.  The standalone laws should be made in consultation with computer forensics experts to establish a nomenclature for digital evidence.

 

 

CYBER SERIES FOR CYBERLAWYER: #1 Information Sharing Agreements and International Cooperation

The Computer Misuse and Cybercrimes Act, 2018 was assented to on 16th May 2018 and came into force on 30th May 2018. The law which makes certain acts punishable by law aims at regulating the many things that could go wrong on the cyberspace. As expected, and of course, as a matter of genuine concern the law came under strict scrutiny from the public which led to the suspension of 26 sections of the Act. The Act was accused among other things of attempting to gag media freedom.

At Legal Hub we shall begin a CyberLaw series to expound more on the legislation which can silently have far reaching consequences for its offenders. The series will borrow from past cyber incidents and potential cyber events that Kenya suffered and how to avoid such pitfalls in the future.

During a court hearing or in pleadings it is common to hear/ read an advocate saying “section 2 of … read together with section 6 of …” This is exactly how this post will proceed by reading section 12 of the Act together with Part V of it. Section 12 provides for international cooperation between a private and public entity for information sharing on critical infrastructure and states the conditions of such an agreement. It limits sharing of two categories of data; of a person not directly related to a cyber crime and health status information. Part v of the Act provides how to go about the process of information sharing with regards to a cyber crime.

Information sharing in this context is in a bid to avert or prosecute a cyber crime and as such the process must be handled with utmost care to preserve the confidentiality, integrity and availability of the data. While not involving trans-border crimes, the case of tampering with digitally stored records in the just concluded elections should be a lesson that alteration is a possibility and any interested parties will go to whatever lengths to do that. Internationally, the case of Gutman v Klein is proof (no pun intended :-)) of how electronics tampering of evidence can affect discovery in the event that a cyber crime goes to trial. In this case, the respondent destroyed electronic evidence by “downloading a file deletion program, backdated specific programs and files and then reinstalled computer software on his laptop prior to producing it during discovery”. This is important in the case where such information sharing is done over insecure networks posing the risk of eavesdropping and stored in insecure areas such a public cloud. Faced with such ever evolving risks, there will be need for comprehensive regulations that adhere to standard practices for the sake of preserving the CIA of information.

What is impressive about the Act is that it highlights a kind data sharing code by requiring:

  1. That only relevant information is shared.
  2. The name of the offence that is the subject of a criminal investigation.
  3. The authority that will deal with the information be stated.
  4. That how the data being sought is linked to alleged crime be revealed.
  5. Reasons why that information needs to be preserved.
  6. The intention to seek mutual cooperation to be stated.
  7. The requesting authority to have conducted some due diligence before making a request by requiring that they give any information they have with regards to the stored computer data and location of the system they want.

 

Big Data and Microfinance in Kenya: Privacy Concerns in Alternative Credit Scoring Models

The era of digitisation has ushered in the development of many new technologies that have improved the way in which business is undertaken. One such improvement is in the area of data. Data-driven companies are likely to be the most competitive in this current era. This has attracted efforts from the government and private sector in collecting and sharing data from various sectors. There is a lot of personally identifiable information that is collected and archived in data stores; all of which is taking place in a regulatory environment devoid of a national data protection law.

Big data is defined as the voluminous, high velocity and different variety of information requiring specific technology and analytical methods for it to be transformed into value. The advantage of big data in the business world cannot be overemphasized with its importance ranging from cutting operating costs such as storage to determining how products should be tailored for advertising. Creating value out of these disparate data sets has been made possible using powerful data analytics tools such as Hadoop.

One particular way in which big data continues to be useful is in the Kenyan financial sector through Alternative Credit Scoring Models. One of the key drivers of economic change in Kenya is Small Medium Enterprises but one challenge these SMEs all face is access to financing. In response, there has been an increase in micro finance lending institutions which, unlike the brick-and-mortal banking sector, do not need collateral rather use different data points to assess one’s credit-worthiness. One such company is Tala which establishes a user’s financial identity by gathering 10,000 data points in a few seconds. As a result, information other than previous credit history is used to assess credit-worthiness.

Kenyans generate data from limited sources the most common one being their mobile phones and social media activity; noting that publicly available data is not detailed enough to assist in making decisions such as eligibility for a loan. These other data points may include mobile money payments and exam scores.  Branch, a digital lender uses an individual’s GPS data, SMS, call log data and contact list to determine ones loan size. While all these may be a noble attempt at ensuring that persons not previously eligible for loans receive credit to enhance their daily lives it does so in the face of numerous data privacy concerns.

The question of how data is sourced, stored and shared remains unclear to borrowers. This concern is further aggravated by the lack of a national law and regulations on data protection. Undoubtedly, there exist industry specific regulations on dealing with data however, a stand-alone piece of data protection legislation is necessary since industry specific regulations such as those applicable to Interswitch which is PCI-DSS compliant are tailored based on international requirements. This is not to mean that the Kenyan government has not made efforts at developing a national data protection law. The rise of big data has seen the government intervene in an attempt to offer protection to Kenyans with regards to how their data is used. Aside from the Kenya Information and Communication Act which has provisions on data protection, a draft Data Protection Bill is in the pipeline.

The draft bill has important provisions which will protect the data generated by Kenyans. One such provision is on data processing which relinquishes power to data subjects by requiring their consent in order to process their information. The Bill further provides for the adherence to the principles on data protection. It will be interesting to see how it all plays out given that some data controllers have terms and conditions that cause a data subject relinquish his/her right to consent. The Bill also deals with the commercial use by requiring that a person obtains express consent from the data subject before such data is commercialised. Data controllers have found a way to circumvent this provision even before enactment of the law through the already set terms and conditions that a user has to accept before using a product. Of course, an argument that organisations should be tasked with the duty of securing personal data through secure mechanisms in their databases may be raised but this duty cannot be wholly delegated to organisations to self-regulate. A more inclusive approach involving the government through its legislative arm would create more certainty in enhancing the right to data privacy.

The absence of consent has led to the usage of data in Kenya for a multitude of purposes even unrelated to those for which the data was provided. By giving people the opportunity to give consent and control how their data is used, the right to privacy is enhanced. Power to the data subjects will ensure that data ethics are maintained as we await a comprehensive piece of legislation. Concerted efforts from the various stakeholders; government bodies and private bodies need to ensure that the laws to be enacted are comprehensive. With the issues of privacy and consent not well addressed, Big Data is sure to cause Big Problems!

Originally posted in CIPIT Blog

Tobacco Regulations, 2014: Balancing the Protection of Trade Secrets and the Right to Privacy.

Part III of the regulations provides that the tobacco industry must provide the following information about their products:

  1. List of ingredients in tobacco products and tobacco product components;
  2. Reasons for including the ingredients;
  3. All the toxicological data available to the manufacturer about the ingredients of the tobacco products and their effects on health and information on the characteristics of the leaves i.e. their type, percentage, percentage when expanded and changes made about tobacco product ingredients.

These requirements are a replica 2009 US law that granted the Food and Drug Administration (FDA) powers to direct tobacco companies to disclose ingredients in new products and changes to existing products. They also adhere to article 9 and 10 of the WHO Framework Convention on Tobacco Control (FCTC).

Whether the information that tobacco companies want to protect qualifies to be trade secrets is disputable. The law of confidence which is rooted in equity and legislated under article 39 of the Agreement on Trade- Related Aspects of Intellectual Property Rights (TRIPS) to which Kenya is a signatory to protects trade secrets. Article 39 of the Agreement stipulates that the following requirements must be met for information to be regarded as trade secrets: secrecy, commercial value and reasonable efforts to maintain secrecy.

The information held must be of a secretive nature though not absolutely secret. Employees, business partners and other persons can know the particulars, provided they keep them secret. Besides, ordinary and mundane information can be the subject of confidence so long as the information is private to the compiler. This was illustrated in Coco v AN Clark (Engineers) Ltd [1969] where the Court found that information that is common knowledge to a group of persons (in this case tobacco manufacturers) is part of the public domain and is not confidential. Therefore information regarding ingredients must be confidential to qualify as a trade secret.

Secondly, the information must have commercial value i.e. there must be some utility obtained from the information being secret. The manufacturer must be able to use it to acquire a business advantage over other manufacturer(s) in the same industry. Therefore, the information must only be known to the manufacturer to have commercial value. Disputably, players in the tobacco industry could argue that the information they guard has commercial value to them as it is what gives one company an edge over a competitor that uses different ingredients and manufacturing processes

Lastly, the owners of the secrets must carry out steps to ensure that the information is well secured. According to WIPO, some of the reasonable steps that can be taken to secure trade secrets include: non-disclosure agreements, training and capacity building with employees, instituting an information protection team, having a trade secret SWAT team, establishing due diligence and continuous third-party management procedures among others.

Kenya, as a signatory to TRIPS, is obligated to protect trade secrets. These regulations do not however protect trade secrets and business ‘know-how’ once it is revealed; meaning once revealed it loses its secrecy. This leaves trade secrets and business ‘know-how’, such as the list of ingredients and percentage of leaves expanded, vulnerable to appropriation.

In taking the role of devil’s advocate, it is worth considering whether the information that the tobacco industry is required to reveal under Part III really falls within the scope of trade secrets. Let us go back in history to understand the situation as it was that caused the emergence of such requirements. In 1998, 35 million pages of what was considered confidential information were revealed as a result of the Minnesota’s Tobacco Trial in the US. This information was on the harmful ingredients that tobacco companies used in the products. In what was considered the Master Settlement Agreement, the U.S. agreed not to sue the corporations in exchange of the corporations revealing all documents considered to be confidential to the public. It is important to note that one of the companies involved in the Supreme Court application to throw out the regulations was implicated in this law suit for failing to reveal to consumers harmful ingredients contained in their tobacco products.

Moreover, research carried out between 1937 and 2001 of tobacco companies, some of which operate in Kenya, revealed that tobacco ingredients are not secret rather the companies simply reverse engineer their competitor’s brands to create their own. This report argues that since the reverse engineering process is done routinely, it does not meet the threshold of secrecy for information to be a trade secret. The report implicates some multinationals that operate in Kenya. If this is anything to go by, then it negates the fact that the information in question has commercial value and is secret.

It is thus important to strike a balance between consumer protection measures and the protection of corporations’ intellectual property. Overzealous consumer protection regulations result in laws that infringe on corporations right to privacy and violate their intellectual property rights, to the detriment of their revenue and the country’s economy as a whole. Since the appeal was dismissed at the Supreme Court, it will be interesting to see whether the manufacturers will abide by the regulations.

Originally posted at CIPIT Blog.

HIGHLIGHTS FROM ICT WEEK 2018

The annual event brought by Communication Authority was meant to coincide with the day when the International Telegraph Convention was signed establishing the International Telegraph Union, 17 May 1865 where Kenya is a member state. The event focused on emerging technologies and how they can be used to drive the recently unveiled Big 4 agenda; food security, manufacturing, universal health and affordable housing. The post shall address the legal perspective of these technologies that were addressed.

First, the technologies in discussion were Artificial Intelligence (AI), Internet of Things (IoT) and block chain. The first day began with a panel discussion comprised of the AI and block chain taskforce led by Mr. Bitange Ndemo.  Of importance emphasis was the way such technology continues to be used unregulated. However, Bitange was quick to state that technology should be allowed to thrive before the law could come to govern so as to avoid stifling technological development in the country. That way it becomes possible to know the various ways which the technology can be used before such usage can be restricted or allowed.

The rate of absorption of technology by various sectors was highlighted. One key highlight was the decision to use block chain in the land registry to deal with the challenges of land transaction in Kenya. In terms of ranking, the legal sector was ranked the last due to the resistance by lawyers in the fear that such usage of technology would cut off their revenue streams. Despite such opposition, the reality of having to deal with disputes associated with these emerging technologies was discussed and this was posed as a new opportunity for such lawyers. Other benefits included enjoying economies of scale, since with technology carrying out the repetitive, time-consuming and unambiguous legal tasks, the lawyer will be able to handle more cases at the substance level rather than procedural that can be delegated to machines. The most expected challenge would be the lack of capacity to deal with such cases at the judiciary level.

Cybersecurity was at the forefront of the discussion especially with the Cybercrime and Computer Related Act that was passed. Additionally, as more activities are expected to be carried out in the cyberspace in fulfillment of the Agenda it will be necessary to ensure such safety online. The greatly contested piece of legislation was seen as a solution to deal with ever evolving threat in the cyberspace.

There were presentations on how the various emerging technologies are being used to implement the Agenda. Two presentations that stood out in their use of technology for service delivery. One was by M-health, a telehealth company that provides medical services by utilizing mobile technology. The company uses mobile messaging services to remind patients to take their drugs, when to go to their clinics among other services to the patients and caregivers. Another one was Acre Africa that gives crop insurance to farmers. In this case, farmers purchase seeds from agrovets licensed by Acre Africa, in the packaging there are scratch card like tokens which the farmers scratches and sends to the number written on it. Using this method the company is able to know which farmer bought their seeds, where they planted them, the weather at the time among other details that will determine the particulars of the insurance taken out. Therefore, in case of crop failure, they are able to know the amount lost and pay back the farmer. Among the technologies used are satellite imaging to locate the farmers and mobile payment to pay out the cash.

Concerns of data privacy were highlighted, in light of possible adoption of such technologies. One example was in the use of Internet of Things to collect data that will drive other technologies such as machine learning and block chain. The concerns were mainly because of the lack of a data protection regime in the country and the lack of comprehensiveness of the Bill that once existed. Up until such laws are established organisations were urged to come up with self-regulatory policies that would guide how data driven organisations handle data. The progress of having such a legislation is currently pegged to the recently formed Taskforce on the Development of the Policy and Regulatory Framework for Privacy and Data Protection in Kenya led by Mercy Wanjau. There was consensus that such laws on data privacy would do better if more public participation was done as a tool of consumer protection; at this point I got the chance to introduce the audience to the site Jadili to add their input for ICT and IP related policy laws that are currently before Parliament.

Lastly, in terms of expertise to propel the technological turbine in Kenya, it was stated that more people need to enter the technical sphere and acquire the knowledge to use the technologies to tackle our unique issues to increase homegrown solutions. Indeed, the challenges to be surmounted in Kenya could benefit a huge deal from the use of these emerging technologies. However, such activities need to thrive under regulation that promotes their use.

 

 

PART 1: INTRODUCTION TO THE DUBAI INTERNATIONAL FINANCIAL CENTRE

So for those who I have interacted with in the last few weeks must have heard a mention of the word ‘DIFC’. This opportunity was accorded to us during the international law school trip where we paid a visit to the centre. The DIFC stands for Dubai International Financial Centre, located in Dubai it is a host to more than 1853 registered companies. The Centre acts as a meeting point for most foreign investors coming to set shop in Dubai. Two factors make this place lucrative for the businesses; the registration process and the legal framework in use at the Centre which are among the top factors in allocating the ease of doing business index. DIFC has an authority other than the state authority that assists in registration of businesses, administration and strategic development.

On the legal side of it, there are two limbs; the current courts and a new division to be established dubbed “Courts of the Future”. The article shall focus on the Courts of the Future project. The project is quite ambitious in my opinion due to two factors namely; the intended operation of the courts and the cases which it intends to take up.

The courts will conduct all its transactions on a paperless basis. This means that from the point of instituting a claim to the point of receiving a judgement all activities will be conducted online. More details on how the online activities will be performed shall be highlighted on the rules of the court.

In terms of the cases to be dealt with DIFC is taking the bold move to deal with innovations and the liability that can arise out of the use of new technologies such as Artificial Intelligence, autonomous cars, 3D printing (it is interesting to note that DIFC buildings are the world’s first 3D printed buildings), block chain technology and though not an innovation, it will deal with cybersecurity issues. The courts will deal with such matters only when the parties have submitted to their jurisdiction.

The courts have also developed the “Part 40,000 Principles” which are the foundation of the operation of this division of the court. Interestingly, the court will apply these technologies that it seeks to adjudge on. One such example is the option where a successful litigant could opt to have their interim/ final payment made in cryptocurrency or online assets instead of fiat money.

During the short but impactful visit to the Centre the presenter, Mr. Charlie Riggs gave good insights on how these innovative technologies can be used to deliver justice in the court system and I could not help but think of how such technology could be utilized in Kenyan courts. First, in a bid to reduce the back log of cases in the courts, AI can be used to settle small and simple claims. The government through the Small Claims Court Act, 2016 under section 23 provides that proceedings can be carried out through electronic means, this is a step in the right direction. However, the efforts to speed up court processes could be bolstered by introducing AI supported mechanisms for adjudicating; it would be expeditiously resolve cases.

Additionally, courts can use block chain technology to store evidence to prevent evidence tampering and also for sharing and effecting judgements throughout various jurisdictions especially in private international law where the law has evolved to permit judgements of one country to be recognized in other countries in civil and commercial matters. The case of DNB Bank ASA v Gulf Eyadah Corporation and Gulf Navigation Holdings PJSC which involved enforcement and recognition of a foreign judgement order that the DIFC courts were granted jurisdiction to enforce the order. In this case which involved a dispute over the payments of a ship, the respondents had vacated the one of the ships away from the jurisdiction of the English courts to UAE jurisdiction, it is on these grounds that the case was submitted to the Dubai jurisdiction and later on to DIFC courts which operates under common law. The case had to deal with the legality of submitting the matter to DIFC. However, had the countries mutually agreed to share such judgements using distributed ledgers, it would have been easier to enforce the judgements.

This discussion will set the base for the next article that shall delve more into the foundational Part 40,000 principles” as we break down the terms and the tackle the legal aspects therein.