Examining the 2024 Computer Misuse and Cybercrimes Amendment Bill Proposals

Introduction

The Computer Misuse and Cybercrimes Act, 2018 (herein ‘the Act’) has experienced considerable activity since its enactment. In a previous analysis, we examined the High Court of Kenya’s judgment that suspended several contested provisions of the Act following a legal challenge by the Bloggers Association of Kenya (BAKE). The Act has been instrumental in preventing the unlawful use of computer systems and facilitating the prevention, detection, investigation, prosecution and punishment of cybercrimes.¹ A notable example is the case of Omundo v Republic², where the appellant was charged under the Act for identity theft and impersonation, unauthorized access, and access with intent to commit an offense. The Court of Appeal dismissed the appeal, affirming the appellant’s conviction.

Since the enactment of the legislation, there have been attempts to amend it. In 2021, the Computer Misuse and Cybercrimes (Amendment) Bill, 2021 was introduced before the National Assembly.³ The Bill sought to amend provisions prohibiting the sharing of pornography via the internet, restricting the use of electronic platforms to promote terrorism, extremist religious ideologies, or cult activities, and expanding the mandate of the National Computer and Cybercrimes Coordination Committee to recommend websites for potential restriction within the country.⁴

However, a key concern was that its adoption could infringe on rights protected under Chapter 4 of the Constitution of Kenya, 2010, as well as international human rights law.⁵ For instance the mandate given to the National Computer and Cybercrimes Coordination would contradict Principle 38 of the Declaration of Principles on Freedom of Expression and Access to Information in Africa, which prohibits unjustified restrictions on individuals’ digital access and expression. The proposed amendments were submitted to the Departmental Committee on Communication, Information, and Innovation, which reviewed them and presented a comprehensive report through its chairperson.⁶

Despite the review, the Bill did not progress to enactment in its proposed form. Instead, a fresh legislative process was initiated, culminating in the introduction of the Computer Misuse and Cybercrimes (Amendment) Bill, 2024 which was published on 9th August 2024 by the National Assembly.⁷ The Bill seeks to introduce new clauses aimed at defining key cybersecurity and cybercrime terms, strengthening cybercrime provisions, and addressing emerging threats such as unauthorized SIM swap fraud. It has been circulated for comments in accordance with Article 118 (1) (b) of the Constitution of Kenya 2010 which requires Parliament to facilitate public participation and involvement in the legislative process. This article will critically examine the key proposals in three main areas; the definition of key terms, the strengthening of cybercrime provisions, and protections against SIM swap fraud, all intended to enhance the proposed law and improve its effectiveness in addressing emerging cyber threats.

Unpacking the Key Proposals under the 2024 Amendment Bill

1. Definition of Key Terms

The Bill aims to amend section 2 of the Act by introducing new definitions, such as “asset,” “identity theft,” “SIM card,” “terrorist act” and “virtual account,” to enhance the Act’s scope and clarity. While these definitions are essential in addressing emerging cyber threats, they may not be sufficiently comprehensive to keep pace with the rapidly evolving technological landscape, particularly in the cases of “asset” and “virtual account,” where broader or more precise definitions may be necessary.

According to the Bill, an asset includes all forms of property that are movable, immovable, physical or virtual, as well as estates, rights, choses-in-action, money, and goodwill, whether in Kenya or abroad.⁸ However, this definition does not explicitly mention digital assets, which are particularly crucial in the context of cybercrime, given their growing role in online transactions, cryptocurrencies, and digital economies. In a study conducted by Lin William Cong et al, Bitcoin was linked to an average of 5,000 cybercrime reports per month.⁹ The most frequently reported offenses included sextortion, blackmail scams, and ransomware, which collectively accounted for 94.4% of all documented incidents.¹⁰ This highlights the significant role of digital assets in cybercriminal activities and underscores the need for their explicit recognition in the proposed Bill.

The Bill defines a virtual account as a digital account acquired through virtual representation.¹¹ However, it does not clarify the nature or scope of this representation, creating ambiguity regarding its application and coverage. The term “virtual representation” is overly broad and undefined, potentially encompassing anything. This lack of specificity could create legal loopholes that cybercriminals may exploit to justify their actions, ultimately making prosecution more challenging. In a nutshell, a virtual account can be defined as a temporary online bank account linked to a real account, enabling automated payment tracking, reconciliation, and financial process optimization for businesses.¹² Given that virtual accounts are primarily used in the financial services sector, amending the provision to encompass a broader range of digital finance tools and platforms would enhance clarity and ensure comprehensive regulatory coverage.

Further, the Bill reiterates some definitions from the Act. One such example is the definition of “password” which according to the Act means any data by which a computer service or a computer system is capable of being obtained or used.¹³ As it is, the definition is too broad and fails to emphasize the role of a password in authentication. Additionally, its ambiguity could lead to misinterpretation, potentially encompassing any data associated with a computer system. A clear and precise definition is essential, particularly for prosecuting cybercrimes, as vague provisions may create loopholes that cybercriminals could exploit. A more comprehensive definition is provided in the National Institute of Standards and Technology (NIST) glossary, which defines a password as a protected or private string of letters, numbers, and/or special characters used to authenticate an identity or authorize access to data.¹⁴ Although this definition is not included in legislation, it emphasizes the role of a password in authentication.

Ultimately, the rapid advancement of emerging technologies has significantly altered the landscape of cybercrime. This underscores the need for legislative frameworks to evolve accordingly, ensuring they address offences facilitated by technologies such as Artificial Intelligence. A notable example is deepfake technology, which, when effectively deployed, can generate hyper-realistic content portraying individuals engaging in actions they never performed or even creating entirely fictional identities.¹⁵ Some of the criminal activities facilitated by deepfake technology include falsifying online identities, perpetrating extortion and fraud, engaging in online child sexual exploitation, and distributing disinformation, among others.¹⁶ To effectively combat this emerging cyberthreat, the proposed Bill should incorporate a clear definition of deepfake technology and explicitly address its potential misuse in cybercrimes.

2. Strengthening Cybercrime Provisions

The proposed Bill seeks to amend section 27(1) (b) of the Act, which deals with cyber harassment and states that a person commits an offence if they intentionally communicate, alone or with others, either directly or indirectly, in a way that detrimentally affects another person. It proposes adding the phrase ‘or is likely to cause them to commit suicide’ immediately after the word ‘person’ in that section.¹⁷ This amendment strengthens the existing provision by recognizing the serious psychological harm that cyber harassment can cause and ensures greater accountability for those responsible.

Cyber harassment can take various forms like bullying or stalking through social media, threats of violence or harm, doxxing, online impersonation or harassment through online gaming, among others.¹⁸ Besides suicide, which occurs in extreme cases, it can have a profound impact on individuals, leading to emotional distress, depression, and anxiety.¹⁹ It may also manifest in physical symptoms such as headaches and sleep disturbances and, in some cases, may hinder a victim’s ability to engage with technology and social media, affecting their daily life and social interactions.²⁰ To strengthen the provision, it is essential to clarify the scope of “detrimentally affects” in the Act by providing concrete examples. Given the rapid advancement of technology, this could include the use of artificial intelligence or automated systems to generate or disseminate harassing or offensive content.

(c) Protections against SIM Swap Fraud

Sim swapping is a type of identity theft involving a phone account takeover with the intention of stealing money from the victim’s bank account²¹ or other financial services.The Act defines identity theft as the fraudulent or dishonest use of another person’s electronic signature, password, or any other unique identification feature.²² Sim swap is a new form of cyber fraud and it occurs when scammers take advantage of an existing weakness in the two factor authentication and verification by gaining unauthorized control of the victim’s phone number, then use that number to access financial accounts belonging to the victim.²³ The scammers involved contact the mobile phone provider of the person being scammed then trick them into activating a sim card that the scammers already have.²⁴

In 2024, it was reported that SIM swap requests remained high, with approximately 28,000 swaps processed daily.²⁵ To curb the crime, the proposed Bill introduces a new section 42A to the Act, making it an offence to intentionally alter and unlawfully take possession of another person’s SIM card without authorization, with the intent to commit an offence.²⁶ However, to effectively address the issue, the new section should mandate reporting to ensure that law enforcement is promptly alerted to suspected unauthorized SIM swaps, enabling swift intervention to prevent financial losses and identity theft. Additionally, enhancing information sharing among mobile network operators, financial institutions, and law enforcement agencies would improve coordination and fraud detection, allowing for proactive measures to prevent SIM swap scams before they cause harm.

Conclusion

In conclusion, the Computer Misuse and Cybercrimes (Amendment) Bill, 2024 represents a significant step towards updating Kenya’s legal framework to address evolving cyber threats. The proposed amendments, particularly those concerning the definition of key terms, strengthening cybercrime provisions, and protections against SIM swap fraud, demonstrate a commitment to enhancing cybersecurity and protecting citizens. However, as technology continues to advance at a rapid pace, it is crucial that the legislation remains agile and adaptable. Continuous review and refinement will be necessary to ensure its effectiveness in combating both current and future cyber challenges.

The image is AI generated via Gencraft.