The Computer Society of Kenya

Since 1986


Friday February 16th 2018

The Computer and Cybercrimes Bill of 2017 is before Parliament and undergoing public consultations. Whereas it does contain contentious clauses, we must be careful not to throw out the baby with the bathwater.

This is because the Cybercrimes Bill is one of the four pending bills that are required to usher in a true digital economy for Kenya. The other three are the Data Protection Act, the Electronic Transactions Act and the Copyright Act.

As the country gets more and more digitised, new forms of threats and crimes emerge. These crimes present challenges to the authorities in terms of investigations, prosecution and judicial adjudication, since the old legal frameworks do not adequately apply.

A legal framework covering crimes against and using computer systems is therefore a welcome development and would go a long way in making Kenya a safer place.


A quick glance at the proposed Computer and Cybercrime Bill shows that it is based on the European Union benchmark, commonly known as the Budapest Convention on Cybercrime.

This convention expects countries to upgrade their laws to reflect new digital crimes such as hacking, cyber-espionage, false publications, online child pornography, computer forgery, computer fraud, cyberstalking, and cyberbullying.

The cybercrime convention also requires countries to make provisions for international cooperation or mutual assistance when it comes to fighting cybercrime, given its global nature.

The final expectation from the cybercrime convention relates to the investigative procedures that includes searching and seizing computer systems as surveillance of computer networks.

In general, the Kenyan cybercrime bill has tried to be consistent with the Budapest Convention, but as KICTAnet has found out in its preliminary study, the devil is truly in the details.


There are some clauses in the bill that try to empower police authorities to move onto private and business premises without an express court order. This is against the generally accepted principle that expects judicial oversight on police activities.

There are also some clauses that may go against the principles of freedom of expression by attempting to criminalise people — mostly bloggers — who may knowingly or unknowingly publish false information.

Whereas everyone agrees that the amount of vitriol, rumours and insinuations currently flying across our social media platforms is on the extreme, we must also wonder why the prevailing libel or defamation laws are not sufficient to address these issues.

We should not forget that a few years back a high court ruled against a similar clause that the state has repeatedly used to crack down on bloggers. It is therefore likely that some provision may immediately trigger court action as human rights entities launch petitions.

On a much broader level, the bill lacks the supporting governance framework under which it can be adopted. Specifically, issues to do with capacity building in the police and judicial wing are not covered, meaning that implementation of the law will face serious challenges.


There is a need to have an overarching body such as a National Cyber Security Council that would then define and actualize the supporting ecosystem within which the cybercrime law would then become effective.

Indeed most of the details would be in the subsequent regulations but the substantive law must point to some of these issues, such as the need to have information security professionals supporting the investigative agencies execute their tasks.

Failure to have this input from professionals will imply that conviction of cybercriminals will remain a pipe dream simply because digital evidence was either mishandled or too complex for the regular cop on the street.

Share this page