Disquieting news, from a short piece in IT News Africa yesterday, which outlined some of the measures in the Kenya Communications Amendment Act 2008, which is intended to supplant the Act of 1998.
Given the progress that has been made in the sector, it’s understandable that the Act would aim to protect the mobile sector. As such, if you should fiddle around with any “mobile phone equipment identity” without permission, you could find yourself liable to a Ksh1 million fine or five years enjoying the hospitality at Kamiti.
What is more troubling, in my view, is the upside-down logic of the other offences described in the article. Apparently, the Kenya ICT Federation (KIF) asked Mr Michael Murungi or Kenya Law Reports to review the legislation. He offered this gem:
Unauthorized access to or interception of computer services are lesser offences and should not attract higher fines and jail terms than an act which impairs the operation of the computer system.
That’s nice, dear. So essentially, I can install spyware on as many computers as I please, run a botnet, harvest sensitive data and basically run amok on a network, provided I don’t actually impede any other processes. Fabulous! It’s like a hacker’s charter. Don’t even think about jailbreaking your imported iPhone, though, or you’ll feel the long arm of the law.
I can’t help but feel that perhaps KIF would have been better off if they had asked Mr Murungi to go through the proposed legislation with a fine tooth comb and then decide what they considered to be the most important aspects of the legislation. Just as KIF would be close to useless if asked about tort law, so a lawyer is going to be as valuable as a chocolate teapot when dealing with IT matters.
So many people are dependent on mobile phones in Kenya today that compromising the telecoms system would obviously have the potential to cause massive disruption. That, however, shouldn’t preclude people from doing whatever they please with their own handsets. At the very most, all they have done is invalidate their warranties and/or break the terms of their contract with their service provider. That’s not a matter for the government, nor should it be a matter for the courts.
On the other hand, the “lesser offences” Mr Murungi describes are activities that could very well cripple not just an individual but an entire network of computers, and could release an untold amount of destructive software to futher victims. Unauthorized access to a machine is usually only the starting point. Now, I’m not saying that every jealous boyfriend who tries to hack into his girlfriend’s email should go to jail (just maybe to counselling), but it is important that those in charge understand that what seem like innocuous data breaches have the potential to become far more serious.
From the short report given, it does seem as though the KIF might be asleep at the wheel, and that they may not have thought through all the implications for their desired changes, nor the dangers of downgrading the risk from activities that may at first seem frivolous. Because if this is the quality of the legislation that is being passed now, heaven help us when Kenya suffers its first big techno-crime.
[Image by Aphrodite]