KENYA: Offences under the Computer Misuse and Cybercrimes Act, 2018
hacker-2300772_640
OffencesThe lawComments
Unauthorised access

Occurs when a person knows they do not have the authority to access certain information but makes effort to access the information.

The important question is whether the person accessing the information does have the authority to do so.

 
Access with intent to commit further offenceOccurs when one unlawfully or lawfully gains access and commits an offense or facilitates commission of an offence.The provision is interlinked with the one for “Unauthorised Access”. Whereby one gains access and commits an offence. However, the provision also provides that one can commit an offense even if access to the system was secure/authorised.
 
Unauthorised interferenceTakes place when a person’s action is intentional and without authorization, not to mention it leads to a certain interference.The provision provides that Unauthorised Interference can only take place on condition that there exists “intention” and “lack of authority”.

 

 
Unauthorised interceptionTakes place when a person’s action is intentional and without authorization, which leads to intercepting or causes interception whether directly or indirectly and leads to transmission of data.The provisions adopt the conjunctive word “and”. Therefore, there is the need for intention and lack of authority. In addition, there is a loophole of what happens if there is no transmission of data.

 

 
Illegal Devices and Access CodesIt is an offence for one to provide or receive any device or access codes that can lead to any of the offenses mentioned in Part II of the Act (the offenses highlighted in the newsletter).The act of providing or receiving the device or access codes ought to be from a point of being aware that the device or access codes are for purposes of committing a certain offense.
 
Unauthorised Disclosure of Password or Access Codes

 

A person who knowingly and without authority discloses password or access codes will be held liable.There must be an aspect of knowledge and lack of authority.
 
Cyber espionageOccurs when a person unlawfully and intentionally performs, authorizes or allows one to perform any of the offenses for purposes of gaining access, and intercept data.

Anyone who uses National critical information for the benefit of another State against Kenya will be held liable.

Also, in this case, the person ought to have acted unlawfully and intentionally.
 
False publicationThe intentional act of publishing false, misleading or fictitious information with the intent of it being acted upon as authentic, will lead to an offence.The two important factors are “intention to publish the information” and having the “intent that it should be believed to be true”.

 

 
Publication of False InformationIt only occurs when false information is published in print, broadcast, data or over computer system with the main aim of causing panic, chaos or violence among citizens of Kenya or likely to lead to discrediting a person’s reputation.

 

One has to knowingly publish false information, and there must be the aim to discredit a person’s reputation, cause panic, chaos or violence.
 
Child pornographyPublishing, Producing, or Possessing child pornography is an offense.

 

It does not matter whether the information is in audio, or visual format.

The provision uses a disjunctive, therefore, any of the three applies separately, but can also be applied conjunctively.

 

There are certain statutory defences, for instance, holding them in good faith for scientific research, medical or law enforcement.

 

 
Computer forgeryA person who deletes or distorts computer data with the view of presenting alternative data as authentic will be deemed to have committed an offence under the Act.It does not matter whether a person has been given such authority as long as the act is intentional and meant to present inauthentic computer data as authentic.

 

 
Computer fraudOccurs when a person with fraudulent or dishonest intent unlawfully gains, causes unlawful loss, or attains an economic benefit through the other offenses mentioned, the person will be held liable.

 

The offenses are restricted to what the Act is providing, and it is also important that there is an element of fraud or dishonesty that is coupled with intent.
 
Cyber harassmentIt takes place when an individual or as a group of persons do communicate (directly/indirectly), willfully, to a person they know in a manner that will cause fear towards a person. In addition, it is important that the person knows or ought to know that their conduct will cause such fear.

 

The communication ought to be willfully. Also, the Act provides a leeway for a person to justify whether they knew their conduct could result towards a certain outcome, in this case cyber harassment.
 
CybersquattingThis occurs when one intentionally uses a name, business name, trademarks, domain name among similar information and use them as their own without seeking permission – usually through registering a domain name similar to the name, trademark or confusingly similar to the name or trademark, not to mention using it in bad faith.

 

There is an element of intention that has to be established. Such issues have been highly referred to as Domain Disputes, and have been heavily addressed through the Uniform Domain Name Dispute Resolution (UDRP) which is as per the Internet Corporation for Assigned Names and Numbers (ICANN).
 
Identity Theft and ImpersonationWhen one fraudulently or dishonestly utilizes identification details of a person.

 

There must be an element of fraud or dishonesty.
 
PhishingIt occurs when a person sets up and operates a system with the intention to make its users or recipients of certain messages to reveal their identifiers for the system operators to effect their unlawful course or gain unauthorized access.

 

The key issues are intention to induce, use the personal identifiers for unlawful use or gain unauthorized access.
 
Interception of electronic messages or money transferTakes place when one taps into an electronic messages or money transfer and unlawfully destroys or aborts such processes or systems.

 

The key word is unlawfully destroying or aborting the process or system.
 
Willful misdirection of messagesOccurs when one willfully sends a message to a wrong person.

 

The main areas of focus are “willful” and “wrong person”.
 
CyberterrorismTakes place when a person accesses or enables one to access a computer for purposes of carrying out a terror attack.

 

It is a strict liability provision. The lack of intent does not matter.
 
Inducement to deliver electronic messageWhen a person persuades anyone in charge of electronic devices to deliver any electronic message not meant for him.

 

The key words are: persuade, in charge of electronic devices, and delivery of messages not meant for that person.
 
Intentionally withholding message delivered erroneouslyIf a person, intentionally hides or detains any electronic mail, message, electronic payment, credit and debit card that was found by that person or delivered by mistake.

 

One must intentionally hide or detain and must be the person who found it or was delivered to the person.
 
Unlawful destruction of electronic messagesWhen one unlawfully destroys or aborts any electronic mail or processes through which money or information is conveyed.

 

The act is basically unlawfully. What is unlawful is as per the Act or basically any other law concerning computers.
 
Wrongful distribution of obscene or intimate imagesOccurs when a person transfers, publishes, or disseminates, including presenting it in digital format for distribution or downloading of the images.

 

The Act makes the objective of the provision quite wide as it uses the term “including”.
 
Fraudulent use of electronic dataIt involves deletion or distortion of information; misrepresentation; intend to defraud, franks electronic message, instructions, etc.; manipulation of a computer, among others.

 

It is a combination of other factors already addressed by the Act.
 
Issuance of false e-instructionsAny individual who uses a computer or an electronic device for financial transactions, and issuance of electronic transaction will be held liable if the individual issues false e-instructions.

 

It is a strict liability provision.
 
Reporting of cyber threatA person operating a computer system is required to report any case of cyber-attacks of whatsoever nature.

 

Creates an obligation for the Chief Technology Officers (CTOs) among other persons holding similar positions to always report cases of cyberattacks.

 

 
Employee responsibility to relinquish access codesBased on the employer-employee contract separation clause, the employee is expected to give up their rights to computer networks or systems. Nevertheless, the provisions of the Act will supersede.

 

The process is guided by the law save where a contract provides otherwise.
 
Aiding or abetting in the commission of an offenceOccurs when a person knowingly and willfully assists commission of any offenses in the Act.

 

The key element is “knowingly” and “willfully”.
 
Offences by a body corporateAny offense, under the Act, committed by a corporate will be pinged on the respective office holders unless they prove that they exercised caution to prevent such an offense from taking place.

 

It provides room for the employees to act as per the law and not hide behind the corporate veil/ personality – to a certain degree.
 
Offences committed through use of computer systemsWhen a person commits an offense under a different law but with the use of a computer, the person will also be punished through this Act separately.

 

This is not an alternative but concurrent punishment to that provided by another law.