By Allan Ong’ato

Introduction

The world has seen remarkable transformation with the advent of internet-based activities. This is because goods and services are routinely purchased and delivered electronically, leading to significant changes in various industries like journalism, travel, and banking. Significantly, a majority of the people, especially in developed and the elite in developing economies, rely on the Internet, either directly or indirectly, for most services. This trend is not expected to slow down soon especially with ever increasing globalization. Concomitant to this phenomenal growth of the Internet is the fact that it has occasioned a number of challenges most of which revolve around its universal and trans-territorial character allowing direct, instantaneous and multifaceted exchange of information among literally tens of millions of users over global computer networks.[1]

The Internet has revolutionized local and global communication given its transnational and ubiquitous nature. A combination of these features and the anonymity embedded in its use has made the Internet an attractive tool for those with propensity to engage in unlawful acts. This presents significant challenges to governments and law enforcement agencies in regulating online activities. It is feared that should current trends continue, the perception by users that the Internet is unsafe and therefore unsuitable for everyday use may become widespread and eventually lead to a loss of faith in “the system”. It is believed that cybercrime, and other cyber-issues are the one area that could cause this type of loss of faith in the safety of the Internet.[2]

Cybercrime could be loosely defined as crime relating to computer systems or criminal offences committed by means of a computer system. Cybercrime is a huge concern for the Kenyan economy. It is estimated that in 2013, the Kenyan economy lost Kshs. 2 billion to Cybercrime.[3] In 2018, it is estimated that the economy lost more than Kshs. 29.5 billion from Cyber-attacks.[4] According to the Quarterly Statistic Report (July–September 2020) published by the Communications Authority of Kenya (CA), Kenya experienced a 152.9% increase in cyberthreats between July and September 2020. This was mainly attributed to the increase in e-commerce, cashless payments through mobile money platforms and the shift towards remote working, among other factors.[5]

In addition to this, the report indicates that there has been significant increase in cases of online child abuse, cyberbullying, internet trolling and internet fraud.

From this analysis, it is evident that cyber-attacks is a pertinent issue in Kenya currently. It’s therefore imperative that there are in place adequate measures to deal with cyber-attacks and data breaches.

Cyber crimes

To satisfy the requirement for fair hearing under Article 50 of the Constitution, it is critical that the crime one is accused of is an offence under the Kenyan Statute books. Such crime must have been specifically prohibited.

Because of the insufficiency of the Penal Code Cap. 63 of the Laws of Kenya in addressing cyber crimes which had become a new phenomenon and were evolving, it became necessary to come up with a law to provide for cybercrimes.

The primary law enacted by the legislature to deal with incidences of cybercrime is the Computer Misuse and Cyber Crimes Act No. 5 of 2018 (“the Act”) whose preamble states that it is enacted to provide for offences relating to computer systems; to enable timely and effective detection, prohibition, prevention, response, investigation and prosecution of computer and cybercrimes; to facilitate international co-operation in dealing with computer and cybercrime matters; and for connected purposes.

This law was an initiative of the Office of the Director of Public Prosecutions.[6] It sought to equip law enforcement agencies with the necessary legal and forensic tools to tackle cybercrime.

The offences provided for in the Act cover three of the main categories of cybercrimes identified in the Budapest Convention on Cybercrime:

1. Offences against the confidentiality, integrity and availability of computer data and systems – These are offences that have as their object computer systems, data and communications. Examples of these offences in the Bill are the offences of unauthorised access and unauthorised interference of computer systems and data;
2. Computer related offences – These are offences that have as means of perpetration of the crime the use of a computer system. Examples of these offences in the Bill include cyber-bullying and cyber stalking and computer related fraud and forgery; and
3. Content related crimes – These offences concern the content of computer storage and internet transmission. Examples of these offences in the Bill include child pornography and false publications (fake news!)

Amongst others, the objects of the Act are listed as facilitating the prevention, detection, investigation, prosecution and punishment of cybercrimes and facilitating international co-operation on matters covered under the Act.

At part III, the Act provides for the offences, which include –

1. Unauthorized access – where a person causes a computer system to perform a function that infringes security measures with intent to gain access, knowing such access is unauthorized. The fine is 5 million or imprisonment for a term not exceeding 5 years or both.[7]
2. Access with intent to commit further offence – where a person engages in unauthorized access with intent to commit a further offence. The fine is 10 million or imprisonment for a term not exceeding 10 years or both.[8]
3. Unauthorized interference – Where a person intentionally and without authorization does any act which causes an unauthorized interference, to a computer system, program or data. The fine is 10 million or imprisonment for a term not exceeding 5 years or both.[9]
4. Unauthorized interception – where a person intentionally and without authorization does any act which intercepts or causes to be intercepted and causes the transmission of data to or from a computer system over telecommunication system. The fine is 10 million or imprisonment for a term not exceeding 5 years or both.[10]
5. Illegal devices and access codes – where a person knowingly manufactures, adapts, sells, procures for use, imports, offers to supply, distributes or otherwise makes available a device, program, computer password, access code or similar data designed or adapted primarily for the purpose of committing any offence. The fine is 20 million or imprisonment for a term not exceeding 10 years or both [11]
6. A person who knowingly receives, or is in possession of, a program or a computer password, device, access code, or similar data from any action specified under subsection (1) and intends that it be used to commit or assist in commission of an offence. The fine is 10 million or imprisonment for a term not exceeding 5 years or both [12]
7. Unauthorized disclosure of password or access code – A person who knowingly and without authority discloses any password, access code or other means of gaining access to any program or data held in any computer system commits an offence. The fine is 5 million or imprisonment for a term not exceeding 3 years or both. If it’s for wrongful gain, unlawful purpose or to occasion any loss, the fine is not more than 10 million or imprisonment for a term not exceeding 5 years or both.
8. Cyber espionage;[13]
9. False publications;[14] – This is the most prominent cybercrime. It arises when a person intentionally publishes false, misleading or fictitious data or misinforms with intent that the data shall be considered or acted upon as authentic. It attracts a fine not exceeding five million shillings or to imprisonment for a term not exceeding two years, or to both.
10. Publication of false information;[15] – It arises when person knowingly publishes information that is false in print, broadcast, data or over a computer system, that is calculated or results in panic, chaos, or violence among citizens of the Republic, or which is likely to discredit the reputation of a person. It attracts a fine not exceeding five million shillings or to imprisonment for a term not exceeding ten years, or to both.
11. Child pornography;[16]
12. Computer forgery;[17]
13. Computer fraud;[18]
14. Cyber harassment;[19]
15. Cyber squatting;[20] – It is the acquisition of a domain name over the internet in bad faith to profit, mislead, destroy reputation or deprive another from registering the same. In most cases, the cybersquatters register, sell or use the domain name with the intent of profiting from the goodwill of someone’s trademark.[21] Punishment is a fine not exceeding two hundred thousand shillings (200,000/-) or imprisonment for a term not exceeding two (2) years or both.
16. Identity theft and impersonation;[22]
17. Phising ;[23] – This is where a person creates or operates a website or sends a message through a computer system with the intention to induce the user to disclose personal information for an unlawful purpose or to gain unauthorized access to a computer system. It attracts a penalty of a term not exceeding 3 years or a fine not exceeding Kshs. 300,000.00 or both.
18. Interception of electronic messages or money transfers;[24]
19. Wilful misdirection of electronic messages;[25]
20. Cyber terrorism;[26]
21. Inducement to deliver electronic message;[27]
22. Intentionally withholding message delivered erroneously;[28]
23. Unlawful destruction of electronic messages;[29]
24. Wrongful distribution of obscene or intimate images;[30]
25. Fraudulent use of electronic data;[31]
26. Issuance of false e-instructions;[32]
27. Failure to report a cyber-threat;[33]
28. Failure by an employee to relinquish access codes;[34]
29. Aiding or abetting commission of an offence;[35]

A number of other laws equally provide for offences related to cybercrimes for example the Kenya Information and Communication Act No. 2 of 1998. It provides for offences such as

1. Obtaining service dishonestly;[36]
2. Improper use of system;[37]
3. Modification etc. of messages;[38]
4. Interception and disclosure;[39]
5. Tampering with telecommunication plant;[40]
6. Severing with intent to steal.[41]

Similarly, the Data Protection Act No. 24 of 2019 provides for offences of unlawful disclosure of personal data by data controllers, data processors or any other person.[42] A general penalty of a fine not exceeding three million shillings or to an imprisonment term not exceeding ten years, or to both applies to a person who is in breach of the Act.

Prosecution

Prosecution is defined as the process of proving in Court that somebody is guilty of a crime.  It involves the process of being officially charged with a crime in Court.

Prosecution is a function bestowed upon the Office of the Director of Public Prosecutions under Article 157 of the Constitution. Prior to mounting a prosecution there has to be an investigation into the offence allegedly committed. Investigation is defined as the careful search or examination with an intention to discover facts. This may include questioning of witnesses, forensic examination, investigation of financial records etc. The investigation will show the origins, the cause, the motives, the offenders and the surrounding circumstances of the offence.

The Act[43] sets out investigation procedures aimed at facilitating the collection of the requisite evidence by police officers for use in prosecution of cybercrimes. Any searches or seizures can only be effected through an Order of the Court.

Cybercrime so often has a transnational element to it. It is often committed across state boundaries and therefore has to be investigated across multiple countries. The Act[44] also provides for an avenue of international co-operation between Kenyan and foreign agencies during investigations. In this regard, the Communications Authority of Kenya may make a request: for mutual legal assistance in any criminal matter to a requested state for purposes of undertaking investigations or proceedings concerning offences related to computer systems, electronic communications or data; for collecting evidence of an offence in electronic form; or for obtaining expeditious preservation and disclosure of traffic data, real-time collection of traffic data associated with specified communications or interception of content data

Some investigations may reveal insufficiency of evidence to warrant a prosecution in court in which event the matter is closed. Other investigations may reveal sufficient evidence to warrant a prosecution yet a prosecution may not be mounted for reasons of public interest.

Powers of the ODPP

Under article 157(6) of the Constitution, prosecutorial authority is vested in the Director of Public Prosecutions. He has powers to:

1. Institute and undertake criminal proceedings against any person before any court (other than a court martial) in respect of any offence alleged to have been committed.
2. Take over and continue any criminal proceedings commenced in any court (other than a court martial) that have been instituted or undertaken by another person or authority, permission of the person or authority.
3. Discontinue at any stage before judgment is delivered any criminal Proceedings instituted by the Director of Public Prosecutions or taken over by him.

It is the state through the Director of Public Prosecutions who is bestowed with the power of controlling criminal prosecutions. This means that the Director of Public Prosecutions has a special Constitutional role in the conduct of Prosecutions and he is under duty to take into account and safeguard the public interest.

In exercise of his power the Director of Public Prosecutions is not to be directed or controlled by any person or Authority. See Article 157(10) of the Constitution.

However the Director of Public Prosecutions may not exercise that discretion arbitrarily and is expected to have regard to the public interest, the interest of the Administration of justice and the need to prevent and avoid abuse of the legal process Article 157 (11).

The Director of Public Prosecutions may not discontinue a prosecution without the permission of the court see article 157(8) of the Constitution. This is a significant departure from the absolute sway formally held by the Attorney General in the previous constitution, in the discontinuation of a prosecution through Nolle prosequi.

These powers may be exercised by the DPP in person or by officers subordinate to him acting in accordance with his general or special instructions and the said powers in so far as they relate to the taking over, continuation or termination of criminal proceedings, are so exercisable to the exclusion of any other person or authority, see article 157 (9) of the constitution.

The decision to prosecute or discontinue a prosecution is the most important decision that a prosecutor makes in the criminal justice process.

It is the most problematic role of a prosecutor, unlike other areas of law where it is possible to resort to reported or unreported authorities, there are no such authorities to guide a prosecutor in reaching a decision as whether to mount a prosecution or not, more so in an emerging area like cybercrime.

The mere fact that the investigators believe that there is a prosecutable case does not necessarily bind the DPP. As is rightly recognized by Sir Elwyn Jones in Cambridge Law Journal April 1969 at page 49:

“The decision when to prosecute, as you may imagine is not an easy one. It is by no means in every case where a law officer considers that a conviction might be obtained that it is desirable to prosecute. Sometimes there are reasons of public policy which make it undesirable to prosecute the case. Perhaps the wrongdoer has already suffered enough. Perhaps the prosecution would enable him present himself as a martyr. Or perhaps he is too ill to stand trial without great risk to his health or even to his life. All these factors enter into consideration”

There is no doubt that prosecutions that are not well founded in law or facts which do not serve the public interest may unfairly expose citizens to the anxiety, expense and embarrassment of a trial while the failure to effectively prosecute guilty parties can directly impact public safety.

Wrong decisions tend to undermine the confidence of the community in the criminal justice system.

The National Prosecution Policy at paragraph 4(B) (2) require the public prosecutors in applying the evidence test should objectively assess the totality of the evidence both for and against the suspect and satisfy themselves that it establishes a realistic prospect of conviction before making decision to mount a prosecution against the accused (the emphasis is mine).

In R. vs. Attorney General exp Kipngeno Arap Ngeny High Court Civil Application No. 406 of 2001 it was held:

“A criminal prosecution which is commenced in the absence of proper factual foundation or basis is always suspect for ulterior motive or improper purpose. Before instituting criminal proceedings, there must be in existence material evidence on which the prosecution can say with certainty that they have a prosecutable case. A prudent and cautious prosecutor must be able to demonstrate that he has a reasonable and probable cause for mounting a criminal prosecution otherwise the prosecution will be malicious and actionable.”

It follows therefore that the burden is on the prosecutor to show by way of admissible evidence that he is in possession of material that disclose the existence of a possible case.

Prosecutorial discretion has to be exercised once a police report, invariably made by the DCI (Director of Criminal Investigations) has been presented to DPP and a suspect arrested or his arrest is contemplated. The prosecutor is required to apply his mind to evidential and public interest tests in deciding whether or not to prosecute. Both tests must be satisfied for the ensuing prosecution to be seen as justified.

In terms of Prosecutorial powers, the Director of Public Prosecutions may pursuant to Article 157 (4) of the Constitution, direct the inspector General of the National Police service to investigate any information or allegation of criminal conduct and the Inspector-General shall comply with any such directions, pursuit to section 35 (L) of the National Police service Act.

The Inspector General of police may direct the Director of Criminal Investigations to execute the directions given to the Inspector- General by the Director of Public Prosecutions pursuant to Article 157 (4) of the Constitution. Clearly therefore there is a clear chain of command set out herein above.

When it comes to the exercise of prosecutorial powers, as between the three entities, the Director of Public Prosecutions has the last word. In other words, no public prosecutions may be undertaken by or under the authority of either the Inspector- General of police or the Director of Criminal Investigations without the consent of the Director of Public Prosecutions.

What the foregoing provides is that each of the three entities must of necessity stay on their respective lanes. Any attempt by any of them to trespass onto the other’s lane can only end up in disaster.

In simple terms an attempt by the Director of Criminal Investigations to charge a person with a criminal offence without the consent of the Director of Public Prosecutions is ultra vires the power and authority of the Director of Criminal Investigations and amounts to abuse of his powers. It is therefore null and void ab initio.

It should be understood that the DPP is not bound by the actions undertaken by the police in preventing crime or bringing criminals to book. He is however, under Article 157(11) of the constitution, enjoined to have regard to the Public interest, the interests of the Administration of Justice and the need to prevent and avoid abuse of the legal process. In other words the DPP ought not to exercise his/her constitutional mandate arbitrarily.

The independence of the DPP is anchored both in the constitution and in the legislation under Article 157 (10) of the Constitution and section 6 of the office of the Director of Public Prosecutions Act, 2013.

Challenges in prosecution of cybercrime offences

1. Inadequate provision for training in Technology among Investigators, Prosecutors and Judicial Officers;
2. Complexity occasioned by the foreign element of cybercrimes;
3. Inadequate resources;
4. Shortage of personnel;

Strategies for improvement of prosecution

1. Thorough investigation into the offence allegedly committed should be carried out to enable the prosecutor to make appropriate decision to mount prosecution against the suspect. 

• Considering Prosecutors place a lot of reliance on the results of investigations, it is very important that Prosecutors work closely with investigators and that new strategies invented or adopted by Prosecutors are also replicated by the Investigators.

• As critical players in the Justice System, Prosecutors have a duty to prepare and conduct cases in accordance with the Constitution and all enabling legislation, policies, practice directions and guidelines issued by the DPP or the Court.

• The prosecutors should exercise the highest standard of integrity and care when making decision to prosecute. They should not be influenced by irrelevant considerations such as individual, sectional or political interests and media pressure.

• The prosecutors must take reasonable steps to maintain and enhance their professional knowledge and skills and keep themselves well informed of relevant legal developments.

• Prosecutors should avoid prosecuting cases in which they, their families or business associates have personal interest.

• When presenting cases in court, prosecutors serve as officers of the court and therefore have a duty to act independently and in the interest of Justice

• If Prosecutors are to work more effectively, investigators must also be empowered to work effectively as well. 

• There’s need for prudence while introducing evidence based on technology to comply with provisions of the Evidence Act, Cap 75 of the Laws of Kenya on admissibility of such evidence. 

1. Private Prosecutions system should be enhanced to complement the work of public prosecutors in the prosecution of accused person.

1. Plea bargaining should be applied as a strategy in the prosecution of cybercrime cases. Its aim is for the accused to enter into an agreement or plead guilty in exchange for some concession by the prosecution.  The result of this is reduction of backlog in court and increase in the chances of securing a conviction.

Given the nature of cybercrimes, there’s extremely scanty local judicial pronouncements on the various breaches.

Collection of evidence is likely to be in electronic form and there’s need to ensure that all the requirements to ensure safety of such evidence under the Evidence Act is complied with.

It is also important to note that the Act at Section 46 requires the Court to consider the following when sentencing person convicted of a cybercrime –

1. the manner in which the use of a computer system enhanced the impact of the offence;
2. whether the offence resulted in a commercial advantage or financial gain;
3. the value involved, whether of the consequential loss or damage caused, or the profit gained from commission of the offence through the use of a computer system;
4. whether there was a breach of trust or responsibility;
5. the number of victims or persons affected by the offence;
6. the conduct of the accused; and
7. Any other matter that the court deems fit to consider.

To effectively prosecute, the prosecutor must note to ensure these elements are brought out with sufficient clarity during trial.

Conclusion Cybercrime, not unlike other forms of crime, is a multi-faceted and ever-changing problem. The conventional definition relates it to crime that involves a computer and a network. Ordinarily, the computer may be a platform for the commission of a crime or it may be the target. In its broader sense cybercrime boils down to criminal exploitation of the Internet. Because of this it is a complex area that will pose a lot of challenges to suc

---

[1] https://www.unafei.or.jp/publications/pdf/RS_No97/No97_IP_Kenya.pdf

[2] Ibid

[3] Report by Article 19 analysing the first draft of the Cybercrimes and Computer related crimes Bill in Kenya.

[4] Report by Serianu, a Pan African based Cyber Security and Business Consulting Firm.

[5] https://practiceguides.chambers.com/practice-guides/cybersecurity-2021/kenya/trends-and-developments

[6] Article 19

[7] Section 14

[8] Section 15

[9] Section 16

[10] Section 17

[11] Section 18 (1)

[12] Section 18 (2)

[13] Section 21

[14] Section 22

[15] Section 23

[16] Section 24

[17] Section 25

[18] Section 26

[19] Section 27

[20] Section 28

[21] https://www.nolo.com/legal-encyclopedia/cybersquatting-what-what-can-be-29778.html

[22] Section 29

[23] Section 30

[24] Section 31

[25] Section 32

[26] Section 33

[27] Section 34

[28] Section 35

[29] Section 36

[30] Section 37

[31] Section 38

[32] Section 39

[33] Section 40

[34] Section 41

[35] Section 42

[36] Section 28

[37] Section 29

[38] Section 30

[39] Section 31

[40] Section 32

[41] Section 33

[42] Section 72

[43] See part IV

[44] See part V