Encryption is important for privacy but Kenya currently lacks comprehensive encryption laws. The Kenyan constitution guarantees privacy for citizens but does not provide specific guidance on encryption use. While some laws touch on encryption, there are no overarching laws regarding rights to encryption, licensing, or obligations to assist authorities. If Kenya enacts encryption legislation, it should balance privacy rights with law enforcement needs and involve input from technology companies, civil society groups, and citizens.
CC BY-NC-SA 4.0
State of Encryption in Kenya
Encryption Everywhere
@Collins Kimathi, Internet Society Kenya Chapter
internetsociety.ke
@ISOC_Kenya
Introduction
The modern age has brought improvements in many areas of our lives. One of these is the ease with which we can communicate with one another. The use of technological services such as email, chat platforms and social media has become an integral part of our day-to-day lives. One can even argue that they have become a part of us. With such deep levels of integration, the right to privacy that people are entitled to in non-tech communication should be extended to these platforms. Encryption is the process by which information passed through communication technologies is converted into an unreadable form and transmitted to the recipient, who can convert the unreadable form back to the original message. This greatly reduces the risk that the real information can be understood by unintended recipients, hence protecting the data for the intended viewers. That way, the sensitivity of any information shared remains safeguarded.
Right to Privacy
Encryption is a technological solution that is used to guarantee privacy, and where there is a legal right to privacy it complements the law. Most communication platforms offer end-to-end encryption by default to ensure privacy; this is where the message is encrypted on the sender’s device, stays encrypted on the transit channels, and is decrypted on the recipient’s device. This leaves the clear text version of the message available only to the sender and recipient while using the application.
The Kenyan constitution guarantees privacy for its citizens. The constitution clearly states that every person has the right to privacy, which includes the right not to have their person, home or property searched; their possessions seized; information relating to their family or private affairs unnecessarily revealed; and the privacy of their communication infringed.[1] However, there are situations where this right can be infringed upon by state actors, i.e. intelligence agencies and police. With encryption, some of the situations where state actors are required to infringe on privacy, whether legally sanctioned or not, become almost impossible, and some governments all over the world are considering ways to bypass encryption.
Encryption is mentioned in the Data Protection Act of 2019, whereby a data controller or data processor is expected to protect personally identifiable data by considering encryption as a measure.[2] While this is specific to personal data, there is no guidance on the specifics of the use of encryption in the country.
[1] Article 31 Privacy, Constitution of Kenya
[2] Section 41, Data Protection Act
Encryption Laws
The use of cryptography needs to be protected and guided by the law where possible. It is in this ambiguity that people take advantage of digital rights that should be aligned to human rights on freedom of expression and the right to privacy. The use of encryption will support human rights principles, and governments have an opportunity to set proper baselines on how encryption can aid these principles in the digital era. According to the Travel Guide to Encryption Policy, governments should not impose a blanket ban on encryption as it would be against human rights principles.[3] There is still a big risk of infringement when the government sets licensing requirements for encryption use or weak technical standards for encryption. Some governments have even put controls on the import and export of encryption tools, which inherently means that encryption standards used within their countries can be intentionally weak or have already been compromised by the government.
In comparison to other countries, Kenya seems to have no specific laws that touch on encryption. According to Global Digital partners,[4] Kenya lacks the laws that form part of a baseline encryption legal framework. These are:
a. General right to encryption
Laws that allow people to utilize encryption products and services. This implies there are no legal requirements for one to use encryption, but they can use it on their own terms.
b. Mandatory minimum or maximum encryption strength
Laws that set down either minimum or maximum standards for encryption products and services.
c. Licensing/registration requirements
Laws that require providers (or users) of encryption products or services to be licensed or registered
in some manner for use within the country.
d. Import/export controls
Laws that set out limitations or conditions on the lawful importation or exportation of encryption
products or services. This can be to limit sale or acquisition of encryption services or products to and
from some specific countries.
e. Obligations on providers to assist authorities
A law that requires private entities to assist state authorities to access the content of encrypted
communication.
f. Obligations on individuals to assist authorities
Laws that provide for state authorities to be able to require individuals to decrypt (or assist in the
decryption) of encrypted communications.
National Public Key Infrastructure
The Public Key Infrastructure (PKI) is a set of roles, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and manage public-key encryption according to the East Africa Communication Organization.[5] In Kenya, the Communications Authority (CAK) has the technical infrastructure that hosts Kenya’s National Public Key Infrastructure (NPKI). NPKI uses public key encryption to ensure that digital signatures and encrypted content can be traced back to identifiable users and/or organizations. The aim of the NPKI is to facilitate the secure electronic transfer of information for a range of network activities such as e-commerce, internet banking and confidential email.[6]
[3] https://www.gp-digital.org/wp-content/uploads/2017/09/TRAVELGUIDETOENCRYPTIONPOLICY.pdf
[4] https://www.gp-digital.org/world-map-of-encryption/
[5] http://www.eaco.int/admin/docs/publications/STANDARDS%20ON%20NATIONAL%20PUBLIC%20KEY%20INFRASTRUCTURE.pdf
[6] http://icta.go.ke/the-national-public-key-infrastructure-npki/
The CAK has set up a Root Certification Authority in the country that can license other entities to become Electronic Certification Service Providers.[7] The CAK has been granted this authority by the Kenya Information and Communications Act of 1998, which grants it powers to license Electronic Certification Service Providers. However, it is worth noting that there are no laws on the services of digital signatures and encryption.
Stakeholders
With the possibility of various laws being enacted on the use of encryption, several stakeholders will need to be brought on board for an effective legal framework to be set up. The establishment of a legal framework for the use of encryption will likely begin as a legislative process, which lies solely in the hands of parliament. If the members of parliament lack clear knowledge of what encryption entails, it will be the responsibility of other stakeholder groups such as civil societies, non-governmental organizations, technology companies and knowledgeable citizens to champion a law that does not weaken or compromise human rights. There have been several countries where proposed encryption laws have been highly contested since they disregarded human rights, e.g. in Australia the TOLA (Assistance and Access) Act 2018 had clauses that came with heavy protests from civil society and technology companies, leading to changes in the initial proposal.[8]
In Kenya, participation from non-government stakeholders has been seen in previous proposed laws such as the Computer Misuse and Cybercrimes Act, 2018, whereby contentious clauses have had to be amended.[9] It is in the same spirit that any proposed encryption law in Kenya should be scrutinized for its usefulness to the citizens, to prevent the law from becoming a tool for the government to use in oppressive ways.
Conclusion
The Kenyan legal framework may not address the use of encryption, but there are laws to protect the right to privacy of individuals. The role of encryption in the country does not necessarily need a legal framework, but with the Office of a Data Commissioner being available, some guidelines on its use could be helpful. The concerns of whether the government can break encryption or weaken cryptographic techniques when it becomes a challenge for law enforcement should be raised through consultative channels with all stakeholders. It is up to all stakeholders, especially those in the Internet Society, to advocate for strong and useful encryption laws that cannot be used against privacy rights and rights to personal information. Kenya needs to enact encryption legislation, as this will provide individuals with a degree of surety that their personal information, wherever it has been collected, stored, used or communicated to other persons, can be kept secure and private.
[7] https://ca.go.ke/industry/e-commerce-development/national-public-key-infrastructure/
[8] https://digitalrightswatch.org.au/2019/12/04/major-amendments-to-encryption-laws-are-a-step-in-the-right-direction/
[9] https://cipesa.org/2018/05/sections-of-kenyas-computer-misuse-and-cybercrimes-act-2018-temporarily-suspended/
About the author
Collins Kimathi is an Information Security Specialist who works with organizations
to design and implement Cyber Security Architecture around their infrastructure. He
has worked for 6 years as an information security consultant. He has experience in
setting up architecture to support information security compliance standards, threat
intelligence and business continuity. In the last 2 years he has been focusing on
Cloud architecture and security for fintech services.
He is part of the ISOC Global Volunteer Training Program, hoping to make a positive
change to the internet community.
The Internet Society
Internet Society Kenya Chapter is an Internet technical community chartered by the
Internet Society and registered in the Republic of Kenya. It seeks to provide
leadership on Internet policy, technology standards and future development of the
Internet in Kenya. The Chapter establishes and promotes principles that are intended
to persuade governments and other stakeholders to make decisions that are right for
the citizens and the nation’s future.
Internet Society is the world's trusted independent source of leadership for Internet
policy, technology standards, and future development. The Society has for many
years been the champion for Internet advancement and open resource usage. More
than simply advancing technology, we work to ensure the Internet continues to grow
and evolve as a platform for innovation, economic development, and social progress
for people around the world.
Preparing a new generation to succeed as Internet technology, policy, and business
leaders is a key objective for the Internet Society. To be successful, the next
generation of Internet leaders will require a wide range of skills in a variety of
disciplines as well as the ability and experience to work with people at all levels of
society.
For more information, please visit the Internet Society Kenya Chapter website at:
www.internetsociety.ke
Follow us: @ISOC_Kenya