Cyber bill set to tackle Fake News

A new law set to tackle the scourge of fake news is expected to be introduced to Parliament in due course. The Computer and Cybercrimes Bill (the bill), gazetted on 16th June 2017, introduces the following language in clause 12:

“(1) A person who intentionally inputs, alters, deletes, or suppresses computer data, resulting in inauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic, regardless of whether or not the data is directly readable and intelligible, commits an offence and is liable, on conviction, to a fine not exceeding ten million shillings or to imprisonment for a term not exceeding five years, or to both.

(2) A person who commits an offence under subsection (1), dishonestly or with similar intent—

(a) for wrongful gain;

(b) for wrongful loss to another person; or

(c) for any economic benefit for oneself or for another person, is liable, on conviction, to a fine not exceeding twenty million shillings or to imprisonment for a term not exceeding ten years, or to both.”

The bill attempts to be a catch-all, but the conduct it mostly describes is the sensationalising of news and individuals falsifying their academic credentials. It makes more sense as an attempt to curb the latter, which has put a number of politicians in the spotlight and produced a few cases involving a fake doctor, a fake lawyer and a fake CEO.

Fake news is defined as falsehoods presented as news. The term has also been applied to legitimate news sources, whose primary asset is their credibility. But perhaps the biggest reason for pushing the bill to gazettement must have been the fake news factor that many believe influenced the 2016 United States presidential election. If interpreted politically, the bill could result in a chaotic free-for-all of mudslinging, with candidates and others being accused of crimes at the slightest hint of hyperbole, exaggeration, poetic licence or common error, and thus a recipe for amendment. With campaigns heating up, bloggers and social media administrators should be careful.

The bill awaits Parliamentary approval.

 

Protected: Brexit: Effects on the Electronic Communications market in the UK


Your device, your privacy: the who, what and the how of mobile privacy

Lest we forget, digital secrecy does not exist. We may not realize it but we are kept on a close electronic leash and tracked, followed, observed and monitored on a very large scale and we are actively participating in this through our use of mobile phones.

Before you write me off as some paranoid cyber security lawyer, be aware that your personal data, behaviour, tastes and relationships form the basis of the economic models adopted by free app providers, which makes your information even more lucrative. With an attention span shorter than a goldfish’s, we don’t bother going through the End User License Agreements; it’s just a pain.

So you are going about your normal day, sending business and personal e-mails, downloading apps or updating your social media status, when a little pop-up appears that has nothing to do with what you’re actually doing. Then it dawns on you. You may have seen this product page before. A simple search you did in the past has come searching back for you.

Accessing user information, both for legitimate and for malicious purposes, is no longer uncommon in a digital age where you do just about everything using a mobile device. But can breaches of one’s privacy be stopped? What should you do to protect your privacy from mobile threats like this?

  • Who

The right to mobile privacy

We all have the right to privacy. But it is easily violated whenever someone tries to access our personal information on any platform without our consent or any lawful reason. A breach could be anything from a friend spying on your social media account to marketing agencies deliberately studying the types of websites you visit and barraging your inbox with unsolicited alerts or offers.

With everything going mobile these days, it’s not surprising that some, if not most, of us often disregard the value of privacy. Sometimes we ourselves enable ‘data leaks’ by failing to log out of sites, leaving cybercriminals more than happy to take advantage of our oversight.

On social media alone, over-sharing has become a springboard for more severe types of cybercrime such as identity theft, with a number of malicious apps engineered to steal sensitive user data.

  • What

Your device settings

Your device’s default settings are only a starting point for increasing protection. By familiarising yourself with these settings and modifying them to suit your mobile needs, you can be assured that no one has easy access to your mobile device.

Visiting malicious sites and drive-by downloads

Symantec defines a malicious website as a site that attempts to install malware (a general term for anything that will disrupt computer operation, gather your personal information or, in a worst-case scenario, gain total access to your machine) onto your device. Malicious websites often look like legitimate websites and sometimes ask you to install software that your device appears to need.

Drive-by downloads are malware that can be installed on your device simply by viewing an email, browsing a website or clicking on a pop-up window whose text is designed to mislead you, such as a false error message.

So don’t open that email or click on that pop-up message if you think it is malicious; guys, there’s no swimsuit model in Russia who thinks you’re hot – trust me.

Your mobile behaviour

Owning a mobile device gives you the freedom to access the online world more frequently. But does it change your behaviour when it comes to security? This freedom often makes mobile users more vulnerable to threats through activities like social networking, shopping and banking.

Cybercriminals are stepping up the production of threats that affect social networking sites, online stores, and even banks—and they won’t just stop at creating apps that could easily be mistaken for legitimate ones.

  • Why

Money is the driving force

Mobile devices have impressively centralised one’s online activities. But at the same time, they have opened doors to vulnerabilities exploited by cybercriminals driven by one agenda: money.

Kenyan cyber security firm Serianu estimates that Kenya lost more than KES 17 billion to hackers in 2016. Not only did that figure grow, the sophistication and capabilities associated with these threats grew as well. Cybercriminals are always on the lookout for information stored on smartphones and tablets that can be used for profit.

  • How

They’re called free apps for a reason

It is so easy to get lost in the number of free apps you can download these days. One click and you can enjoy the game everyone is talking about, or that app that filters your photos back to the stone age. But remember that there’s always a trade-off. If they don’t charge you for using their app, chances are they are earning by reselling your personal information. How about that!

Device loss or theft

No matter how careful you are with what you store on your mobile device, once it gets lost or stolen you have little to no control over what happens to the sensitive files or data on it.

End-User License Agreements (EULAs)


You know that little checkbox you tick to say you’ve read the terms of the agreement? That’s what online service developers use to look out for themselves; they’re called EULAs. Notice that the terms they ask you to agree to can be changed at any time, with or without notice. Before saying yes to a EULA, read it and familiarise yourself with what it stipulates. You may otherwise end up allowing them to sell your photos, track your online activities or hand over information to the authorities without your knowledge.

Bring Your Own Device (BYOD)

Employers are now turning the tide with regard to personal devices used for work-related activities. Companies are investing in their own devices and top-of-the-range anti-virus software to curb the risks associated with BYOD. But if your organisation allows you to BYOD, be wary, since even a company IT policy could mean giving your IT department access to your personal files and information.

Anyone could fall victim to cybercriminals trying to breach their privacy. But there are still steps you can take to prevent this.

General Checklist:

  • Configure your device’s privacy and browser settings to control the amount of information it shares.
  • Activate screen locks and passwords to minimise the chances of hacking, and change passwords every three months for security.
  • Refrain from storing compromising files (photos and videos) you’re not comfortable with on your device.
  • Clear your mobile browser cache regularly to avoid data leakage and information-stealing malware. Constantly monitor your app and account settings to make sure sharing and connectivity are secure. For the less tech savvy, I would recommend the Clean Master app. A few clicks and you’re safe.

Get rid of apps you don’t use

  • Download only from trusted sources like the developer’s website or from Google Play. Remove apps not in use.
  • Always check the app’s permissions to ensure that it doesn’t perform functions outside of its intended use.
  • Use your mobile browsers’ private browsing settings, especially for sensitive transactions like online banking.

Device Loss or Theft Readiness

  • Keep a record of your account credentials, or use a convenient password manager, so that you can reset them when the need arises.
  • Back up files with irreplaceable information in the cloud.
  • Be prepared to contact the authorities, your service provider and any organisation concerned to prevent the malicious use of your identity and to block bill charges.
  • Sign up for a reliable remote service that allows you to find, lock or wipe your device when you need to.

Check your BYOD Agreements

  • Are you required to produce personal devices for forensic analysis?
  • Does this apply to devices shared with other family members?
  • Who can access personal information stored in your device?
  • Can your company track your location? Is this a requirement? Do they have notifications if the need for this arises? Under what circumstances?
  • Are your personal online activities monitored? Are these systems active outside regular work hours?
  • Is this information retained when you leave the company?

How ‘mystery shopping’ can help ICT regulators: 5 lessons from Zambia

Mobile money ‘Mystery shopping’ as a regulatory measure.

The legals on phone tapping and personal data

Last Friday media reports suggested that the Communications Authority of Kenya (“the CA”) intended to roll out an application called the Device Management System (DMS), capable of tapping into a mobile phone carrier’s network and enabling the CA to access personal information of people using that carrier’s network. The CA clarified that it intends to curb the proliferation of counterfeit devices by identifying and isolating those devices and denying them access to services, and not to collect subscribers’ personal information. Despite this, questions about data protection for the rest of the network’s users have arisen.

Current position

It is well known that phone tapping, surveillance and interception of communications violate the right to privacy (see Kennedy v Ireland (1987) I.R. 587 and Coalition for Reforms and Democracy (CORD) v Attorney General, Petition No. 630 of 2014).

There are two bases on which to challenge this phone tapping. Firstly, the Constitution provides that every person has the right to privacy, which includes the right not to have information relating to their family or private affairs unnecessarily required or revealed.

The Constitution grants every person the right to institute court proceedings when his/her fundamental right or freedom, such as the right to privacy as described above, has been denied, violated, infringed or is threatened.

The Kenya Information and Communications Act (Act No. 2 of 1998, as amended) (“KICA”) provides that the Cabinet Secretary in charge of Information and Communication has the power to make regulations in relation to a telecommunication service and, specifically, to make regulations on the privacy of telecommunication.

Pursuant thereto, the KICA Consumer Protection Regulations provide that a customer has a right to personal privacy and protection against unauthorised use of personal information, and specifically restrict a telecommunication licensee from allowing any person to monitor or disclose the content flowing through its system.

Further, the KICA (Registration of Subscribers of Telecommunication Services) Regulations bar the sharing of subscriber data by mobile providers without the express authority of the affected subscriber.

Conclusion

The current legal position in Kenya is that any person, including a public entity, collecting personal information has to abide by the Constitutional provisions of the Right to Privacy and the KICA regulations on consumer/customer protection.

Consequently, it appears that there would be good grounds to challenge the tapping of carrier networks by the CA. For now, the High Court has granted orders stopping the implementation of the CA directive and has ordered that the matter be heard on 6 March 2017.

 

Cyber Security – What if Yahoo was a Kenyan Company?

Background

On 22nd September 2016, Yahoo confirmed a cyber-attack in which over 500 million personal accounts were compromised. This was arguably the largest cyber security breach in history. The information obtained by the hackers includes names, email addresses, telephone numbers, dates of birth and, in some cases, security questions and answers. This comes in the wake of the ongoing merger with Verizon Communications, in which Yahoo is selling its core business (search, email and messenger assets as well as advertising technology tools) for USD 4.8 billion.

While not as embarrassing to its members as the Ashley Madison hack of 2015, this recent event is a good prompt to ask whether Kenyan law is relevant to the internet. What if Yahoo was a Kenyan company? What would be the legal outcome of this breach?

Kenyan context

Kenya’s legislature is attempting to keep up with evolving cyber security issues. Existing law does not impose any sanction or penalty on the Kenyan equivalent of Yahoo; however, there are three bills which would change this.

The Data Protection Bill 2013, the Computer and Cyber Crimes Bill 2016 (CCC) and the Cyber Security and Protection Bill 2016 (CSP) are based on the equivalent laws in South Africa and the UK and aim to incentivize companies to increase their internet security and to prohibit certain acts in the use of the internet. It is unclear if, or when, they will become law.

The Data Protection Bill aims to regulate the collection, retrieval, processing, storing, use and disclosure of personal data. The Bill proposes that all companies be required to put in place measures to protect data against loss, destruction and manipulation. Failure to put in place adequate security measures will attract a penalty of 100,000 Kenya Shillings or imprisonment of 2 years, or both.

The CSP and the CCC share the same vision of regulating cyber crimes but adopt competing methods to try and deal with this issue. The CCC is a Government Bill whereas the CSP is privately sponsored, so there is currently no clarity on when or if these bills will be progressed.

The CSP aims to establish a Response Unit in the ICT Ministry to receive and investigate reports on cyber threats. The CCC proposes additional investigative procedures for police officers.

The CSP proposes an information sharing mechanism between public and private companies (and among them), whereas the CCC seeks to improve international co-operation for prosecuting cyber crimes. Broadly, the goal of both bills is to hasten the investigation and prosecution of cyber crimes.

Relevantly for corporations, the CSP would require a company suffering a cyber-breach to report it to the Response Unit within 7 days of it occurring. Failure to do so will be an offence. Worryingly for corporations, there is no element of knowledge to trigger the 7-day reporting requirement. A company could be in breach of this provision if it were hacked and did not discover this fact for a significant period of time. As mentioned above, the CSP bill does not currently have government support, so its chance of becoming law is not high. However, its existence, and the Government’s CCC bill, show that the Kenyan legislature is moving towards regulating and imposing penalties in this area. It is only a matter of time before one of these bills is enacted.

Separate from the legal outcomes, from a commercial perspective a cyber-attack is bad for business. Yahoo not only faces potential class action suits and reputational damage; the likelihood of the hack being a deal breaker on the merger with Verizon is also high. With the potential for new legislative penalties in Kenya on the horizon, companies should place data protection and cyber security on their risk management agenda sooner rather than later, before a cyber-breach occurs and not as a result of one.

Below is a clip on simple cyber security tips we can all embrace, from the Herjavec Group, a cyber security firm.