The telecommunications industry regulator, CCK, is setting up a system to spy on private emails, citing a rise in cyber security threats since Kenya entered the global superhighway with the landing of the undersea fibre optic cable in Mombasa three years ago.
Plans to install the spyware kicked off on Monday after the Communications Commission of Kenya (CCK) sent letters to telecoms service providers demanding their co-operation in the installation of the Internet traffic monitoring equipment known as the Network Early Warning System (NEWS).
CCK said in the letter seen by the Business Daily that the system will monitor both incoming and outgoing traffic on Kenyan networks to detect and facilitate response to possible cyber threats.
“The NEWS tool will need to interface with your systems, mainly to access data that goes through your network, and we will therefore require your assistance on this,” the letter said without stating what types of threats would be monitored and what use would be made of the information gathered.
The system, which acting CCK director-general Francis Wangusi said will be operational by July, has already run into opposition from Internet Service Providers (ISPs) who say it is in breach of the Constitution.
Article 31 of Constitution grants citizens the right to privacy, including a clause preventing infringement of “the privacy of their communication.”
CCK is banking on the Kenya Information and Communications Act, which gives it power to develop a national cyber security management framework as the legal basis for its latest action.
Kenya has in the past year had at least 2,000 local Web sites hacked or defaced, including government portals.
Mr Wangusi insisted that the system will not be in breach of the constitution as it will only target potential cyber threats but critics said it was possible for government spies to infiltrate it and use the information for political or extra-legal purposes.
“In order to ensure transparency and confidentiality in this sensitive and vital process, we intend to sign a non-disclosure agreement stipulating that information gathered will only be used to facilitate response to cyber incidents and will only be shared among concerned parties,” Mr Wangusi said in his letter.
The CCK says it will be the sole custodian of the information gathered from the system insisting that the non-disclosure agreement it expects to sign with the infrastructure providers will come with strict confidentiality terms, including use of the data collected.
But a Nairobi lawyer, Paul Muite, said that any spying on people’s mails that is not backed by a specific court order will be in violation of Articles 31 and 34 of the Constitution.
“I am sure the CCK has lawyers who clearly understand that all laws are subject to the Constitution and that any law such as the Kenya Information and Communication Act that contradicts the Constitution is null and void to the extent of that contradiction,” Mr Muite said.
“This is unwarranted interference with the citizens’ right to freely communicate which is highly irregular as it amounts to spying on people without having to account for their actions,” he said.
Mr Muite said that if the CCK wants to crack down on operators whose networks are being used in a manner that compromises national security then the legal way to do so would be to seek a court order that gives it access to the network monitor to analyse the content.
On Tuesday, the CCK said plans to deploy the system were at advanced stage and is currently awaiting the arrival of the International Telecommunication Union (ITU) experts to set it up.
Deployment of the system will entail installation of sensors on each Internet Service Provider’s (ISP) network.
The sensors will relay information to a central node for collection and analysis for possible cyber threats.
The CCK’s letter to the ISPs comes after last month’s signing of a Memorandum of Understanding (MoU) with the Geneva-based ITU for the provision of technical support needed to set up the system.
With opposition rising against the Sh36.2 million deal signed by Mr Wangusi and the union’s secretary–general, Hamadoum Toure, it remains to be seen how the cyber monitoring plan will work.
Telecommunications operators are opposed to deployment of the monitoring tool, saying it risks exposing them to an avalanche of legal suits.
“We don’t actually understand how such a system would work without infringing on the privacy of our clients as guaranteed in the Constitution,” said an operator who cannot be named opposing the regulator.
He said the fact that Kenya does not have data protection laws means that the CCK cannot guarantee how the information gathered from the NEWS tool will be used.
Mr Wangusi said the CCK is reviewing its legislation to be in tune with the Constitution for smooth implementation of the project.
“We are aware that the government is working on a data protection law; however this alone won’t be enough as we need to review some of our regulations to bring them in line with the Constitution,” he said.
Cyber crimes take various forms, including violation of confidentiality, integrity of content, copyright and trademark infringement.
There are also the more serious crimes such as cyber terrorism, cyber warfare and cyber laundering that the more advanced economies such as the US have been grappling with.
While ISPs agree that there is need to respond to emerging cyber threats, most are opposed to deployment of a monitoring system without proper laws that defines use of the information gathered.
The CCK is expected to finance 70 per cent of the cost of installing the monitoring system while the ITU will fund the remaining 30 per cent.
ITU is initially expected to train staff to execute the plan and manage the system for six months.
Mr Wangusi said the monitoring centre will be established under the Kenya Information Communication Act and be guided by an ITU national CIRT country readiness assessment report that was adopted during the 2010 East Africa Council Organisation (EACO) meeting.
ITU is supporting Kenya under the Global Cybersecurity Agenda aimed at enhancing confidence and security.
Countries that have established similar agencies to tackle cyber crime include Hungary, which went into full scale spying in 2005 ‘to protect critical government infrastructure’.