Computer Misuseand Cybercrimes Act No 5of 2018 - as Plain Text by MWakili
-1101,01AN COIJINICIL FOR OltY11,1G NI 0.01,113.1 SPECIAL ISSUE Kenya Gazette Supplement No.
60 (Acts No.
5) REPUBLIC OF KENYA KENYA GAZETTE SUPPLEMENT ACTS, 2018 NAIROBI, 16th May, 2018 CONTENT Act PAGE The Computer Misuse and Cybercrimes Act, 2018 37 Li oi REPORTING! 1VED P.O.
E3c 1014-3-00100 NAIROBI, KENYA TEL:2: - q231 F=AX.
2712694 PRINTED AND PUBLISHED BY THE GOVERNMENT PRINTER, NAIROBI 37 THE COMPUTER MISUSE AND CYBERCRIMES ACT, 2018 ARRANGEMENT OF SECTIONS PART IPRELIMINARY Section 1 Short title.
2Interpretation.
3Objects of the Act.
PART IITHE NATIONAL COMPUTER AND CYBERCRIMES CO-ORDINATION COMMITTEE 4Establishment of Committee.
5Composition of the Committee.
6Functions of the Committee.
7Secretariat of the Committee.
8Reports by the Committee etc.
9Critical information infrastructure.
10Protection of critical information infrastructure.
11Reports on critical information infrastructure.
12Information sharing agreements.
13Auditing of critical information infrastructures to ensure compliance.
PART IIIOFFENCES 14Unauthorised access.
15Access with intent to commit further offence.
16Unauthorised interference.
17Unauthorised interception.
18Illegal devices and access codes.
19Unauthorised disclosure of password or access code.
20Enhanced penalty for offences involving protected computer system.
38 No.
5 Computer Misuse and Cybercrimes 2018 21Cyber espionage.
22False publications.
23Publication of false information.
24Child pornography.
25Computer forgery.
26Computer fraud.
27Cyber harassment.
28Cybersquatting.
29Identity theft and impersonation.
30Phishing.
31Interception of electronic messages or money transfers.
32Willful misdirection of electronic messages.
33Cyber terrorism.
34Inducement to deliver electronic message.
35Intentionally withholding message delivered erroneously.
36Unlawful destruction of electronic messages.
37 Wrongful distribution of obscene or intimate images.
38Fraudulent use of electronic data.
39Issuance of false e-instructions.
40Reporting of cyber threat.
41Employee responsibility to relinquish access codes.
42Aiding or abetting in the commission of an offence.
43Offences by a body corporate and limitation of liability.
44Confiscation or forfeiture of assets.
45Compensation order.
46Additional penalty for other offences committed through use of a computer system.
PART IVINVESTIGATION PROCEDURES 47Scope of procedural provisions.
39 2018 Computer Misuse and Cybercrimes No.
5 48Search and seizure of stored computer data.
49Record of and access to seized data.
50Production order.
51 Expedited preservation and partial disclosure of traffic data.
52Real-time collection of traffic data.
53Interception of content data.
54Obstruction and misuse of power.
55 Appeal.
56Confidentiality and limitation of liability.
PART V INTERNATIONAL CO-OPERATION 57 General principles relating to international co- operation.
58Spontaneous information.
59Expedited preservation of stored computer data.
60Expedited disclosure of preserved traffic data.
61 Mutual assistance regarding accessing of stored computer data.
62Trans-border access to stored computer data with consent or where publicly available.
63Mutual assistance in the real-time collection of traffic data.
64Mutual assistance regarding the interception of content data.
65Point of contact.
PART VIGENERAL PROVISIONS 66Territorial jurisdiction.
67Forfeiture.
68Prevailing Clause.
69Consequential Amendments.
PART VIIPROVISIONS ON DELEGATED POWERS 70Regulations.
SCHEDULE 40 No.
5 Computer Misuse and Cybercrimes 2018 THE COMPUTER MISUSE AND CYBERCRIMES ACT No.
5 of 2018 Date of Assent: 16th May, 2018 Date of Commencement: 30th May, 2018 AN ACT of Parliament to provide for offences relating to computer systems; to enable timely and effective detection, prohibition, prevention, response, investigation and prosecution of computer and cybercrimes; to facilitate international co-operation in dealing with computer and cybercrime matters; and for connected purposes ENAt;TED by the Parliament of Kenya as follows PART 1PRELIMINARY 1.
This Act may be cited as the Computer Misuse and Short title.
Cybercrimes Act, 2018.
2.
In this Act, unless the context otherwise requires Interpretation.
"access" means gaining entry into or intent to gain entry by a person to a program or data stored in a computer system and the person either (a) alters, modifies or erases a program or data or any aspect related to the program or data in the computer system; (b) copies, transfers or moves a program or data to (i) any computer system, device or storage medium other than that in which it is stored; or (ii) to a different location in the same computer system, device or storage medium in which it is stored; (c) causes it to be output from the computer in which it is held, whether by having it displayed or in any other manner; or (d) uses it by causing the computer to execute a program or is itself a function of the program; "Authority" means the Communications Authority of Cap.
411A.
Kenya; "authorised person" means an officer in a law enforcement agency or a cybersecurity expert designated 41 2018 Computer Misuse and Cybercrimes No.
5 by the Cabinet Secretary responsible for matters relating to national security by notice in the Gazette for the purposes of Part III of this Act; "blockchain technology" means a digitized, decentralized, public ledger of all crypto currency transactions; "Cabinet Secretary" means the Cabinet Secretary responsible for matters relating to internal security; "Central Authority" means the Office of the Attorney No.
49 of 2012.
General and Department of Justice; "Committee" means the National Computer and Cybercrimes Co-ordination Committee established under section 4; "computer data storage medium" means a device, whether physical or virtual, containing or designed to contain, or enabling or designed to enable storage of data, whether available in a single or distributed form for use by a computer, and from which data is capable of being reproduced; "computer system" means a physical or virtual device, or a set of associated physical or virtual devices, which use electronic, magnetic, optical or other technology, to perform logical, arithmetic storage and communication functions on data or which perform control functions on physical or virtual devices including mobile devices and reference to a computer system includes a reference to part of a computer system; "content data" means the substance, its meaning or purport of a specified communication; "critical information infrastructure system or data" means an information system, program or data that supports or performs a function with respect to a national critical information infrastructure; "critical infrastructure" means the processes, systems, facilities, technologies, networks, assets and services essentials to the health, safety, security or economic well- being of Kenyans and the effective functioning of Government; "cybersquatting" means the acquisition of a domain name over the internet in bad faith to profit, mislead, 42 No.
5 Computer Misn,L and Cybercrimes 2018 destroy reputation, or deprive another from registering the same, if the domain name is (a) similar, identical or confusingly similar to an existing trademark registered with the appropriate government agency at the time of registration; (b) identical or in any way similar with the name of a person other than the registrant, in case of a personal name; or (c) acquired without right or intellectual property interests in it.
"data" means any representation of facts, information or concepts Li a form suitable for processing in a computer system, including a program suitable to cause a computer system to perform a function; "interception" means the monitoring, modifying, viewing or recording of non-public transmissions of data to or from a computer system over a telecommunications system, and includes, in relation to a function of a computer system, listening to or recording a function of a computer system or acquiring the substance, its meaning or purport of such function; "interference" means any impairment to the confidentiality, integrity or availability of a computer system, or any program or data on a computer system, or any act in relation to the computer system which impairs the operation of the computer system, program or data; "mobile money" means electronic transfer of funds between banks or accounts' deposit or withdrawal of funds or payment of bills by mobile phone; "national critical information infrastructure" means a vital virtual asset, facility, system, network or process whose incapacity, destruction or modification would have (a) a debilitating impact on the availability, integrity or delivery of essential services including those services, whose integrity, if compromised, could result in significant loss of life or casualties; or (b) significant impact on national security, national defense, or the functioning of the state.
43 2018 Computer Misuse and Cybercrimes No.
5 "network" components means a collection of hardware and computers interconnected by communications channels that allow sharing of resources and information; "password" means any data by which a computer service or a computer system is capable of being obtained or used; "pornography" includes the representation in books, magazines, photographs, films, and other media, telecommunication apparatus of scenes of sexual behaviour that are erotic or lewd and are designed to arouse sexual interest"; "premises" includes land, buildings, movable structures, a physical or virtual space in which data is maintained, managed, backed up remotely and made available to users over' a network, vehicles, vessels or aircraft; "program" means data representing instructions or statements that, if executed in a computer system, causes the computer system to perform a function and reference to a program includes a reference to a part of a program; "requested State" means a state being requested to provide legal assistance under the terms of this Act; "requesting State" means a state requesting for legal assistance and may for the purposes of this Act include an international entity to which Kenya is obligated; "seize" with respect to a program or data includes to- (a) secure a computer system or part of it or a device; (b) make and retain a digital image or secure a copy of any program or data, including using an on-site equipment; (c) render the computer system inaccessible; (d) remove data in the accessed computer system; or (e) obtain output of data from a computer system; "service provider" means (a) a public or private entity that provides to users of its services the means to communicate by use of a computer system; and 44 No.
5 Computer Misuse and Cybercrimes 2018 (b) any other entity that processes or stores computer data on behalf of that entity or its users; "subscriber information" means any information contained in the form of data or any form that is held by a service provider, relating to subscribers of its services, other than traffic data or content data, by which can be established (a) the type of communication service used, the technical provisions taken thereto and the period of service; (b) the subscriber's identity, postal, geographic location, electronic mail address, telephone and other access number, billing and payment information, available on the basis of the service agreement or arrangement; or (c) any other information on the site of the installation of telecommunication apparatus, available on the basis of the service agreement or arrangement; "telecommunication apparatus" means an apparatus constructed or adapted for use in transmitting anything which is transmissible by a telecommunication system or in conveying anything which is transmitted through such a system; "telecommunication system" means a system for the conveyance, through the use of electric, magnetic, electro- magnetic, electro-chemical or electro-mechanical energy, of (a) speech, music or other sounds; (b) visual images; (c) data; (d) signals serving for the impartation, whether as between persons and persons, things and things or persons and things, of any matter otherwise than in the form of sound, visual images or data; or (e) signals serving for the activation or control of machinery or apparatus and includes any cable for the distribution of anything falling within paragraphs (a), (b), (c) or (d); 45 2018 Computer Misuse and Cybercrimes No.
5 "traffic data" means computer data relating to a communication by means of a computer system, generated by a computer system that formed a part in the chain of communication, indicating the communication's origin, destination, route, time, date, size, duration or the type of underlying service; and "trust accounts" means an account where a bank or trust company is holding funds in relation to mobile money on behalf of the public depositors.
3.
The objects of this Act are to Objects of the (a) Act.
protect the confidentiality, integrity and availability of computer systems, programs and data; (b) prevent the unlawful use of computer systems; (c) facilitate the prevention, detection, investigation, prosecution and punishment of cybercrimes; (d) protect the rights to privacy, freedom of expression and access to information as guaranteed under the Constitution; and (e) facilitate international co-operation on matters covered under this Act.
PART IITHE NATIONAL COMPUTER AND CYBERCRIMES CO-ORDINATION COMMITTEE 4.
There is established the National Computer and Establishment Cybercrimes Co-ordination Committee.
of Committee.
5.
(1) The Committee shall comprise of Composition of (a) the Committee.
the Principal Secretary responsible for matters relating to internal security or a representative designated and who shall be the chairperson; (b) the Principal Secretary responsible for matters relating to information, communication and technology or a representative designated in writing by the Principal Secretary responsible for information, communication and technology; (c) the Attorney-General or a representative designated in writing by the Attorney-General; (d) the Chief of the Kenya Defence Forces or a representative designated in writing by the Chief of the Kenya Defence Forces; 7 46 No.
5 Computer Misuse and Cybercrimes 2018 (e) the Inspector-General of the National Police Service or a representative designated in writing by the Inspector-General of the National Police Service; (f) the Director-General of the National Intelligence Service or a representative designated in writing by the Director General of the National Intelligence Service; (g) the Director-General of the Communications Authority of Kenya or a representative designated in writing by the Director-General of the Communications Authority of Kenya; (h) the Director of Public Prosecutions or a representative designated in writing by the Director of Public Prosecutions; (i) the Governor of the Central Bank of Kenya or a representative designated in writing by the Governor of the Central Bank of Kenya; and (j) the Director who shall be the secretary of the Committee and who shall not have a right to vote.
(2) The.
Committee shall report to the Cabinet Secretary responsible for matters relating to internal security.
Functions of the 6.
(1) The Committee shall Committee.
(a) advise the Government on security related aspects touching on matters relating to blockchain technology, critical infrastructure, mobile money and trust accounts; (b) advise the National Security Council on computer and cybercrimes; (c) co-ordinate national security organs in matters relating to computer and cybercrimes; (d) receive and act on reports relating to computer and cybercrimes; (e) develop a framework to facilitate the availability, integrity and confidentiality of critical national information infrastructure including telecommunications and information systems of Kenya; 47 2018 Computer Misuse and Cybercrimes No.
5 (f) co-ordinate collection and analysis of cyber threats, and response to cyber incidents that threaten cyberspace belonging to Kenya, whether such threats or incidents of computer and cybercrime occur within or outside Kenya; co-operate with computer incident response teams (g) and other relevant bodies, locally and internationally on response to threats of computer and cybercrime and incidents; establish codes of cyber-security practice and (h) standards of performance for implementation by owners of critical national information infrastructure; (i) develop and manage a national public key infrastructure framework; (j) develop a framework for training on prevention, lictltA.Aaull and mitigation of computer and cybercrimes and matters connected thereto; and perform any other function conferred on it by this (k) Act or any other written law.
(2) Subject to the provisions of this Act, the Committee shall regulate its own procedure.
7.
(1) There shall be a Secretariat which shall Secretariat of the comprise of the Director and such number of public officers Committee.
that, subject to the approval of the Committee, the Cabinet Secretary responsible for matters relating to internal security in consultation with the Cabinet Secretary responsible for matters relating to information, communications and technology may deploy to the Secretariat.
(2) The Director shall be (a) the head of the Secretariat; and (b) responsible to the Committee for the day to day administration of the affairs of the Secretariat and implementation of the decisions arising from the Committee.
(3) Without prejudice to the generality of the provisions of subsection (2), the Director shall be responsible for 48 Computer Misuse and Cybercrimes No.
5 2018 (a) the implementation of the decisions of the Committee; (b) the efficient administration of the Secretariat; (c) the management of staff of the Secretariat; (d) the maintenance of accurate records on financial matters and resource use; (e) the preparation and approval of the budget for the required funding of the operational expenses of the Secretariat; and (f) the performance of any other duties as may be assigned to him or her by the Committee.
(4) The Director shall be appointed for a single term of four years and shall not be eligible for reappointment.
8.
Reports by the The Committee shall submit quarterly reports to the Committee etc.
National Security Council.
9.
(1) The Director shall, by notice in the Gazette, Critical designate certain systems as critical infrastructure.
information infrastructure.
(2) The Director shall designate a system as a critical infrastructure if a disruption of the system would result in (a) the interruption of a life sustaining service including the supply of water, health services and energy; (b) an adverse effect on the economy of the Republic; (c) an event that would result in massive casualties or fatalities; (d) failure or substantial disruption of the money market of the Republic; and (e) adverse and severe effect of the security of the Republic including intelligence and military services.
(3) The Director shall, within a reasonable time of designating a system as critical infrastructure, inform the owner or operator of the system the reasons for the designation of the system as a critical infrastructure.
(4) The Director shall, within a reasonable time of the declaration of any information infrastructure, or category or 49 2018 Computer Misuse and Cybercrimes No.
5 class of information infrastructure or any part thereof, as a critical information infrastructure, in line with a critical infrastructure framework issue directives to regulate (a) the classification of data held by the critical information infrastructure; (b) the protection of, the storing of and archiving of data held by the critical information infrastructure; (c) cyber security incident management by the critical information infrastructure; (d) disaster contingency and recovery measures, which must be put in place by the critical information infrastructure; (e) minimum physical and technical security measures that must be implemented in order to protect the critical information infrastructure; (f) the period within which the owner, or person in control of a critical information infrastructure must comply with the directives; and (g) any other relevant matter which is necessary or expedient in order to promote cyber security in respect of the critical information infrastructure.
10.
(1) The Committee shall within reasonable time Protection of and in consultation with the owner or a person in control of critical information an identified critical information infrastructure, submit to infrastructure.
the National Security Council its recommendations of entities to be gazetted as critical information infrastructures.
(2) The Committee shall, after the gazettement under subsection (1), in consultation with a person that owns or operates the critical information infrastructure (a) conduct an assessment of the threats, vulnerabilities, risks, and probability of a cyber- attack across all critical infrastructure sectors; (b) determine the harm to the economy that would result from damage or unauthorized access to critical infrastructure; (c) measure the overall preparedness of each sector against damage or unauthorized access to critical infrastructure including the effectiveness of market 50 No.
5 Computer Misuse and Cybercrimes 2018 forces driving security innovation and secure practices.
identify any other risk-based security factors (d) appropriate and necessary to protect public health and safety, or national socio-economic security; and I4 (e) recommend to the owners of sYstaiirdesitmated as critical infrastructure, methods of securing their systems against cyber threats.
11.
(1) The owner or operator of a system designated Reports on critical as critical infrastructure shall report to the Committee any information incidents likely to constitute a threat in the nature of an infrastructure.
attack that amounts to a computer and cybercrime and the action the owner or operator intends to take to prevent the threat.
Upon receipt of a report by the Committee, under (2) subsection (1), the National Security Council shall provide technical assistance to the owner or operator of a critical infrastructure to mitigate the threat.
(3) The Director may institute an investigation of a computer and cybercrime attack on his or her own volition and may take necessary steps to secure any critical infrastructure without reference to the entity.
The Director shall submit a report on any threat in (4) the nature of a computer and cybercrime reported by the owners or operators of critical infrastructure periodically to the National Security Council.
12.
(1) A private entity may enter into an information Information sharing agreement with a public entity on critical sharing agreements.
information infrastructure.
(2) An agreement under subsection (1) shall only be entered into for the following purposes and in line with a critical infrastructure framework to ensure cyber security; (a) for the investigation and prosecution of crimes (b) related to cyber security; (c) for the protection of life or property of an individual; and to protect the national security of the country.
(d) 51 2018 Computer Misuse and Cybercrimes No.
5 (3) Prior to the sharing of information under subsection (1), a party to an agreement shall review the information and ascertain whether the information contains personal details that may identify a specific person not directly related to a threat that amounts to a computer and cybercrime and remove such information.
(4) A person shall not, under this Part, share information relating to the health status of another person without the prior written consent of the person to whom the information relates.
13.
(1) The owner or person in control of a critical Auditing of information infrastructure shall annually submit a critical compliance report on the critical information infrastructure information infrastructures to to the Committee in line with a critical infrastructure ensure framework in order to evaluate compliance.
compliance.
(2) The Director, shall within a reasonable time before an audit on a critical information infrastructure or at any time there is an imminent threat in the nature of an attack that amounts to a computer and cybercrime, notify the owner or person in control of a critical information infrastructure in writing (a) the date on which an audit is to be performed; and (b) the particulars and contact details of the person who is responsible for the overall management and control of the audit.
(3) The Director shall monitor, evaluate and report on the adequacy and effectiveness of any audit.
(4) The Director may request the owner or person in control of a critical information infrastructure to provide such additional information as may be necessary within a specified period in order to evaluate the issues raised from the audit.
(5) An owner or authorised person in control of a critical information infrastructure commits an offence and if convicted is liable to a fine not exceeding two hundred thousand shillings or to term of imprisonment not exceeding five years or both if the owner or authorized person (a) fails to file a compliance report and fails to co- operate with an audit to be performed on a critical information infrastructure in order to evaluate compliance with the directives issued; 52 Computer Misuse and Cybercrimes No.
5 2018 (b) fails to provide to the Director such additional information as may be necessary within a specified period in order to evaluate the report of an audit in line with the critical infrastructure after he or she has been requested to do so to the Director; (c) hinders, obstructs or improperly attempts to influence any member of the Committee, person or entity to monitor, evaluate and report on the adequacy and effectiveness of an audit; (d) hinders, obstructs or improperly attempts to influence any person authorized to carry out an audit; (e) fails to co-operate with any person authorized to carry out an audit; or (0 fails to assist or provide technical assistance and support to a person authorized to carry out an audit.
(6) A person shall not perform an audit on a critical information infrastructure unless he or she (a) has been authorized in writing by the Director to perform such audit; or (b) is in possession of a certificate of appointment, in the prescribed form, issued by the Director, which certificate must be submitted to the owner or person in control of a critical information infrastructure at the commencement of the audit.
PART IIIOFFENCES 14.
Unauthorised (1) A person who causes, whether temporarily or access.
permanently, a computer system to perform a function, by infringing security measures, with intent to gain access, and knowing such access is unauthorised, commits an offence and is liable on conviction, to a fine not exceeding five million shillings or to imprisonment for a term not exceeding three years, or to both.
(2) Access by a person to a computer system is unauthorised if (a) that person is not entitled to control access of the kind in question to the program or data; or 53 2018 Computer Misuse and Cybercrimes No.
5 (b) that person does not have consent from any person who is entitled to access the computer system through any function to the program or data.
(3) For the purposes of this section, it is immaterial that the unauthorised access is not directed at (a) any particular program or data; (b) a program or data of any kind; or (c) a program or data held in any particular computer system.
15.
(1) A person who commits an offence under Access with intent section 14 with intent to commit a further offence under to commit further any law, or to facilitate the commission of a further offence offence.
by that person or any other person, commits an offence and is liable, on conviction, to a fine not exceeding ten million shillings or to imprisonment for a term not exceeding ten years, or to both.
(2) For the purposes of subsection (1), it is immaterial that the further offence to which this section applies is committed at the same time when the access is secured or at any other time.
16.
(1) A person who intentionally and without Unauthorised authorisation does any act which causes an unauthorised interference.
interference, to a computer system, program or data, commits an offence and is liable on conviction, to a fine not exceeding ten million shillings or to imprisonment for a term not exceeding five years, or to both.
(2) For the purposes of this section, an interference is unauthorised, if the person whose act causes the interference (a) is not entitled to cause that interference; (b) does not have consent to interfere from a person who is so entitled.
(3) A person who commits an offence under subsection (1) which, (a) results in a significant financial loss to any person; (b) threatens national security; (c) causes physical injury or death to any person; or 54 Computer Misuse and Cybercrimes No.
5 2018 (d) threatens public health or public safety, is liable, on conviction, to a fine not exceeding twenty million shillings or to imprisonment for a term not exceeding ten years, or to both.
(4) For the purposes of this section, it is immaterial whether or not the unauthorised interference is directed at (a) any particular computer system, program or data; (b) a program or data of any kind; or (c) a program or data held in any particular computer system.
(5) For the purposes of this section, it is immaterial whether an unauthorised modification or any intended effect of it is permanent or temporary.
17.
(1) A person who intentionally and without Unauthorised authorisation does any act which intercepts or causes to be interception.
intercepted, directly or indirectly and causes the transmission of data to or from a computer system over a telecommunication system commits an offence and is liable, on conviction, to a fine not exceeding ten million shillings or to imprisonment for a term not exceeding five years, or to both.
(2) A person who commits an offence under subsection (1) which (a) results in a significant financial loss; (b) threatens national security; (c) causes physical or psychological injury or death to any person; or (d) threatens public health or public safety, is liable, on conviction to a fine not exceeding twenty million shillings or to imprisonment for a term not exceeding ten years, or to both.
(3) For the purposes of this section, it is immaterial that the unauthorised interception is not directed at (a) a telecommunication system; (b) any particular computer system data; (c) a program or data of any kind; or 55 2018 Computer Misuse and Cybercrimes No.
5 (d) a program or data held in any particular computer system.
(4) For the purposes of this section, it is immaterial whether an unauthorised interception or any intended effect of it is permanent or temporary.
18.
(1) A person who knowingly manufactures, adapts, Illegal devices and imports, offers to supply, distributes access codes.
sells, procures for use, a device, program, computer or otherwise makes available password, access code or similar data designed or adapted primarily for the purpose of committing any offence under this Part, commits an offence and is liable, on conviction, to a fine not exceeding twenty million shillings or to imprisonment for a term not exceeding ten years, or to both.
(2) A person who knowingly receives, or is in possession of, a program or a computer password, device, access code, or similar data from any action specified under subsection (1) and intends that it be used to commit or assist in commission of an offence under this Part commits an offence and is liable on conviction, to a fine not exceeding ten million shillings or to imprisonment for a term not exceeding five years, or to both.
(3) Despite subsections (1) and (2), the activities described under the subsections do not constitute an offence if (a) any act intended for the authorised training, testing or protection of a computer system; or the use of a program or a computer password, (b) access code, or similar data is undertaken in compliance of and in accordance with the terms of a judicial order issued or in exercise of any power under this Act or any law.
(4) For the purposes of subsections (1) and (2), possession of any program or a computer password, access code, or similar data includes having (a) possession of a computer system which contains the program or a computer password, access code, or similar data; (b) possession of a data storage device in which the program or a computer password, access code, or similar data is recorded; or 56 No.
5 Computer Misuse and Cybercrimes 2018 (c) control of a program or a computer password, access code, or similar data that is in the possession of another person.
19.
Unauthorised (1) A person who knowingly and without authority disclosure of discloses any password, access code or other means of password or gaining access to any program or data held in any computer access code.
system commits an offence and is liable, on conviction, to a fine not exceeding five million shillings or to imprisonment for a term not exceeding three years, or to both.
(2) A person who commits the offence under subsection (1) (a) for any wrongful gain; (b) for any unlawful purpose; or (c) to occasion any loss, is liable, on conviction, to a fine not exceeding ten million shillings or to imprisonment for a term not exceeding five years, or to both.
20.
(1) Where a person commits any of the offences Enhanced penalty specified under sections 14, 15, 16 and 17 on a protected for offences involving computer system, that person shall be liable, on conviction, protected to a fine not exceeding twenty five million shillings or computer system.
imprisonment for a term not exceeding twenty years or both.
(2) For purposes of this section "protected computer system" means a computer system used directly in connection with, or necessary for, (a) the security, defence or international relations of Kenya; (b) the existence or identity of a confidential source of information relating to the enforcement of a criminal law; (c) the provision of services directly related to communications infrastructure, banking and financial services, payment and settlement systems and instruments, public utilities or public transportation, including government services delivered electronically; 57 2018 Computer Misuse and Cybercrimes No.
5 the protection of public safety including systems (d) related to essential emergency services such as police, civil defence and medical services; (e) the provision of national registration systems; or (f) such other systems as may be designated relating to the security, defence or international relations of Kenya, critical information, communications, business or transport infrastructure and protection of public safety and public services as may be designated by the Cabinet Secretary responsible for matters relating to information, communication and technology.
21.
(1) A person who unlawfully and intentionally Cyber espionage.
performs or authorizes or allows another person to perform a prohibited act envisaged in this Act, in order to (a) gain access, as provided under section 14, to critical data, a critical database or a national critical information infrastructure; or (b) intercept data, as provided under section 17, to, from or within a critical database or a national critical information infrastructure, with the intention to directly or indirectly benefit a foreign state against the Republic of Kenya, commits an offence and is liable, on conviction, to imprisonment for a period not exceeding twenty years or to a fine not exceeding ten million shillings, or to both.
(2) A person who commits an offence under subsection (1) which causes physical injury to any person is liable, on conviction, to imprisonment for a term not exceeding twenty years.
(3) A person who commits an offence under subsection (1) which causes the death of a person is liable, on conviction, to imprisonment for life.
(4) A person who unlawfully and intentionally possesses, communicates, delivers or makes available or receives, data , to, from or within a critical database or a national critical information infrastructure, with the intention to directly or indirectly benefit a foreign state against the Republic of Kenya, commits an offence and is liable on conviction to imprisonment for a period not 58 Computer 'lisuse and Cybercrimes No.
5 2018 exceeding twenty years or to a fine not exceeding ten million shillings, or to both.
(5) A person who unlawfully and intentionally performs or authorizes, or allows another person to perform a prohibited act as envisaged under this Act in order to gain access, as provided under section 14 ,to or intercept data ,as provided under section 17, which is in possession of the State and which is exempt information in accordance with the law relating to access to information, with the intention to directly or indirectly benefit a foreign state against the Republic of Kenya , commits an offence and is liable, on conviction , to a fine not exceeding five million shillings or to imprisonment for a period not exceeding ten years, or to both.
22.
(1) A person who intentionally publishes false, False publications.
misleading or fictitious data or misinforms with intent that the data shall be considered or acted upon as authentic, with or without any financial gain, commits an offence and shall, on conviction, be liable to a fine not exceeding five million shillings or to imprisonment for a term not exceeding two years, or to both.
(2) Pursuant to Article 24 of the Constitution, the freedom of expression under Article 33 of the Constitution shall be limited in respect of the intentional publication of false, misleading or fictitious data or misinformation that (a) is likely to (i) propagate war; or (ii) incite persons to violence; (b) constitutes hate speech; (c) advocates hatred that (i) constitutes ethnic incitement, vilification of others or incitement to cause harm; or (ii) is based on any ground of discrimination specified or contemplated in Article 27(4) of the Constitution; or (d) negatively affects the rights or reputations of others.
23.
A person who knowingly publishes information Publication of that is false in print, broadcast, data or over a computer false information.
system, that is calculated or results in panic, chaos, or 59 2018 Computer Misuse and Cybercrimes No.
5 violence among citizens of the Republic, or which is likely to discredit the reputation of a person commits an offence and shall on conviction, be liable to a fine not exceeding five million shillings or to imprisonment for a term not exceeding ten years, or to both.
24.
(1) Child A person who, intentionally pornography.
(a) publishes child pornography through a computer system; (b) produces child pornography for the purpose of its publication through a computer system; (c) downloads, distributes, transmits, disseminates, circulates, delivers, exhibits, lends for gain, exchanges, barters, sells or offers for sale, lets on hire or offers to let on hire, offers in another way, or make available in any way from a telecommunications apparatus pornography; or (d) possesses child pornography in a computer system or on a computer data storage medium, commits an offence and is liable, on conviction, to a fine not exceeding twenty million or to imprisonment for a term not exceeding twenty five years, or both.
(2) It is a defence to a charge of an offence under subsection (1) that a publication which is proved to be justified as being for the public good on the ground that such book, pamphlet, paper, writing, drawing, painting, art, representation or figure is in the interest of science, literature, learning or other objects of general concerns.
(3) For purposes of this section "child" means a person under the age of eighteen years; "child pornography" includes data which, whether visual or audio, depicts (a) a child engaged in sexually explicit conduct; (b) a person who appears to be a child engaged in sexually explicit conduct; or (c) realistic images representing a child engaged in sexually explicit conduct; 60 Computer Misuse and Cybercrimes No.
5 2018 "publish" includes to (a) distribute, transmit, disseminate, circulate, deliver, exhibit, lend for gain, exchange, barter, sell or offer for sale, let on hire or offer to let on hire, offer in any other way, or make available in any way; (b) having in possession or custody, or under control, for the purpose of doing an act referred to in paragraph (a); or (c) print, photograph, copy or make in any other manner whether of the same or of a different kind or nature for the purpose of doing an act referred to in paragraph (a).
25.
(1) A person who intentionally inputs, alters, Computer deletes, or suppresses computer data, resulting in forgery.
inauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic, regardless of whether or not the data is directly readable and intelligible commits an offence and is liable, on conviction, to fine not exceeding ten million shillings or to imprisonment for a term not exceeding five years, or to both.
(2) A person who commits an offence under subsection (1), dishonestly or with similar intent (a) for wrongful gain; (b) for wrongful loss to another person; or (c) for any economic benefit for oneself or for another person, is liable, on conviction, to a fine not exceeding twenty million shillings or to imprisonment for a term not exceeding ten years, or to both.
26.
(1) A person who, with fraudulent or dishonest Computer intent fraud.
(a) unlawfully gains; (b) occasions unlawful loss to another person; or (c) obtains an economic benefit for oneself or for another person, through any of the means described in subsection (2), commits an offence and is liable, on conviction, to a fine not exceeding twenty million shillings or 61 2018 Computer Misuse and Cybercrimes No.
5 imprisonment term for a term not exceeding ten years, or to both.
(2) For purposes of subsection (1) the word " means" refers to (a) an unauthorised access to a computer system , program or data; any input, alteration, modification, deletion, (b) suppression or generation of any program or data; (c) any interference, hindrance, impairment or obstruction with the functioning of a computer system; copying, transferring or moving any data or (d) program to any computer system, data or computer data storage medium other than that in which it is held or to a different location in any other computer system, program, data or computer data storage medium in which it is held; or (e) uses any data or program, or has any data or program output from the computer system in which it is held, by having it displayed in any manner.
27.
(1) A person who, individually or with other Cyber harassment.
persons, wilfully communicates, either directly or indirectly, with another person or anyone known to that person, commits an offence, if they know or ought to know that their conduct (a) is likely to cause those persons apprehension or fear of violence to them or damage or loss on that persons' property; or detrimentally affects that person; or (b) (c) is in whole or part, of an indecent or grossly offensive nature and affects the person.
(2) A person who commits an offence under subsection (1) is liable, on conviction, to a fine not exceeding twenty million shillings or to imprisonment for a term not exceeding ten years, or to both.
(3) A person may apply to Court for an order compelling a person charged with an offence under subsection (1) to refrain from 62 No.
5 Computer Misuse and Cybercrimes 2018 (a) engaging attempting to engage in; or (b) enlisting the help of another person to engage in, any communication complained of under subsection (1).
(4) The Court (a) may grant an interim order; and (b) shall hear and determine an application under subsection (4) within fourteen days.
(5) An intermediary may apply for the order under subsection (4) on behalf of a complainant under this section.
(6) A person may apply for an order under his section outside court working hours.
(7) The Court may order a service provider to provide any subscriber information in its possession for the purpose of identifying a person whose conduct is complained of under this section.
(8) A person who contravenes an order made under this section commits an offence and is liable, on conviction to a fine not exceeding one million shillings or to imprisonment for a term not exceeding six months, or to both.
28.
Cybersquatting.
A person who, intentionally takes or makes use of a name, business name, trademark, domain name or other word or phrase registered, owned or in use by another person on the internet or any other computer network, without authority or right, commits an offence and is liOble on conviction to a fine not exceeding two hundred thousand shillings or imprisonment for a term not exceedirig two years or both.
29.
Identity theft and A person who fraudulently or dishonestly makes use of the electronic signature, password or impersonation.
any other unique identification feature of any other person commits an offence and is liable, on conviction, to a fine not exceeding two hundred thousand shillings or to imprisonment for a term not exceeding three years or both.
30.
Phishing.
A person who creates or operates a website or sends a message through a computer system with the intention to induce the user of a website or the recipient of 63 2018 Computer Misuse and Cybercrimes No.
S the message to disclose personal information for an unlawful purpose or to gain unauthorized access to a computer system, commits an offence and is liable upon conviction to a fine not exceeding three hundred thousand shillings or to imprisonment for a term not exceeding three years or both.
A person who unlawfully destroys or aborts any Interception of 31.
electronic electronic mail or processes through which money or messages or information is being conveyed commits an offence and money transfers.
is liable on conviction to a fine not exceeding two hundred thousand shillings or to a term of imprisonment not exceeding seven years or to both.
32.
A person who willfully misdirects electronic Willful messages commits an offence and is liable on conviction to misdirection of electronic a fine not exceeding one hundred thousand shillings or to messages.
imprisonment for a term not exceeding two years or to both.
33.(11 A person who accesses or causes to be Cyber terrorism.
accessed a computer or computer system or network for purposes of carrying out a terrorist act, commits an offence and shall on conviction, be liable to a fine not exceeding five million shillings or to imprisonment for a term not exceeding ten years, or to both.
(2) For the purpose of this section, "terrorist act" shall No.30 of 2012.
have the same meaning as assigned under the Prevention of Terrorism Act, 2012.
A person who induces any person in charge of Inducement to 34.
deliver electronic electronic devices to deliver any electronic messages not message.
specifically meant for him commits an offence and is liable on conviction to a fine not exceeding two hundred thousand shillings or imprisonment for a term not exceeding two years or to both.
A person who intentionally hides or detains any Intentionally 35.
withholding electronic mail, message, electronic payment, credit and message delivered debit card which was found by the person or delivered to erroneously.
the person in error and which ought to be delivered to another person, commits an offence and is liable on conviction a fine not exceeding two hundred thousand shillings or imprisonment for a term not exceeding two years or to both.
A person who unlawfully destroys or aborts any Unlawful 36.
destruction of electronic mail or processes through which money or electronic information is being conveyed commits an offence and is messages.
64 No.
5 Computer Misuse and Cybercrimes 2018 liable on conviction to a fine not exceeding two hundred thousand shillings or imprisonment for a term not exceeding two years, or to both.
37.
A person who transfers, publishes, or dw.
mtfi ntru disseminates, including making a digital depiction available ob til f isscenu for e 07 distribution or downloading intimate images.
through a telecommunications network or though any other means of transferring data to a computer, the intimate or obscene image of another person commits an offence and is liable, on conviction to a fine not exceeding two hundred thousand shillings or imprisonment for a term not exceeding two years, or to both.
38.
(1) A person who knowingly and without authority Fraudulent use of causes any loss of property to another by altering, erasing, electronic data.
inputting or suppressing any data stored in a computer, commits an offence and is liable on conviction to a fine not exceeding two hundred thousand shillings or imprisonment for a term not exceeding two years, or to both.
(2) A person who sends an electronic message which materially misrepresents any fact upon which reliance by another person is caused to suffer any damage or loss commits an offence and is liable on conviction to imprisonment for a fine not exceeding two hundred thousand shillings or imprisonment for a term not exceeding two years, or to both.
(3) A person who with intent to defraud, franks electronic messages, instructions, subscribes any electronic messages or instructions, commits an offence and is liable on conviction a fine not exceeding two hundred thousand shillings or imprisonment for a term not exceeding two years, or to both.
(4) A person who manipulates a computer or other electronic payment device with the intent to short pay or overpay commits an offence and is liable on conviction to a fine not exceeding two hundred thousand shillings or imprisonment for a term not exceeding two years, or to both.
(5) A person convicted under subsection (4) shall forfeit the proprietary interest in the stolen money or property to the bank, financial institution or the customer.
39.
A person authorized to use a computer or other Issuance of false electronic devices for financial transactions including e-instructions.
posting of debit and credit transactions, issuance of 65 2018 Computer Misuse and Cybercrimes No.
5 electronic instructions as they relate to sending of electronic debit and credit messages or confirmation of electronic fund transfer, issues false electronic instructions, commits an offence and is liable, on conviction, a fine not exceeding two hundred thousand shillings or imprisonment for a term not exceeding two years, or to both.
40.
(1) A person who operates a computer system or a Reporting of computer network, whether public or private, shall cyber threat.
immediately inform the Committee of any attacks, intrusions and other disruptions to the functioning of another computer system or network within twenty four hours of such attack, intrusion or disruption.
(2) A report made under subsection (1) shall include (a) information about the breach, including a summary of any information that the agency knows on how the breach occurred; (b) an estimate of the number of people affected by the breach; (c) an assessment of the risk of harm to the affected individuals; and (d) an explanation of any circumstances that would delay or prevent the affected persons from being informed of the breach.
(3) The Committee may propose the isolation of any computer systems or network suspected to have been attacked or disrupted pending the resolution of the issues.
(4) A person who contravenes the provisions of subsection (1) commits an offence and is liable upon conviction a fine not exceeding two hundred thousand shillings or imprisonment for a term not exceeding two years, or to both.
41.
(1) An employee shall, subject to any contractual Employee agreement between the employer and the employee, responsibility to relinquish access relinquish all codes and access rights to their employer's codes.
computer network or system immediately upon termination of employment.
(2) A person who contravenes the provision of this subsection (1) commits an offence and shall be, liable on conviction, to a fine not exceeding two hundred thousand 66 Computer Misuse and Cybercrimes No.
5 2018 shillings or imprisonment for a term not exceeding two years, or to both.
42.
(1) A person who knowingly and willfully aids or Aiding or abetting abets the commission of any offence under this Act in the commission commits an offence and is liable, on conviction, to a fine of an offence.
not exceeding seven million shillings or to imprisonment for a term not exceeding four years, or to both.
(2) A person who knowingly and willfully attempts to commit an offence or does any act preparatory to or in furtherance of the commission of any offence under this Act, commits an offence and is liable, on conviction, to a fine not exceeding seven million shillings or to imprisonment for a term not exceeding four years, or to both.
43.
(1) Where any offence under this Act has been Offences by a committed by a body corporate body corporate and limitation of (a) the body corporate is liable, on conviction, to a liability.
fine not exceeding fifty million shillings; and (b) every person who at the time of the commission of the offence was a principal officer of the body corporate, or anyone acting in a similar capacity, is also deemed to have committed the offence, unless they prove the offence was committed without their consent or knowledge and that they exercised such diligence to prevent the commission of the offence as they ought to have exercised having regard to the nature of their functions and to prevailing circumstances, and is liable, on conviction, to a fine not exceeding five million shillings or imprisonment for a term not exceeding three years, or to both.
(2) If the affairs of the body corporate are managed by its members, subsection (1) (b) applies in relation to the acts or defaults of a member in connection with their management functions, as if the member was a principal officer of the body corporate or was acting in a similar capacity.
44.
Confiscation or (1) A court may order the confiscation or forfeiture forfeiture of of monies, proceeds, properties and assets purchased or assets.
obtained by a person with proceeds derived from or in the commission of an offence under this Act.
67 2018 Computer Misuse and Cybercrimes No.
5 (2) The court may, on conviction of a person for any this Act make an order of restitution of any offence lip asset gained from the commission of the offence, in accordance with the provisions and procedures of the Proceeds of Crime and Anti-Money Laundering Act, 2009.
No.
9 of 2009.
45.
(1) Where the court convicts a person for any Compensation offence under this Part, or for an offence under any other order.
law committed through the use of a computer system, the court may make an order for the payment by that person of a sum to be fixed by the court as compensation to any person for any resultant loss caused by the commission of the offence for which the sentence is passed.
(2) Any claim by a person for damages sustained by reason of any offence committed under this Part is deemed to have been satisfied to the extent of any amount which they have been paid under an order for compensation, but the order shall not prejudice any right to a civil remedy for the recovery of damages beyond the amount of compensation paid under the order.
(3) An order of compensation under this section is recoverable as a civil debt.
46.
(1) A person who commits an offence under any Additional penalty other law through the use of a computer system commits an for other offences committed offence and shall be liable on conviction to a penalty through use of a similar to the penalty provided under that law.
computer system.
(2) A Court shall, in determining whether to sentence a person convicted of an offence under this section, consider (a) the manner in which the use of a computer system enhanced the impact of the offence; (b) whether the offence resulted in a commercial advantage or financial gain; (c) the value involved, whether of the consequential loss or damage caused, or the profit gained from commission of the offence through the use of a computer system; (d) whether there was a breach of trust or responsibility; (e) the number of victims or persons affected by the offence; 68 Computer Misuse and Cybercrimes No.
5 2018 (f) the conduct of the accused; and (g) any other matter that the court deems fit to consider.
PART IV INVESTIGATION PROCEDURES 47.
(1) All powers and procedures under this Act are Scope of applicable to and may be exercised with respect to any procedural provisions.
(a) criminal offences provided under this Act; (b) other criminal offences committed by means of a computer system established under any other law; and (c) the collection of evidence in electronic form of a criminal offence under this Act or any other law.
(2) In any proceedings related to any offence, under any law of Kenya, the fact that evidence has been generated, transmitted or seized from, or identified in a search of a computer system, shall not of itself prevent that evidence from being presented, relied upon or admitted.
(3) The powers and procedures provided under this Part are without prejudice to the powers granted under No.28 of 2012.
(a) the National Intelligence Service Act, 2012; No.
30 of 2011.
No.
25 of 2012.
(b) the National Police Service Act, 2011; (c) the Kenya Defence Forces Act, 2012; and (d) any other relevant law.
48.
Search and seizure (1) Where a police officer or an authorised person of stored has reasonable grounds to believe that there may be in a computer data.
specified computer system or part of it, computer data storage medium, program, data, that (a) is reasonably required for the purpose of a criminal investigation or criminal proceedings which may be material as evidence; or (b) has been acquired by a person as a result of the commission of an offence, the police officer or the authorised person may apply to the court for issue of a warrant to enter any premises to access, search and similarly seize such data.
69 Computer Misuse and Cybercrimes No.
5 2018 (2) A search warrant issued under subsection (1) shall (a) identify the police officer or authorised person; direct the police officer or authorised person under (b) paragraph (a) to seize the data in question ; or (c) direct the police officer or authorised person to: (i) search any person identified in the warrant; (ii) enter and search any premises identified in the warrant; or (iii) search any person found on or at such premises.
(3) A search warrant may be issued on any day and shall be of force until it is executed or is cancelled by the issuing court.
(4) A police officer or an authorised person shall present a copy of the warrant to a person against whom it is issued.
A person who (5) (a) obstructs the lawful exercise of the powers under this section; compromises the integrity or confidentiality of a (b) computer system, data, or information accessed or retained under this section; or (c) misuses the powers granted under this section, commits an offence and is liable on conviction to a fine not exceeding five million shillings or to a term of imprisonment not exceeding three years or to both.
49.
(1) Where a computer system or data has been Record of and removed or rendered inaccessible, following a search or a access to seized seizure under section 48, the person who made the search data.
shall, at the time of the search or as soon as practicable after the search (a) make a list of what has been seized or rendered inaccessible, and shall specify the date and time of seizure; and provide a copy of the list to the occupier of the (b) premises or the person in control of the computer system referred to under paragraph (a).
70 No.
5 Computer Misuse and Cybercrimes 2018 (2) Subject to subsection (3), a police officer or an authorised person shall, on request, permit a person who (a) had the custody or control of the computer system; (b) has a right to any data or information seized or secured; or (c) has been acting on behalf of a person under subsection (1)(a) or (b), to access and copy computer data on the system or give the person a copy of the computer data.
(3) The police officer or authorised person may refuse to give access or provide copies under subsection (2), if they have reasonable grounds for believing that giving the access or providing the copies, may (a) constitute a criminal offence; or (b) prejudice (i) the investigation in connection with the search that was carried out; (ii) an ongoing investigation; or (iii) any criminal proceeding that is pending or that may be brought in relation to any of those investigations.
(4) Despite subsection (3), a court may, on reasonable grounds being disclosed, allow a person who has qualified under subsection (2) (a) or (b) (a) access and copy computer data on the system; or (b) obtain a copy of the computer data.
50.
Production order.
(1) Where a police officer or an authorised person has reasonable grounds to believe that (a) specified data stored in a computer system or a computer data storage medium is in the possession or control of a person in its territory; and (b) specified subscriber information relating to services offered by a service provider in Kenya are in that service provider's possession or control and is necessary or desirable for the purposes of the investigation, the police officer or the authorised person may apply to court for an order.
71 2018 Computer Misuse and Cybercrimes No.
5 (2) The Court shall issue an order directing a specified person to submit specified computer (a) data that is in that person's possession or control, and is stored in a computer system or a computer data storage medium; or a specified service provider offering its services in (b) Kenya to submit subscriber information relating to such services in that service provider's possession or control.
(1) Where a police officer or an authorised person Expedited 51.
preservation and has reasonable grounds to believe that partial disclosure (a) any specified traffic data stored in any computer of traffic data.
system or computer data storage medium or by means of a computer system is reasonably required for the purposes of a criminal investigation; and (b) there is a risk or vulnerability that the traffic data may be modified, lost, destroyed or rendered inaccessible, the police officer or an authorised person shall serve a notice on the person who is in possession or control of the computer system, requiring the person to (i) undertake expeditious preservation of such available traffic data regardless of whether one or more service providers were involved in the transmission of that communication; or (ii) disclose sufficient traffic data concerning any communication in order to identify the service providers and the path through which communication was transmitted.
The data specified in the notice shall be preserved (2) and its integrity shall be maintained for a period not exceeding thirty days.
(3) The period of preservation and maintenance of integrity may be extended for a period exceeding thirty days if, on an application by the police officer or authorised person, the court is satisfied that (a) an extension of preservation is reasonably required for the purposes of an investigation or prosecution; (b) there is a risk or vulnerability that the traffic data may be modified, lost, destroyed or rendered inaccessible; and 72 No.
5 Computer Misuse and Cybercrimes 2018 (c) the cost of the preservation is not overly burdensome on the person in control of the computer system.
(4) The person in possession or control of the computer system shall be responsible to preserve the data specified (a) for the period of notice for preservation and maintenance of integrity or for any extension thereof permitted by the court; and (b) for the period of the preservation to keep confidential any preservation ordered under this section.
(5) Where the person in possession or control of the computer system is a service provider, the service provider shall be required to (a) respond expeditiously to a request for assistance, whether to facilitate requests for police assistance, or mutual assistance requests; and (b) disclose as soon as practicable, a sufficient amount of the non-content data to enable a police officer or an authorised person to identify any other telecommunications providers involved in the transmission of the communication.
(6) The powers of the police officer or an authorised person under subsection (1) shall apply whether there is one or more service providers involved in the transmission of communication which is subject to exercise of powers under this section.
52.
Real-time (1) Where a police officer or an authorised person collection of has reasonable grounds to believe that traffic data traffic data.
associated with specified communications and related to the person under investigation is required for the purposes of a specific criminal investigation, the police officer or authorised person may apply to the court for an order to (a) permit the police officer or authorised person to collect or record through the application of technical means traffic data, in real-time; (b) compel a service provider, within its existing technical capability 73 2018 Computer Misuse and Cybercrimes No.
5 (i) to collect or record through application of technical means traffic data in real time; or (ii) to cooperate and assist a police officer or an authorised person in the collection or recording of traffic data, in real-time, associated with specified communications in its jurisdiction transmitted by means of a computer system.
(2) In making an application under subsection (1), the police officer or an authorised person shall state the grounds they believe the traffic data (a) sought is available with the person in control of the computer system; identify and explain, the type of traffic data (b) suspected to be found on such computer system; identify and explain the subscribers, users or (c) unique identifier the subject of an investigation or prosecution suspected as may be found on such computer system; identify and explain the offences identified in (d) respect of which the warrant is sought; and (e) explain the measures to be taken to prepare and ensure that the traffic data shall be sought (i) while maintaining the privacy of other users, customers and third parties; and without the disclosure of data to any party not (ii) part of the investigation.
(3) Where the court is satisfied with the explanations provided under subsection (2), the court shall issue the order provided for under subsection (1).
(4) For purposes of subsection (1), real-time collection or recording of traffic data shall be ordered for a period not exceeding six months.
(5) The court may authorize an extension of time under subsection (4), if it is satisfied that (a) such extension of real-time collection or recording of traffic data is reasonably required for the purposes of an investigation or prosecution; 74 No.
5 Computer Misuse and Cybercrimes 2018 (b) the extent of real-time collection or recording of traffic data is commensurate, proportionate and necessary for the purposes of investigation or prosecution; (c) despite prior authorisation for real-time collection or recording of traffic data, additional real-time collection or recording of traffic data is necessary and needed to achieve the purpose for which the warrant is to be issued; (d) measures taken to prepare and ensure that the real- time collection or recording of traffic data is carried out while maintaining the privacy of other users, customers and third parties and without the disclosure of information and data of any party not part of the investigation; (e) the investigation may be frustrated or seriously prejudiced unless the real-time collection or recording of traffic data is permitted; and (0 the cost of such preservation is not overly burdensome upon the person in control of the computer system.
(6) A court may, in addition to the requirement specified under subsection (3) require the service provider to keep confidential the order and execution of any power provided under this section.
(7) A service provider who fails to comply with an order under this section commits an offence and is liable on conviction (a) where the service provider is a corporation, to a fine not exceeding ten million shillings; or (b) in case of a principal officer of the service provider, to a fine not exceeding five million shillings or to imprisonment for a term not exceeding three years, or to both.
53.
(1) Where a Interception of police officer or an authorised person content data.
has reasonable grounds to believe that the content of any specifically identified electronic communications is required for the purposes of a specific investigation in respect of an offence, the police officer or authorised person may apply to the court for an order to 75 2018 Computer Misuse and Cybercrimes No.
5 (a) permit the police officer or authorised person to colleci or record through the application of technical means; (b) compel a service provider, within its existing technical capability (i) to collect or record through the application of technical means; or to co-operate and assist the competent (ii) authorities in the collection or recording of, content data, in real-time, of specified communications within the jurisdiction transmitted by means of a computer system.
(2) In making an application under subsection (1), the police officer or an authorised person shall (a) state the reasons he believes the content data being sought is in possession of the person in control of the computer system; (b) identify and state the type of content data suspected to be found on such computer system; (c) identify and state the offence in respect of which the warrant is sought; (d) state if they have authority to seek real-time collection or recording on more than one occasion is needed, and shall specify the additional number of disclosures needed to achieve the purpose for which the warrant is to be issued; (e) explain measures to be taken to prepare and ensure that the real-time collection or recording is carried out (i) while maintaining the privacy of other users, customers and third parties; and (ii) without the disclosure of information and data of any party not part of the investigation; (f) state how the investigation may be frustrated or seriously prejudiced unless the real time collection or recording is permitted; and (g) state the manner in which they shall achieve the objective of the warrant, real time collection or 76 No.
5 Computer Misuse and Cybercrimes 2018 recording by the person in control of the computer system where necessary.
(3) Where the court is satisfied with the grounds provided under subsection (2), the court shall issue the order applied for under subsection (1).
(4) For purposes of subsection (1), the real-time collection or recording of content data shall not be ordered for a period that exceeds the period that is necessary for the collection thereof and in any event not for more than a period of nine months.
(5) The period of real-time collection or recording of content data may be extended for such period as the court may consider necessary where the court is satisfied that (a) such extension of real-time collection or recording of content data is required for the purposes of an investigation or prosecution; (b) the extent of real-time collection or recording of content data is proportionate and necessary for the purposes of investigation or prosecution; (c) despite prior authorisation for real-time collection or recording of content data, further real-time collection or recording of content data is necessary to achieve the purpose for which the warrant is to be issued; (d) measures shall be taken to prepare and ensure that the real-time collection or recording of content data is carried out while maintaining the privacy of other users, customers and third parties and without the disclosure of information and data of any party not part of the investigation; (e) the investigation may be frustrated or seriously prejudiced unless the real-time collection or recording of content data is permitted; and (f) the cost of such real-time recording and collection is not overly burdensome upon the person in control of the computer system.
(6) The court may also require the service provider to keep confidential the order and execution of any power provided for under this section.
77 2018 Computer Misuse and Cybercrimes No.
5 (7) A service provider who fails to comply with an order under this section commits an offence and is liable, on conviction where the service provider is a corporation, to a (a) fine not exceeding ten million shillings; in case of an officer of the service provider, to a (b) fine not exceeding five million shillings or to imprisonment for a term not exceeding three years, or to both.
(1) A person who obstructs the lawful exercise of Obstruction and 54.
misuse of power.
the powers under this Part, including destruction of data, or fails to comply with the requirements of this Part is liable, on conviction, to a fine not exceeding five million shillings or to imprisonment for a term not exceeding three years, or to both.
(2) A police officer or an authorised person who misuses the exercise of powers under this Part commits an offence and is liable, on conviction, to a fine not exceeding five million shillings or to imprisonment for a term not both.
exceeding three years, or to 55.
Any person aggrieved by any decision or order of Appeal.
the Court made under this Part, may appeal to the High Court or Court of Appeal as the case may be within thirty order.
days from the date of the decision or (1) A service provider shall not be subject to any Confidentiality 56.
and limitation of civil or criminal liability, unless it is established that the liability.
service provider had actual notice, actual knoWledge, or inifAt, ,apd, not merely through n willful and malicioaa omission or failure to act, had thereby facilitated, aided or fitiiiiY 13eiC6f4 y ithiliAtter system l abetted the ukP controlled or managed by a service provider in connection with a contravealeamf thin Actetanylotheirl written law.
-able under this A service provider shirhof hell (2) Act or any other law for maintaining and making available the provision of their service.
A service provider shall not be liable under this (3) Act or any other law for the disclosure of any data or other information that the service provider discloses only to the extent required under this Act or in compliance with the exercise of powers under this Part.
78 No.
5 Computer Misuse and Cybercrimes 2018 PART V INTERNATIONAL CO-OPERATION 57.
(1) This Part shall apply in addition to the Mutual General principles Legal Assistance Act, 2011 and the Extradition relating to international co- (Contiguous and Foreign Countries) Act.
operation.
No.
36 of 2011.
(2) Thr Central Authority rmay make a request for cap.
6 mutual legal assistance in any criminal matter to a requested State for purposes of (a) undertaking investigations or proceedings concerning offences related to computer systems, electronic communications or data; (b) collecting evidence of an offence in electronic form; or (c) obtaining expeditious preservation and disclosure of traffic data, real-time collection of traffic data associated with specified communications or interception of content data or any other means, power, function or provisions under this Act.
(3) A requesting State may make a request for mutual legal assistance to the Central Authority in any criminal matter, for the purposes provided in subsection (2).
(4) Where a request has been received under No.
36 of 2011.
subsection (3), the Central Authority may, subject to the Cap.
76.
provisions of the Mutual Legal Assistance Act, 2011, the Extradition (Contiguous and Foreign Countries) Act, this Act and any other refevant law (a) grant the legal assistance requested; or (b) refuse to grant the legal assistance requested.
(5) The Central Authority may require a requested State to (a) keep the contents, any information and material provided in a confidential manner; (b) only use the contents, information and material provided for the purpose of the criminal matter specified in the request; and (c) use it subject to other specified ciondid.
58.
(1) The Central Authority may, su and any other relevant law, without prior b 79 2018 Computer Misuse and Cybercrimes No.
5 to a foreign State information obtained within the framework of its own investigations when it considers that the disclosure of such information might assist the foreign State in initiating or carrying out investigations or proceedings concerning criminal offences or might lead to a request for co-operation by the foreign State under this Act.
Prior to providing the information under subsection (2) (1), the Central Authority may request that such information be kept confidential or only subject to other specified conditions.
(3) Where a foreign State cannot comply with the specified conditions specified under subsection (2), the State shall notify the Central Authority as soon as practicable.
Upon receipt of a notice under subsection (3), the (4) Central Authority may determine whether to provide such information or not.
(5) Where the foreign State accepts the information subject to the conditions specified by the Central Authority, that State shall be bound by them.
59.
(1) Subject to section 57, a requesting State which Expedited has the intention to make a request for mutual legal preservation of stored computer assistance for the search or similar access, seizure or data.
similar securing or the disclosure of data, may request the Central Authority to obtain the expeditious preservation of data stored by means of a computer system, located within the territory of Kenya.
(2) When making a request under subsection (1), the requesting State shall specify the authority seeking the preservation; (a) the offence that is the subject of a criminal (b) investigation or proceedings and a brief summary of the related facts; (c) the stored computer data to be preserved and its connection to the offence; (d) any available information identifying the custodian of the stored computer data or the location of the computer system; 80 No.
5 Computer Misuse and Cybercrimes 2018 (e) the necessity of the preservation; and (f) the intention to submit a request for mutual assistance for the search or similar access, seizure or similar securing or the disclosure of the stored computer data.
(3) Upon receiving the request under this section, the Central Authority shall take the appropriate measures to preserve the specified data in accordance with the procedures and powers provided under this Act and any other relevant law.
(4) A preservation of stored computer data effected under this section, shall be for a period of not less one hundred and twenty days, in order to enable the requesting State to submit a request for the search or access, seizure or securing, or the disclosure of the data.
(5) Upon receipt for a request under this section, the data shall continue to be preserved pending the final decision being made with regard to that request.
60.
Where during the course of executing a request Expedited under section 57 with respect to a specified communication, disclosure of preserved traffic the investigating agency discovers that a service provider in data.
another State was involved in the transmission of the communication, the Central Authority shall expeditiously disclose to the requesting State a sufficient amount of traffic data to identify that service provider and the path through which the communication was transmitted.
61.
(1) Subject to section 57, a requesting State may Mutual assistance request the Central Authority to search or similarly access, regarding accessing of seize or similarly secure, and disclose data stored by means stored computer of a computer system located within the territory of Kenya, data.
including data that has been preserved in accordance with section 60.
(2) When making a request under subsection (1), the requesting State shall (a) give the name of the authority conducting the investigation or proceedings to which the request relates; (b) give a description of the nature of the criminal matter and a statement setting-out a summary of the relevant facts and laws; 81 Computer Misuse and Cybercrimes 2018 No.
5 give a description of the purpose of the request and (c) of the nature of the assistance being sought; in the case of a request to restrain or confiscate (d) assets believed on reasonable grounds to be located in the requested State, give details of the offence in question, particulars of the investigation or proceeding commenced in respect of the offence, and be accompanied by a copy of any relevant restraining or confiscation order; give details of any procedure that the requesting (e) State wishes to be followed by the requested State in giving effect to the request, particularly in the case of a request to take evidence; (0 include a statement setting out any wishes of the requesting State concerning any confidentiality relating to the request and the reasons for those wishes; give details of the period within which the (g) requesting State wishes the request to be complied with; where applicable, give details of the property, (h) computer, computer system or electronic device to be traced, restrained, seized or confiscated, and of the grounds for believing that the property is believed to be in the requested State; (i) give details of the stored computer data, data or program to be seized and its relationship to the offence; (j) give any available information identifying the custodian of the stored computer data or the location of the computer, computer system or electronic device; include an agreement on the question of the (k) payment of the damages or costs of fulfilling the request; and (1) give any other information that may assist in giving effect to the request.
(3) Upon receiving the request under this section, the Central Authority shall take all appropriate measures to 82 No.
5 Computer Misuse and Cybercrimes 2018 obtain necessary authorisation including any warrants to execute upon the request in accordance with the procedures and powers provided under this Act and any other relevant law.
(4) Where the Central Authority obtains the necessary authorisation in accordance with subsection (3), including any warrants to execute the request, the Central Authority may seek the support and cooperation of the requesting State during such search and seizure.
(5) Upon conducting the search and seizure request, the Central Authority shall, subject to section 59, provide the results of the search and seizure as well as electronic or physical evidence seized to the requesting State.
62.
A police officer or authorised person may, subject Trans-border to any applicable provisions of this Act access to stored computer data (a) access publicly available stored computer data, with consent or where publicly regardless of where the data is located available.
geographically; or (b) access or receive, through a computer system in Kenya, stored computer data located in another territory, if such police officer or authorised person obtains the lawful and voluntary consent of the person who has the lawful authority to disclose the data through that computer system.
63.
(1) Subject to section 57, a requesting State may Mutual assistance request the Central Authority to provide assistance in real- in the real-time collection of time collection of traffic data associated with specified traffic data.
communications in Kenya transmitted by means of a computer system.
(2) When making a request under subsection (1), the requesting State shall specify (a) the authority seeking the use of powers under this section; (b) the offence that is the subject of a criminal investigation or proceedings and a brief summary of the related facts; (c) the name of the authority with access to the relevant traffic data; 83 2018 Computer Misuse and Cybercrimes No.
5 the location at which the traffic data may be held; (d) the intended purpose for the required traffic data; (e) (1) sufficient information to identify the traffic data; any further details relevant to the traffic data; (g) the necessity for use of powers under this section; (h) and (i) the terms for the use and disclosure of the traffic data to third parties.
(3) Upon receiving the request under this section, the Central Authority shall take all appropriate measures to obtain necessary authorisation including any warrants to execute upon the request in accordance with the procedures and powers provided under this Act and any other relevant law.
(4) Where the Central Authority obtains the necessary authorisation including any warrants to execute upon the request, the Central Authority may seek the support and cooperation of the requesting State during the search and seizure.
(5) Upon conducting the measures under this section the Central Authority shall, subject to section 57, provide the results of such measures as well as real-time collection of traffic data associated with specified communications to the requesting State.
64.
(1) Subject to section 57, a requesting State may Mutual assistance request the Central Authority to provide assistance in the regarding the interception of real-time collection or recording of content data of content data.
specified communications in the territory of Kenya transmitted by means of a computer system.
(2) When making a request under subsection (1), a requesting State shall specify (a) the authority seeking the use of powers under this section; (b) the offence that is the subject of a criminal investigation or proceedings and a brief summary of the related facts; (c) the name of the authority with access to the relevant communication; 84 Computer Misuse and Cybercrimes No.
5 2018 (d) the location at which or nature of the communication; (e) the intended purpose for the required communication; (f) sufficient information to identify communications; the (g) details of the data of the relevant interception; (h) the recipient of the communication; (i) the intended duration for the use of the communication; (j) the necessity for use of powers under this section; and (k) the terms for the use and disclosure of the communication to third parties.
(3) Upon receiving the request under this section, the Central Authority shall, take all appropriate measures to obtain necessary authorisation including any warrants to execute upon the request in accordance with the procedures and powers provided under this Act and any other relevant law.
(4) Where the Central Authority obtains the necessary authorisation, including any warrants to execute upon the request, the Central Authority may seek the support and cooperation of the requesting State during the search and seizure.
(5) Upon conducting the measures under this section the Central Authority shall subject to section 57, provide the results of such measures as well as real-time collection or recording of content data of specified communications to the requesting State.
65.
(1) The Central Authority shall ensure that the Point of contact.
investigation agency responsible for investigating cybercrime, shall designate a point of contact available on a twenty-four hour, seven-day-a-week basis, in order to ensure the provision of immediate assistance for the purpose of investigations or proceedings concerning criminal offences related to computer systems and data, or for the collection of evidence in electronic form of a criminal offence, including carrying out the following measures 85 2018 Computer Misuse and Cybercrimes No.
5 (a) the provision of technical advice; (b) the preservation of data pursuant to sections 59 and 60; (c) the collection of evidence, the provision of legal information, and locating of suspects, within expeditious timelines to be defined by regulations under this Act.
(2) The point of contact shall be resourced with and possess the requisite capacity to securely and efficiently carry out communications with other points of contact in other territories, on an expedited basis.
The point of contact shall have the authority and be (3) empowered to coordinate and enable access to international mutual assistance under this Act.
PART VIGENERAL PROVISIONS 66.
(1) Any court of competent jurisdiction shall try Territorial any offence under this Act where the act or omission jurisdiction.
constituting the offence is committed in Kenya.
(2) For the purposes of subsection (1), an act or omission committed outside Kenya which would if committed in Kenya constitute an offence under this Act is deemed to have been committed in Kenya if (a) the person committing the act or omission is (i) a citizen of Kenya; or ordinarily resident in Kenya; and (ii) (b) the act or omission is committed (i) against a citizen of Kenya; (ii) against property belonging to the Government of Kenya outside Kenya; or (iii) to compel the Government of Kenya to do or refrain from doing any act; or (c) the person who commits the act or omission is, after its commission or omission, present in Kenya.
67.
The court before which a person is convicted of Forfeiture.
any offence may, in addition to any other penalty imposed, order the forfeiture of any apparatus, device or thing to the 86 No.
5 Computer Misuse and Cybercrimes 2018 Authority which is the subject matter of the offence or is used in connection with the commission of the offence.
68.
Prevailing Clause.
Whenever there is a conflict between this Act and any other law regarding cybercrimes, the provisions of this Act shall supersede any such other law.
69.
The laws specified in the first column of the Consequential Schedule are amended, in the provisions specified in the Amendments.
second column thereof, in the manner respectively Cap 411A.
specified in the third column.
PART VIIPROVISIONS ON DELEGATED POWERS 70.
(1) The Cabinet Secretary may make regulations Regulations.
generally for the better carrying into effect of any provisions under this Act.
(2) Without prejudice to the foregoing, regulations made under this section may provide for (a) designation of computer systems, networks, programs, data as national critical information infrastructure; (b) protection, preservation and management of critical information infrastructure; (c) access to, transfer and control of data in any critical information infrastructure; (d) storage and archiving information; of critical data or (e) audit and inspection of information infrastructure national critical Cap 2, (f) recovery plans in the event of disaster, breach No.
23 of 2013 or loss of national critical information infrastructure or any part of it; standard operating procedures for the conduct, (g) search, seizure and collection of electronic evidence; and (h) mutual legal assistance.
(3) For the purposes of Article 94 (6) of the Constitution (a) the purpose and objective of delegation under this section is to enable the Cabinet Secretary to make 87 2018 Computer Misuse and Cybercrimes No.
5 regulations to provide for the better carrying into effect of the provisions of this Act and to enable the Authority to discharge its functions more effectively; (b) the authority of the Cabinet Secretary to make regulations under this Act will be limited to bringing into effect the provisions of this Act and to fulfil the objectives specified under this section; (c) the principles and standards applicable to the regulations made under this section are those set out in the Interpretation and General Provisions Act and the Statutory Instruments Act, 2013.
88 Computer Misuse and Cybercrimes No.
5 2018 SCHEDULE (s.69) Written law Provision Amendment Kenya Information 83U Repeal and Communication Act,1998 83V Repeal 83W Repeal 83X Repeal 83Z Repeal 84A Repeal 84B Repeal 84F Repeal Sexual Offences Act, 16 Delete and replace with the 2011 following section Child pornography 16.
(1) A person, including a juristic person, who knowingly (a) possesses an indecent photograph of a child; (b) displays, shows, exposes or exhibits obscene images, words or sounds by means of print, audio-visual or any other media to a child with intention of encouraging or enabling a child to engage in a sexual act; (c) sells, lets to hire, distributes, publicly exhibits or in any manner puts into circulation, or for purposes of sale, hire, distribution, public exhibition circulation, or makes, produces or has in his or her possession an indecent photograph of a child; (d) imports, exports or conveys any obscene object for any of the purposes specified in 89 2018 Computer Misuse and Cybercrimes No.
5 Provision Amendment Written law subsection (1), or knowingly or having reason to believe that such object will be sold, let to hire, distributed or publicly exhibited or in any manner put into circulation; (e) takes part in or receives profits from any business in the course of which he or she knows or has reason to believe that obscene objects are, for any of the purposes specifically in this section, made, produced, purchased, kept, imported, exported, conveyed, publicly exhibited or in any manner put into circulation; (f) advertises or makes known by any means whatsoever that any person is engaged or is ready to engage in any act which is an offence under this section, or that any such obscene object can be produced from or through any person; or offers or attempts to do any (g) act which is an offence under this section, commits an offence and is liable upon conviction to imprisonment for a term of not less than six years or to a fine of not less than five hundred thousand shillings or to both and upon subsequent conviction, to imprisonment to a term of not less than seven years without the option of a fine.
90 Computer Misuse and Cybercrimes No.
5 2018 Written law Provision Amendment to (2) This section shall not apply (a) publication or possession of an indecent photograph where it is proved that such publication or possession was intended for bona fide scientific research, medical, religious or law enforcement purpose; the indecent representation of a child in a sculpture, engraving, painting or other medium on or in any ancient monument recognised by law; and (b) activities between two persons above eighteen years of age by mutual consent.
(3) For the purposes of subsection (1), (a) an image is obscene if (i) it is lascivious or appeals to prurient interest; or (ii) its effect, or where it comprises two or more distinct items, the effect of any one of its items, if taken as a whole, tends to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it.
(b) an indecent photograph includes a visual, audio or 91 2018 Computer Misuse and Cybercrimes No.
5 Provision Amendment Written law audio visual representation depicting (i) a child engaged in explicit sexually conduct; a person who appears to (ii) be a child engaged in explicit sexually conduct; or realistic images representing a child engaged in sexual activity.
New Insert a new section immediately after section 16 as follows Sexual communication with a child 16A.
(1) A person of eighteen years and above who knowingly communicates with a child in (i) a sexual manner; or a manner intended to (ii) encourage the child to communicate in a sexual manner, commits an offence and is liable, on conviction, to a fine of not less than five hundred thousand shillings or imprisonment for a term of not less than five years, or to both.
(2) For the purposes of this section, a communication is sexual if any part of it relates to (a) sexual activity, or (b) a reasonable person would consider any part of the communication to be sexual.
.
Frequently asked questions
What is M-Wakili?
Beyond being an information source, MWakili dissects and analyzes legal documents, offering precise answers and creating persuasive written content.
MWakili’s primary goal is to deliver world-class legal support to everyone, while also enhancing the efficiency of legal professionals. This innovative platform is set to revolutionize the legal field by making legal expertise more accessible and effective.
Will I get immediate answers to my legal questions 24/7?
How does M-Wakili work?
Is M-Wakili accurate?
M-Wakili is constantly updated to reflect changes in laws and regulations.
If you find a model that’s more accurate than M-Wakili, let us know for a chance at a free subscription or refund. (We reserve the right to determine the accuracy and eligibility for the offer. Terms and conditions apply.)
Who can use M-Wakili?
How can I access M-Wakili?
Is M-Wakili a substitute for a human lawyer?
Fun fact: Most of our paying users are lawyers! They use M-Wakili for legal research and analysis.
Is AI going to replace lawyers?
In fact, most of our paying users are lawyers! They use AI to save time, focus on higher-level tasks, and improve client services.
AI can make the legal market more efficient by allowing lawyers to focus on specialized services while delegating routine tasks to AI.
Is my data secure with M-Wakili?
Can M-Wakili represent me in court?
Do I need to pay for M-Wakili services?
How can M-Wakili help law students?
What does "HHH" mean?
- Helpful: M-Wakili genuinely aims to assist the user.
- Honest: M-Wakili provides information it believes to be true and avoids misinformation.
- Harmless: M-Wakili will not aid harmful activities or lead users into harm's way.