In George Orwells book ‘1984’ ,’Big Brother’ is a fictional character, an enigmatic dictator of a totalitarian state. The society is constantly under surveillance by the authorities (mainly by telescreens) and the people are constantly reminded of this by the phrase “Big Brother is watching you” a core truth of the states propaganda. Big Brother is now used commonly as a synonym of governmental abuse of power particularly when aimed at surveillance and civil liberties.
The Communications Commission of Kenya (CCK) announcement on Monday the 19th of March that it was going to monitor internet traffic was met with outrage from civil liberty groups and individuals. The proposal to start monitoring by July this year meant to some of us more technically minded people that the process had to already be underway, implying that the announcement was more of a fait accompli than an issue for debate. But debate is exactly what an implementation like this needs. Logging everyones emails and surfing habits calls the entire nations rights to privacy into question. Its the thick end of the wedge.
What Why and How?
The CCK may have already started installing the software on ISP (Internet Service Provider) servers. The software, called NEWS (Network Early Warning System) monitors and records all incoming and outgoing traffic on the ISP server system, so everyone who uses the service whether its for emails, messaging, Skype or surfing will have their activity recorded.
The KCC state that the reason for this process is to detect and speed up the response to potential cyber threats, saying that in the last year at least 2000 Kenya websites had been attacked.
The software itself is known as a Packet Analyzer or ‘Sniffer’ and is commonly used for detecting network problems, intrusions, misuse and spying. When applied to a high use network such as an ISP the software requires considerable resources in terms of processing and memory so would require additional hardware or run the risk of slowing the system down. The budget quoted by CCK of $425,000 to achieve the programme seems to us to be woefully low when viewed against national security.
The ISP’s themselves are up in arms against the system saying that they can see an avalanche of legal suits against them from customers, and one unnamed operator said “We don’t understand how such a system would work without infringing on the privacy of our clients…”
Can we all sleep easy?…We think not..!
The information captured by the NEWS software will be the sole responsibility of CCK (notice the CCK is a Commission and not an Authority..)…so nothing to worry about here….!
This information which basically comprises the entire nations internet habits is of enormous value to commerce, the security forces, politicians and hackers, and given that Kenya does not have a data protection act (yet) will certainly become a target for misuse.
Your passwords, credit card details, names, addresses, personal photos, affairs and naughty surfing habits will all be neatly packaged onto a array of hard drives at the CCK, just waiting for some unscrupulous villain to either hack or bribe his way in.
Do we have faith enough in the CCK’s technical abilities to make this process totally secure and workable?, well at least one person doubts it..
What happened to the New Constitution?
Apart from the outrageous infringements on personal privacy that could possibly result from the design or malpractice of the system, what consideration has been given to our New Constitution? It seems the answer is ‘not a lot’, the CCK appear to be oblivious to these two articles which contradict their directive.
Articles 31 and 34 clearly state our rights as citizens:
31. Every person has the right to privacy, which includes the right not to have—
(a) their person, home or property searched;
(b) their possessions seized;
(c) information relating to their family or private affairs unnecessarily required or revealed; or
(d) the privacy of their communications infringed.
34. (1) Freedom and independence of electronic, print and all other types of media is guaranteed, but does not extend to any expression specified in Article 33 (2).
(2) The State shall not—
(a) exercise control over or interfere with any person engaged in broadcasting, the production or circulation of any publication or the dissemination of information by any medium; or
(b) penalise any person for any opinion or view or the content of any broadcast, publication or dissemination.
(3) Broadcasting and other electronic media have freedom of establishment, subject only to licensing procedures that—
(a) are necessary to regulate the airwaves and other forms of signal distribution; and
(b) are independent of control by government, political interests or commercial interests.
(4) All State-owned media shall—
(a) be free to determine independently the editorial content of their broadcasts or other communications;
(b) be impartial; and
(c) afford fair opportunity for the presentation of divergent
(5) Parliament shall enact legislation that provides for the establishment of a body, which shall—
(a) be independent of control by government, political interests or commercial interests;
views and dissenting opinions.
(b) reflect the interests of all sections of the society; and
(c) set media standards and regulate and monitor compliance
with those standards.
Article 33 (2) refers to:
- The right to freedom of expression does not extend to—
- propaganda for war;
(b) incitement to violence;
(c) hate speech; or
(d) advocacy of hatred that—
(i) constitutes ethnic incitement, vilification of others or (ii) is based on any ground of discrimination specified or contemplated in Article 27 (4).
The CCK had banked on the Kenya Information and Communications Act which allows for a national cyber security framework. Director General of CCK Francis Wangusi insists that the system will only be used to target potential cyber threats, so would appear to be working within the Act.
However the system employed can only find those threats by ‘sniffing’ all of the incoming and outgoing traffic, it finds the targets by looking everywhere. And as lawyer Paul Muite points out “I’m sure the CCK has lawyers who understand that all laws are subject to the Constitution and that any law such as the Kenya Information and Communication Act that contradicts the Constitution is null and void to the extent of that contradiction”
If the Information and Communications Act is indeed ‘null and void’ in the relevant parts then Mr Wangusi’s argument falls, and the project should be scrapped.
Is there a remedy?
Paul Muite also suggests a remedy for the CCK, one which is currently in use by most western governments. If the CCK want to crack down on operators whose networks are being used in a manner which compromises national security then the legal way to do so would be to seek a court order that gives it access.
In other words target the problem where the problem is known to exist, (rather than looking everywhere in the hope of finding a problem).
If the project is implemented what can we do as users?
In terms of personal surfing security and the possible breaches which may arise if the CCK’s plan is implemented we would suggest everyone looks into the use of VPN’s, Proxy servers, and encryption. It won’t protect you against a court order if you are up to no good, but it will make your data more secure from casual prying eyes.
As we have said before, opening up Kenya’s internet with high speed broadband would inevitably see a rise in cyber crime, the CCK have sought a way to tackle this, but to us it seems like a sledgehammer approach for what in reality is a smallish (compared to overall internet use) problem. Cybercrimes however are on the increase and we implore everyone to be vigilant. Storing masses of personal data is a dangerous act of folly on the part of the CCK, and as we have seen in other countries some of the best systems around are not immune to attack or incompetence. We are all hoping the CCK will either reverse this decision in the light of legal contentions or technically fail to implement the programme. We’ll update you in July!