UPDATED: May 2017 | SOURCE: Vodafone Group with support from Hogan Lovells
Provision of Real-time Lawful Interception Assistance
NOTE: Some of the pertinent legal frameworks have changed since this report was last updated with the passing of the Computer Misuse and Cybercrimes Act, 2018, in May 2018.
THE NATIONAL INTELLIGENCE SERVICE ACT (ACT NO. 28 OF 2012)
The National Intelligence Service Act (Act No. 28 of 2012) (the NIS Act) allows the Director-General (the DG) of the National Intelligence Service (NIS) (pursuant to Section 36) to monitor or otherwise interfere with the privacy of a person’s communications.
The Security Laws (Amendment) Act No. 19 of 2014 (the SLA Act) amended the NIS Act by repealing the entire Part V and substituting it with a new part. Pursuant to the ‘new’ Section 42(2) where the DG has reasonable grounds to believe that a covert operation is necessary to enable the NIS to deal with any threat to national security or to perform any of its functions, the DG may, subject to any guidelines approved by the NIS Council, issue a written authorisation valid for 180 days to an officer of the NIS. No guidelines by the NIS Council in relation to the written authorisation have been issued yet.
Under Section 42(3)(a) and (b) such written authorisation is sufficient authorisation for officers of the NIS to conduct an operation and the authorisation may be served on any person required to assist the NIS or facilitate the covert operation or investigations to be undertaken.
The written authorisation may by virtue of Section 42(3)(c) authorise any member of the NIS to obtain any information, material, record, document or thing and, for that purpose, such a member may be authorised to:
a. enter any place, or obtain access to anything;
b. search for or remove or return, examine, take extracts from, make copies of or record in any other manner the information, material, record, document or thing;
c. monitor communication;
d. install, maintain or remove anything; or
e. take all necessary action, within the law, to preserve national security.
Where the written authorisation permits any of these actions, the authorisation is to be accompanied by a warrant issued by the High Court.
THE PREVENTION OF TERRORISM ACT (ACT NO. 30 OF 2012)
Section 36(1) and (2) of The Prevention of Terrorism Act (Act No. 30 of 2012) (the PT Act) allows a police officer (subject to consent from the Inspector-General or the Director of Public Prosecutions) to apply for an interception of communications order.
Section 36(3) of the PT Act allows for the issuance of an interception order that requires a communications service provider to intercept and retain a specified communication of a specified description received or transmitted or about to be received or transmitted by the communications service provider, or to authorise a police officer to enter any premises, and to install on such premises, any device for the interception and retention of a specified communication and to remove and retain such device.
The SLA Act introduced Section 36A to the PT Act which permits National Security Organs to intercept communication for the purposes of detecting, deterring and disrupting terrorism in accordance with procedures to be prescribed by the Cabinet Secretary responsible for internal security.
THE MUTUAL LEGAL ASSISTANCE ACT (CHAPTER 75A LAWS OF KENYA)
Pursuant to The Mutual Legal Assistance Act (Chapter 75A Laws of Kenya) (the MLA Act), a requesting state may make a request to Kenya for the interception and immediate transmission of telecommunications, or the interception, recording and subsequent transmission of telecommunications. Under Section 27 of the MLA Act, for the purpose of a criminal investigation, Kenya may, in accordance with the provisions of this Act and any other relevant law, execute such a request from a requesting state for the interception and immediate transmission of telecommunications, or the interception, recording and subsequent transmission of telecommunications.
Section 32(1) of the MLA Act states that a request may be made to Kenya from a requesting state for deployment of covert electronic surveillance.
KENYA INFORMATION AND COMMUNICATIONS ACT (CAP. 411A, LAWS OF KENYA)
The statutes mentioned above should be considered in the context of Section 31 of the Kenya Information and Communications Act (Chapter 411A, Laws of Kenya) (the KIC Act), which makes it an offence, punishable on conviction by a fine not exceeding 300,000 shillings, or by imprisonment for a term not exceeding three years, or by both, where a licensed telecommunications operator, otherwise than in the course of their business:
- intercepts a message sent through a licensed telecommunications system;
- discloses to any person the contents of a message intercepted; or
- discloses to any person the contents of any statement or account specifying the telecommunications services.
Section 93 of the KIC Act obliges the Communications Authority (the CA) to implement any information access and disclosure restrictions pursuant to Article 35 of the Constitution which makes access to information including information held by the state a fundamental right.
KENYA INFORMATION AND COMMUNICATIONS (CONSUMER PROTECTION) REGULATIONS, 2010
Further, Regulation 15(1) of the Kenya Information and Communications (Consumer Protection) Regulations 2010 requires that, subject to the provisions of the KIC Act or any other written law, a licensee (licensed under the KIC Act) does not monitor, disclose, or allow any person to monitor or disclose, the content of any information of any subscriber transmitted through the licensed system by listening, tapping, storage, or other kinds of interception or surveillance of communications and related data.
Section 31 of the KIC Act and Regulation 15(1) of the Kenya Information and Communications (Consumer Protection) Regulations 2010 are, however, qualified by Section 93 of the KIC Act, which allows for disclosure of information in accordance with the provisions of Article 35 of the Constitution.
Disclosure of Communications Data
KENYA INFORMATION AND COMMUNICATIONS ACT (CAP. 411A, LAWS OF KENYA) (KIC ACT)
Section 89(1) of the KIC Act provides the powers to enter and search premises, and extends to obtaining any article or thing. These powers extend to obtaining data related to customer communications. A court is permitted to grant a search warrant to enable entry of any premises and to search, examine and test any station or apparatus, or obtain any article or thing.
KENYA INFORMATION AND COMMUNICATIONS (REGISTRATION OF SUBSCRIBERS OF TELECOMMUNICATION SERVICES) REGULATIONS 2013
Regulation 10(1) prohibits the disclosure of the registration particulars of a subscriber without the subscriber’s written consent except where the information is required:
a. for the purpose of facilitating the performance of any statutory functions of the CA;
b. in connection with the investigation of any criminal offence;
c. for the purpose of any criminal proceedings; or
d. for the purpose of any civil proceedings under the KIC Act.
THE NATIONAL INTELLIGENCE SERVICE ACT (ACT NO. 28 OF 2012) (NIS ACT)
Section 42 of the NIS Act permits the DG to issue a written authorisation which may be served on any person required to assist the NIS or facilitate a covert operation or investigation. The written authorisation, accompanied by a warrant, may also permit any member of the NIS to access any place and obtain access to anything and examine, record and take copies or extracts of any information, material, record, documents or thing.
THE MUTUAL LEGAL ASSISTANCE ACT (CAP. 75A LAWS OF KENYA) (MLA ACT)
Section 28 of the MLA Act allows a requesting state to make a request for legal assistance in accordance with Kenyan law for the provision of data relating to customer communications.
THE ANTI-MONEY LAUNDERING ACT (CAP 59B)
Section 103 of the Proceeds of Crime and Anti-Money Laundering Act (Chapter 59B) authorises the police to apply for production orders where a person has been charged with, or convicted of, an offence and a police officer has reasonable grounds for suspecting that any person has possession or control of:
a. a document relevant to identifying, locating or quantifying property of the person, or to identifying or locating a document necessary for the transfer of property of such person; or
b. a document relevant to identifying, locating or quantifying tainted property in relation to the offence, or to identifying or locating a document necessary for the transfer of tainted property in relation to the offence.
The police officer may make an ex parte application with a supporting affidavit to a court for an order against the person suspected of having possession or control of a document of the kind referred to, to produce it.
National Security and Emergency Powers
THE NATIONAL INTELLIGENCE SERVICE ACT (ACT NO. 28 OF 2012) (“NIS ACT”)
As described above, pursuant to Section 42(2) of the NIS Act where the Director-General has reasonable grounds to believe that a covert operation under this Section is required to enable the NIS to investigate or deal with any threat to national security or to perform any of its functions, they may, subject to the guidelines approved by the Council, issue a written authorisation requiring any person to facilitate or assist the NIS in its investigation and, when accompanied by a warrant, to monitor or otherwise interfere with the privacy of a person’s communications to enable the investigation of any threat to national security.
THE CONSTITUTION OF KENYA 2010
Under Articles 58 and 132(4) of the Constitution, the President may declare a state of emergency, and any legislation enacted or other action taken in consequence of the declaration shall be effective only prospectively and not longer than 14 days from the date of declaration, unless the National Assembly resolves to extend the declaration. After the declaration of a state of emergency, the government would have broad powers, which could extend to a range of actions in relation to Vodafone’s network and/or customer communications.
THE PRESERVATION OF PUBLIC SAFETY (CHAPTER 57)
Section 3 of the Preservation of Public Security Act (Chapter 57) (the PPS Act) states that the President may publish a declaration under the PPS Act when it appears that such a declaration is necessary for the preservation of public security. Section 4(1) and (2) state that in such instances, the President shall have the power to make regulations for, inter alia, the censorship, control or prohibition of the communication of any information or of any means of communicating.
Oversight of the Use of Powers
The oversight role of the judiciary pursuant to the NIS Act has been further limited by the amendments to the NIS Act made by the SLA Act. With the amendments, a written authorisation by the DG is sufficient to require a person to facilitate or assist a covert operation or investigation by the NIS. As indicated above, a warrant is, however, necessary where any such written authorisation permits a member of the NIS to obtain information, monitor communication or install, maintain or remove anything.
Further, Section 65 of the NIS Act was amended by the SLA Act to provide that the National Assembly rather than the Parliament of Kenya (through the relevant committee) has oversight authority over all the workings of the NIS pursuant to Article 238(2) of the Constitution of Kenya (2010).
Regarding powers granted to the President in a state of emergency, pursuant to Article 58(5) of the Constitution of Kenya, the Supreme Court may decide on the validity of a declaration of a state of emergency, any extension of a declaration of a state of emergency and any legislation enacted, or other action taken, in consequence of a declaration of a state of emergency.
SHUT-DOWN OF NETWORK AND SERVICES
There is no clear legislation on this issue. Pursuant to Article 58 and Article 132(4) of the Constitution of Kenya, the President may declare a state of emergency. After a declaration of a state of emergency, the government has broad powers. It is feasible that such powers could extend to ordering the shut-down of Vodafone’s network and/or certain of its services. Any action or legislation taken in consequence of a declaration of a state of emergency is effective for no longer than 14 days from the date of declaration, unless the National Assembly resolves to extend the declaration.
In the recent case of Royal Media Services Limited vs. The Hon. Attorney General, The Minister of Information and Broadcasting and the Communications Commission of Kenya [Petition No. 59 of 2013 High Court of Kenya], the petitioner (a broadcasting station called Royal Media Services Limited) had its transmitters disabled and shut down by the government.
The Kenya Information and Communications (Registration of Subscribers of Telecommunication Services) Regulations 2012
Under Regulations 11 and 12 of The Kenya Information and Communications (Registration of Subscribers of Telecommunication Services) Regulations 2012, telecommunications services must be suspended with respect to subscribers who fail to register their details. Upon expiry of the 90-day suspension period, a subscriber’s individual access to the telecommunications service is deactivated.
The Preservation of Public Security Act (Chapter 57)
The President may make a declaration for the preservation of public security under Section 3 of the Preservation of Public Security Act (Chapter 57) (the PPS Act). In the period during which such a declaration is in force, the President has the power to make regulations for, inter alia, the censorship, control or prohibition of the communication of any information or of any means of communicating.
BLOCKING OF URLS & IP ADDRESSES
See Section 1 ‘Shut-down of network and services’ above. It is plausible that, were a state of emergency to be declared or a declaration for the preservation of public security be made by the President, the government might use its emergency powers to order Vodafone to block specified URLs, IP addresses or IP ranges.
POWER TO TAKE CONTROL OF VODAFONE’S NETWORK
See Section 1 ‘Shut-down of network and services’ above. It is plausible that, were a state of emergency to be declared or a declaration for the preservation of public security be made by the President, the government might use its emergency powers to take control of Vodafone’s network.
Oversight of the Use of Powers (Censorship-related)
Under Article 58(5) of the Constitution of Kenya, the Supreme Court may decide whether a declaration of a state of emergency is valid. The Supreme Court may also decide whether the extension of a declaration of a state of emergency beyond 14 days, and any legislation enacted in consequence of a declaration of a state of emergency, are valid.
Encryption and Law Enforcement Assistance
1. Does the government have the legal authority to require a telecommunications operator to decrypt communications data where the encryption in question has been applied by that operator and the operator holds the key?
Yes. The extent to which such regulations may permit National Security Organs (NSOs) to require encrypted data to be decrypted is not set out in the Act. However, it would not, in the context of modern communication, be astounding for the regulations to extend that far.
2. Does the government have the legal authority to require a telecommunications operator to decrypt data carried across its networks (as part of a telecommunications service or otherwise) where the encryption has been applied by a third party?
While there is no specific Kenyan law on investigation of electronic data protected by encryption, the powers granted to National Security Organs under the NIS Act and POTA are far-reaching.
As indicated above, under Section 42 of the NIS Act, Sections 35, 36 and 36A of the POTA and Sections 27 and 28 of the MLA, NSOs have the power to intercept communication and require cooperation by CSPs. These powers include, in the case of the NIS, the power, albeit under warrant, to obtain access to anything in the custody of a person required to assist an investigation and to take all necessary action, within the law, to preserve national security. These general powers could extend to requiring a telecommunications operator to decrypt communication transmitted through its network by an ‘over the top’ communications service provider, should the telecommunications operator have the ability to do so.
The scope of what an NSO could achieve under these powers is untested in Kenyan Courts.
However, as an indication of the general school of thought, a challenge to the constitutionality of Section 42 of the NIS Act and Section 36A of the POTA at the Constitutional and Human Rights Division of the High Court in Coalition for Reform and Democracy (CORD) & 2 others v Republic of Kenya & 10 others (2015) eKLR was defeated on the basis that the powers granted to NSOs under those sections were justified, would serve a genuine public interest and were not unduly restrictive in view of the nature of terrorism and sophistication of modern communication.
Please also note that Condition 14 of the Network Facilities Provider Tier 2 Licence No. TL/NFP/T2/00054 dated 14 September 2009 imposes a duty on the CSP to keep information obtained in the course of its business from any of its subscribers confidential. However, clause 14.3 exempts CSPs from the obligation to keep such information confidential for the purpose of law enforcement, national interest or pursuant to any law.
3. Can a telecommunications operator lawfully offer end-to-end encryption on its communications services when it cannot break that encryption and therefore could not supply a law enforcement agency with access to cleartext metadata and the content of the communication on receipt of a lawful demand?
There is no clear legislation on this aspect. Please note, however, that following the reasoning of the court in Coalition for Reform and Democracy (CORD) & 2 others v Republic of Kenya & 10 others (2015) eKLR, it would appear that the courts would likely interpret the law to err on the side of caution, more so due to the recurrence of terrorist attacks. It remains to be seen if the courts will view the obligation to assist to also extend to an obligation not to inadvertently block attempts by NSOs to access encrypted information.
In any case, note that CSPs are required to submit quarterly and annual reports to the Communications Authority of Kenya under the Kenya Information and Communications (Compliance Monitoring, Inspections and Enforcement) Regulations 2010. If the encryption service prevents the CSP from meeting its reporting or other obligations under the law and under the licence, then it is likely to be viewed as a breach of the conditions of the licence and the law.
4. Please provide examples in this jurisdiction where legislation which predated the advent of commercial encryption (which Vodafone estimates to be circa 1990) has been applied to contemporary cases involving encryption.
Kenyan law on encryption and access to encrypted data is limited. However, being a common law jurisdiction, the courts look to decisions made in other common law jurisdictions as persuasive authorities that give guidance in reaching a decision. As such, the global treatment of the obligation to decrypt data and local prevailing circumstances may influence the decision reached.
The Kenyan Judicature Act at Section 3 incorporates English Statutes of General Application passed on or before 12 August 1897 into Kenyan law, unless specifically repealed by Kenyan law, provided that the statutes only apply in so far as the circumstances of Kenya and its inhabitants permit, and subject to such qualifications as those circumstances may render necessary.