ICT lawyer Stephen Kiptniess said that such legal provisions would enable the government to monitor the emails for security reasons while still guaranteeing people’s privacy.
“We need specific legislation that will tell you what you can and cannot do and that will also prescribe civil and even criminal liability and stiff penalties for the misuse of the system,” the lawyer argued.
Such penalties would for instance apply when the government, through the National Security Intelligence Service (NSIS) or Communications Commission of Kenya (CCK) carries out surveillance without for instance a court order or refuses to comply with an order.
“Approvals are necessary from courts because it is required that you present a certain level of evidence before a court can grant you a warrant to intercept communications,” Kiptniess explained.
Such explicit authorisation lacks in the Kenya Information and Communications Act which CCK) hopes to use to back up its surveillance raising questions about the legality of the move.
The Act gives the Information Minister the power to grant someone or an organisation access to protected computer systems. The same Act has a provision that prohibits unauthorised access to computer material with a view to altering them.
The CCK kicked off the debate after announcing plans to tap communication by installing an Internet tracking system with the help of the Internet Service Providers.
This announcement received the backing of its parent Ministry of Information which added that such spyware would help curb hate speech in the country.
As the implementation date of July 2012 nears and the plans to monitor the emails become a reality, the ability and capacity of the CCK to store information that will be collected from this exercise is also being questioned.
While it has great expertise in communication networks with its core mandate being to license and regulate telecommunications and the postal and couriers sub-sectors, the CCK lacks in security surveillance.
It does not help matters either that the country does not have a Data Protection Act.
“Collecting a lot of information that is a consequence of surveillance and interception would require very strict rules about how you can hold that information. The best practice is, security agencies conduct that with strict rules on how long you can keep that information,” Kiptniess emphasised.
In Europe, he pointed out they do have the EU Electronic Privacy Directive that specifically is to address the requirements of new digital technologies and the Data Retention Directive which specifies how long the authorities can keep the information and what they can and cannot do with it.
In the absence of all these rules in Kenya however and if the government insists on going ahead with the implementation of this software, the country could see increased litigation cases from people who feel that the government is infringing on their privacy.