Kenya’s Communications Authority Goes All ‘Big Brother’ On Public WiFi Networks To Curb Cybercrime

Big Brother – From the name of the head of state in George Orwell’s Nineteen Eighty-Four. A person or organisation exercising total control over people’s lives.
This one was truly a shocker. Honest. I read the coverage in today’s editions of the Business Daily here and the Daily Nation here. I was stunned. I was wondering if this is really happening in Kenya. Really? As in. REALLY??! So. To give you the main highlights, let me break it down for you as succinctly as possible:
- The Communications Authority (CA) of Kenya will soon require that all devices (i.e mobile phones, tablets, computers, e-readers, even Internet of Things?) that connect to public WiFi networks (such as the kind you use in airports, hotels and restaurants) be registered with the Kenya Network Information Centre (KENIC) as a way of curbing cybercrime. This will be done by assigning unique IP addresses to the devices for tracking purposes (sounds like Big Brother to me!)
- Users of the aforementioned WiFi capable devices will be required to provide their telephone numbers and identity card details, which can be used to track them down should they use their devices to commit cybercrime such as fraud or hacking websites (Big Brother again…)
- CA will license KENIC to register devices so that the identity of a device will be known when it connects to a public WiFi network (I thought KENIC’s mandate was managing and operating the .KE ccTLD? Have they become a proxy for executing CA’s initiatives?)
- Failure by any establishment to adhere to the rules will compel KENIC to withdraw the WIFI services used by the defaulting institutions (Apparently so. This will NOT be good for businesses and the bigger question is exactly HOW this will be done at a practical level? The effort and hassle of doing so for consumers could deter them completely from using public WiFi networks which would defeat the whole purpose to begin with)
- In case a crime is committed, CA will then be able to trace people using the national identity cards that were registered and their phone numbers keyed in during registration process (Question: What happens if the crime was committed using your devices when they were NOT in your possession or stolen for instance? Questions questions…)
- The new rules from the CA will also require all Kenyan companies to host their websites in the country rather than outside (I am not sure if this is entirely accurate since one can already host their website wherever they want to unless perhaps this is China we are talking about and not Kenya? How will CA police where websites are hosted? I am more than a little puzzled)
- CA is also working on a memorandum of understanding with the registrar of companies that will also see anyone registering a company or business in Kenya compelled to acquire a Kenyan domain name as part of the process (this is obviously to drive up the current dismal uptake of Kenyan domain names, but again, Kenyan businesses should NOT be forced to do so if they would rather not?)
I know the CA is doing this all for the sake of cybersecurity which is really important for Kenya but the measures do seem a little extreme from my perspective? There is a serious risk that these initiatives, if they actually happen, could be misused as well and compromise the privacy and constitutional freedoms of Kenyans, all in the name of curbing cybercrime. That being said, I am really keen to see the final paperwork when it becomes widely available from the CA for review by the general public. Something tells a good number of these suggestions will be shot down. However, then again, this is Kenya and in the name of cybersecurity anything is possible.
2 Comments
[…] wrote a blog post earlier this week here on the extreme measures that Kenya’s Communications Authority (CA) intended to take with […]
It is not only the fact that the measures are “extreme” in the sense that they carry a massive administrative burden. It is just as important that they will be totally ineffective.
It is of no help that your devices MAC address is registered to your id number, when you can easily change/spoof your MAC address before you connect it to any wifi.
Similarly the requirement to host locally is extremely invasive – assume for a second that your site/system has some “special” requirements that no provider is offering in Kenya – then you are lost..
Another scenario, lets assume that Uganda gets “inspired” by this an implements a similar requirement to host locally. If your business is now in both Uganda and Kenya you have to have two setups running – which depending on your site/solution can be extremely costly.