Why the plan by CCK to monitor Kenyan Internet traffic will flop
Today I woke up to the news that the Communication Commission of Kenya (CCK) has announced its intention to start monitoring both inbound and outbound internet traffic in the country so as to “detect and facilitate response to possible cyber threats.” They plan to do this by installing “the Internet traffic monitoring equipment known as the Network Early Warning System (NEWS)” in ISP border equipment.
This move by CCK is ostensibly informed by the fact that they have noted an increase in the number of cyber attacks in the country in the last three or so years since the arrival of faster internet connectivity via fiber. This is the most laughable and ridiculous thing I have heard coming from an institution that is supposed to be a regulator of communication and postal services. This is because CCK lacks the technical capability (capacity and ability) and the legal mandate to do this.
First things first, CCK states its mandate on its website as:
- Licensing all systems and services in the communications industry, including telecommunications, postal/courier and broadcasting.
- Managing the country’s frequency spectrum and numbering resources.
- Facilitating the development of e-commerce.
- Type approving/accepting communications equipment meant for use in the country.
- Protecting consumer rights within the communications environment.
- Managing competition in the sector to ensure a level playing ground for all players.
- Regulating retail and wholesale tariffs for communications services.
- Managing the Universal Access Fund.
- Monitoring the activities of licensees to enforce compliance with the licence terms and conditions as well as the law.
None of the above mandates grants it powers to monitor internet traffic for suspicious activities. The closest one is the last point, which says “Monitoring the activities of licensees”, not end users. Unless CCK changes the licence conditions to make the licensee responsible for the type of content that traverses its network, CCK cannot legally monitor what's passing through an ISP's pipes to the internet. CCK is said to be basing its intention on the Kenya Information and Communications Act, which gives it powers to develop a national cyber security management framework. The dictionary defines “framework” as “A basic structure underlying a system, concept, or text.” This means that the CCK is to provide a guideline (a template, if you may) on how the country can protect itself from cyber crime; it does not give CCK the mandate to police the internet by sniffing every packet that comes into and leaves the country. There is also a legal reason why CCK is a commission and not an Authority like NEMA, KRA or KPA. Transforming it into an Authority would give it more teeth to bite than it has as a commission. (This is why all anti-corruption bodies are intentionally set up as commissions by the powers that be.) For CCK to do this, it needs teeth to bite, which it lacks.
Talking of sniffing every packet, ISPs have rubbished the proposal by CCK to install what it calls the Network Early Warning System (NEWS) into the ISPs' equipment. Any of you who have run a debug or packet sniff on border equipment will agree that it's CPU- and memory-intensive. I see ISPs asking CCK for money to upgrade their equipment to accommodate this extra task should CCK have its way in forcing them to install the NEWS system. Also, the NEWS system is for early detection of cyber attacks and not for monitoring traffic per se. What role CCK plays in ensuring the security of privately owned networks is still unclear, as this is tantamount to trespassing and goes against Article 31 of the Constitution, which grants citizens the right to privacy, including a clause preventing infringement of “the privacy of their communications.” ISP networks are privately owned property.
With the international nature of the Internet, CCK is bound to run into jurisdiction problems when enforcing its proposed monitoring. If a Kenyan ISP hosts a server in a data center in the UK, that server is technically under UK jurisdiction and not Kenya’s. If an ISP operating in Kenya under a CCK license decides to encrypt both its inbound and outbound traffic using US-registered cryptography up to the next hop, which is in the US, does CCK have any powers to ask for decryption of the traffic for the purposes of monitoring? According to the Max Planck Encyclopedia of Public International Law, cryptographic systems registered in a country and used to encrypt traffic to and from that country are considered to be under the jurisdiction of the country in which they were registered. This is one loophole that ISPs can use to circumvent the new CCK plan. They will simply encrypt or tunnel traffic leaving their border equipment until it's out of Kenya’s borders.
CCK claims to have the backing of the ITU in setting up this system after signing a KES 36Million deal. The ITU will allegedly help train CCK staff in the new systems. The ITU? Ha! What people seem to forget is that out of all the UN bodies, the ITU is the least effective and most powerless of them all. The reason is that most countries that fund the UN do not subscribe to the idea that the UN should play a central role in how they communicate. The ITU is so toothless that it couldn’t even stop the WiMAX Forum from using the same frequencies allocated by the ITU to C-band satellite services. The ITU is also underfunded and itself lacks the technical capability to do such a thing. Look around: what impact does the ITU have on the communication sector? None. For all we care, the IEEE (of which I am a member) has set nearly all the world standards in communications. So CCK saying that “They have the backing of the ITU” doesn’t scare anyone. If the ITU was very critical to the world, it would be headed by either a US or EU citizen just like the Bretton Woods institutions and not by Hamadoun Touré from Mali. Also, signing a KES 36.2 Million deal to install this system is a big joke. That’s just $425K, which I think is not even enough to buy the equipment to do what CCK hopes to do.
So, when all is said and done, CCK will fail in this mission to spy on citizens in the guise of preventing cyber crime. What the CCK should instead be doing is setting and enforcing regulation on network and content security. The CCK should be more worried that the Government of Kenya hosted all its websites on a single server in Kenya as opposed to at a data center. It should be more worried that the developer of the websites also never took any precautions in enforcing security on the scripts and hosting environment used in the government websites. That’s how CCK can become a relevant player in the prevention of cyber crime in the country, not by attempting to spy on emails and browsing traffic.
Activists will now start saying that the CCK should be opposed, Twitter hashtags will emerge and campaigns on social media will run. The activists should not even waste their precious time because even without a campaign urging it to stop, CCK will not manage to do what it says it intends to do. The obstacles are too many.