Home > Regulation and Law > Why the plan by CCK to monitor Kenyan Internet traffic will flop

Why the plan by CCK to monitor Kenyan Internet traffic will flop

Today I woke up to the news that the Communication Commission of Kenya (CCK) has announced its intention to start monitoring both inbound and outbound internet traffic in the country so as to “detect and facilitate response to possible cyber threats.” They plan to do this by installing “the Internet traffic monitoring equipment known as the Network Early Warning System (NEWS)” in ISP border equipment.

This move by CCK is ostensibly informed by the fact that they have noted an increase in number of cyber attacks in the country in the last three or so years since arrival of faster internet connectivity via fiber.  This is the most laughable and ridiculous thing I have heard coming from an institution that is supposed to be a regulator of communication and postal services. This is because CCK lacks the technical capability (capacity and ability) and the legal mandate to do this.

First things first, CCK states its mandate on its website as:

  • Licensing all systems and services in the communications industry, including telecommunications, postal/courier and broadcasting.
  • Managing the country’s frequency spectrum and numbering resources,
  • Facilitating the development of e-commerce.
  • Type approving/accepting communications equipment meant for use in the country
  • Protecting consumer rights within the communications environment.
  • Managing competition in the sector to ensure a level playing ground for all players,
  • Regulating retail and wholesale tariffs for communications services.
  • Managing the Universal Access Fund
  • Monitoring the activities of licensees to enforce compliance with the licence terms and conditions as well as the law.

In the above mandates, none grants it powers to monitor internet traffic for suspicious activities, the closest one is the last point which says “Monitoring the activities of licensees” , not end users. Unless CCK changes the licence conditions to include responsibility of the licensee on what type of content traverses their network, CCK cannot legally monitor whats passing through an ISPs pipes to the internet. CCK is said to be basing its intention on the Kenya Information and Communications Act, which gives it powers to develop a national cyber security management framework. The dictionary defines “framework” as “A basic structure underlying a system, concept, or text.” This means that the CCK is to provide a guideline (a template if you may) on how the country can protect itself from cyber crime, it does not give CCK the mandate to police the internet by sniffing every packet that come and leaves the country.  There is also a legal reason why CCK is a commission and not an Authority like NEMA, KRA or KPA. Transforming it to an Authority will give it more teeth to bite than being a commission. (This is why all Anti corruption bodies are intentionally set as commissions by the powers that be). For CCK to do this, it needs teeth to bite which it lacks.

Talking of sniffing every packet, ISPs have rubbished the proposal by CCK to install what it calls the Network Early Warning System (NEWS) into the ISPs equipment. For any of you who has run a debug or packet sniff on any border equipment, you will agree that its CPU and memory intensive, i see ISPs asking CCK for money to upgrade their equipment to accommodate this extra task should they have their way in forcing them to install the NEWS system. Also,  the NEWS system is for early detection of cyber attacks and not monitoring traffic per-se. What role CCK plays in ensuring security of privately owned networks is still unclear as it is tantamount to trespassing and against article 31 of Constitution grants citizens the right to privacy, including a clause preventing infringement of “the privacy of their communications. ISP networks are privately owned property.

With the international nature of the Internet, CCK is bound to run into jurisdiction problems when enforcing their proposed monitoring. If a Kenyan ISP hosts a server in a data center in the UK, that server is technically under the UK jurisdiction and not Kenya’s. If an ISP operating in Kenya under a CCK license decides to encrypt both its inbound and outbound traffic using US registered cryptography up to the next hop that is in the US, does CCK have any powers to ask for decryption of the traffic for the purposes of monitoring? According to the Max Planck Encyclopedia of Public International Law, cryptographic systems registered in a country and used to encrypt traffic to and from that country are considered as being under the jurisdiction of the country in which it was registered. This is one loop-hole that ISPs can use to circumvent the new CCK plan. They will simply encrypt or tunnel traffic leaving their border equipment until its out of Kenya’s borders.

CCK claims to have the backing of the ITU in setting up this system after signing a KES 36Million deal. The ITU will allegedly help train CCK staff in the new systems, the ITU? Ha!  what people seem to forget is that out of all the UN bodies, the ITU is the least effective and powerless of them all. The reason being that most countries that fund the UN do not ascribe to tha fact that the UN should play a central role in how they communicate, the ITU is so toothless that they couldn’t even stop the Wimax Forum from using the same frequencies allocated by ITU to C-band satellite services. The ITU is also underfunded and itself lacks the technical capability to do such a thing. Look around, what impact does ITU have on the communication sector? none. For all we care, the IEEE (to which I am a member) has set nearly all the world standards in communications. So CCK saying that “They have the backing of the ITU” doesn’t scare anyone. If ITU was very critical to the world, it would be headed by either a US or EU citizen just like the Breton woods institutions and not by Hamadoun Touré from Mali. Also, signing a KES 36.2 Million deal to install this system is a big joke. That’s just $425K which I think is not even enough to buy the equipment to do what CCK hopes to do.

So, when all is said and done, CCK will fail in this mission to spy on citizens in the guise of preventing cyber crime. What the CCK should instead be doing is setting and enforcing regulation on network and content security, the CCK should be more worried that the Government of Kenya hosted all its websites on a single server in Kenya as opposed to at a data center. It should be more worried that the developer of the websites also never took any precautions in enforcing security on the scripts and hosting environment used in the government websites, that’s how CCK can become a relevant player in the prevention of cyber crime in the country, not attempting to spy on emails and browsing traffic.

Activists will now start saying that the CCK should be opposed, twitter hashtags will emerge and campaigns on social media will run. The activists should not even waste their precious time because even without a campaign urging it to stop, CCK will not manage to do what it says it intends to do. The obstacles are too many.

  1. March 21, 2012 at 11:09 am

    I am all for monitoring internet traffic for security purposes not censor purposes. Countries worldwide are monitoring internet traffic and just last year India and UAE were trying to ban BlackBerry platform because of the encrypted BBM traffic. In the wake of the riots in London, among the recommendations that were put forward was to either ban BlackBerries or force RIM to avail the keys. Countries like South Africa, America, Canada and many other European countries have firewalls that filter internet traffic, why can’t Kenya do it?

    CCK is the government institution mandated to craft and enforce communication policies in this country, just like FCC in America or European Regulators for Electronic Communications for EU countries so I believe this falls perfectly under them. It’s just amazing that you think CCK’s ability to enforce this kind of stuff is limited by the fact that it’s a Commission not an Authority. Boss, CCK has been arresting people who use frequencies illegally in this country, so what now? LOL

    Your cryptography bit did make sense as a prospective hurdle in enforcing this but just like India and UAE tried to ban the technology if keys are not handed over to theM, what can possibly prevent our government from doing so if recommended by CCK? And btw did you know that you cannot sell any encryption technology in the US without handing over your keys to FCC? Did you know that? Alright then.

    Now the server hostage bit too made sense but remember the governments do communicate. Trust me regardless of where the server is hosted if the information needed is a threat to national security it will be handed over to the authorities. Take a look at Pirate bay for example. Sweden is one of the countries that safeguard personal data but see that couldn’t protect Pirate Bay, they had use satellite to protect their webservers and they are currently working on hosting those servers in drones ( please I’m not making this up. Check this out http://www.factmag.com/2012/03/19/the-pirate-bay-promise-to-hide-servers-in-tiny-airborne-drones/ )

    Again, if the spying is meant to gag the internet, then I can’t support it but I think it’s time some security measures were put in place to protect internet users. We all can remember PEV and how emails were used. Let’s not forget the good side of monitoring internet traffic. I have seen people on twitter talking about hacking websites.. LMAO. CCK mentioned emails, how is that even remotely close to hacking websites? LMAO!!

    • March 21, 2012 at 11:33 am

      Thanks for the comments Sure Rogers, I agree with some of your comments to a large extent, especially on monitoring to prevent issues like PEV from happening, by all means. Monitoring and surveillance is not bad, my issue is the CCKs capacity to do it. They have failed in nearly all “projects” they have started (Mobile number portability, digital TV migration, Universal access fund, mobile call quality assurance)
      However, the fact that other countries have done it doesn’t mean we have to do it also, on jurisdiction, you could be right, but the case of pirate-bay et al was based on illegal sharing of copyrighted content and not monitoring of citizens and that’s why it was easy to do cross-border confistication of servers, it will be hard for Kenya to ask for access to an ISP server seated in UK if they cannot prove that it’s a threat to national security or sharing illegal content, UK and Saudi Arabia could only BAN BBM and not ask for Canada’s help in decrypting BB services.
      You also say “Countries like South Africa, America, Canada and many other European countries have firewalls that filter internet traffic, why can’t Kenya do it?” Filtering internet traffic is different from monitoring where users are going to or what emails they are sending, for sure Kenya can decide to filter websites, CCK is already mandated to ask ISPs to filter websites they deem dangerous to Kenya, so filtering is OK and is already happening, it’s the sniffing of normal browsing that’s the issue here, the sniffing of my business email to my suppliers or customers or of my personal email to family, what assures me that my business email sniffed by CCK will not end up on my competitors inbox after the competitor compromises CCK staff?

      On your example of CCK’s mandate by citing the US FCC, please note the FCC does not engage in network sniffing, that’s the work of homeland security and CIA, FCC’s role is purely regulation. If Kenya wants to do this, CCK is the wrong body to do it due to legal reasons and derailing them from their main duty of regulation. Good example is the giving NEMA the powers to arrest people making loud moises, that should be the duty of local govts, right now NEMA has forgot its mandate or environmental regulation and are busy at night moving from pub to pub asking for bribes or turning down of music. They have forgot their MAIN mandate, that’s what will happen to CCK if they start doing these side shows of sniffing traffic.
      Thanks for the comments; they shade a new perspective on the discussion. Keep them coming.

      • March 21, 2012 at 12:03 pm

        We are basically talking about the same thing. Internet Filtration for me goes beyond dangerous websites. Internet filtration incorporates surveillance and blockage. Emails traffic, web traffic, Applications and Instant Messaging systems like ICQ, IRC, Jabbar, MSN etc. All this in my area of expertise constitutes to web tiltration. Trust me none of that is happening anywhere in this country. You don’t even need to use proxies to do whatever you want to do.

        What we need to worry about like Nanjira said on twitter, is how they’ll handle it. The idea to me is noble if it’s not meant to gag internet users. We just have to ensure CCK do it ethically and the right way. The ISPs like Safaricom have done it with your phonecalls and text messages, maybe CCK will have to collaborate with them.

        Of course FCC doesn’t sniff or arrest people but they lay the rules and regulations that enables FBI and Homeland Security to do so.. Like one that of availing encryption keys to them, that doesn’t make it toothless. or does it?

        Did you get a chance to read about SOPA? Pirating Softwares, Music, Movies etc was described as a threat to American National Security… LMAO!! I really didn’t make that up, look for that document.

        Good discussion anyway, I wish we could stop the simplistic view some of us have taken on twitter. Concerns like this “what assures me that my business email sniffed by CCK will not end up on my competitors inbox after the competitor compromises CCK staff?” are some of the things we should worry about in my opinion.

  2. March 21, 2012 at 12:07 pm

    Sure Rogers :
    Trust me none of that is happening anywhere in this country. You don’t even need to use proxies to do whatever you want to do. – atleast not at the ISP level as directed by CCK. Most corporate organizations have done it on their own. (Correction)

  3. March 21, 2012 at 3:17 pm

    When I saw monitoring, for cyber attacks and security threats… I thought NSIS, CCK is only a regulatory body and does not have authority to do what it intends to do

  4. April 5, 2012 at 11:45 am

    I agree with Sure Rogers. I think its high time that internet monitoring is done because for example kenya is having alot of terrorism and you know these guys dont use telephones so how will the governement cope up if they dont. I dont mind if they have to force operators to buy new equipment or what but what am aware of there other stand alone equipment that can automate the process and they do not have to be embeded into those of the ISP. So go go CCK and Kenyan Government.

    • April 5, 2012 at 10:53 pm

      Thanks Sem3bash for your comments. I am not against the monitoring, I am however skeptical about the GoK ability to effectively do it.

  5. sanj si
    April 23, 2012 at 2:33 pm

    Internet monitoring is done all over the world in all jurisdictions and if it is not then BEWARE. If internet monitoring was done sooner alot of bad things could and can be prevented. It is very similar to phone hacking, it happens and is used all over the world.

    The issue here is the misuse of that technology and information. Countries need to have the ability to know what is being talked about on the phone and online if it is a threat to national secuirty. In the UK currently, if certain ‘keywords’ are said on the phone or online then a central agency is alerted and has the option to listen or ‘tap in’.

    I agree the threat of a big business deal could be sabotaged by relaying an important e-mail to a competitor is a problem (which can be done quite easily these days), but believe me saving lives and protecting people from evil peodphiles and scammers as well as terrorists is also just as important.

    And then we lead onto how and who will enforce these applications. Hmm…now there lies the problem, where there is huge power and responsibility there is ABUSE of that power, and in this case, giving just one authority access to such info would be crazy, especially in Africa. LOL just imagine working in that centre with the whole countries e-mails at your fingertips, finger licking to many i would say.

    Let’s just agree, the idea is not to listen or tap in to 2 lovers or business deals, its to prevent Fraud, crime and protect national security.

    BUT…..i am willing to bet anything, it will be abused by many greedy people……

    • April 23, 2012 at 2:40 pm

      Hi Sanj Si,
      I totally agree with your comments.
      My main issue in penning the article is the way the regulator wants to implement it. As i type this, a ‘government task force’ has already been formed to handle this without even talking to the ISP’s and getting their views. The regulator should involve all stake holders (ISP’s, end users) in this by first educating them on what this is (like you said it should be monitoring keywords in conversations, most users don’t know that, they think its monitoring ALL communication).
      If the regulator works on making this an all inclusive process and putting in place checks and balances to prevent abuse, by all means i am for it, but without that, it will be abused.

  1. April 7, 2012 at 4:52 pm
  2. November 8, 2012 at 10:25 am

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


Get every new post delivered to your Inbox.

Join 141 other followers

%d bloggers like this: