When the Computer Misuse and Cybercrimes Act was passed, Kenyans were told it would fight hackers, online fraud, and digital crime. At first, that sounded like a good thing because after all, who doesn’t want protection from scammers and cybercriminals?
But as time has gone by, the cybercrimes law has been used for something very different. Instead of protecting ordinary Kenyans, it has become a tool for politicians and powerful people to silence critics, intimidate citizens, and even invade our privacy.
In 2018, we took this fight to court, and argued that many sections of this law are unconstitutional. The matter is currently pending before the Court of Appeal and will be heard this September 17th 2025.
Here’s a breakdown of why this law is problematic, why it matters, and how it could impact the everyday citizen:
Freedom of Expression Under Attack
The Act makes it a crime to publish ‘false,’ ‘misleading,’ or ‘fictitious’ information. On the surface, this might seem reasonable, but here is the danger:
- No clear definition of “false”: Truth is not always black and white. A statement could be seen as false by one person but as opinion, satire, or political criticism by another.
- Risk of abuse: If the government or politicians get to decide what counts as false, they can easily brand anything critical of them as “fake news.”
- Real cases: Bloggers have been arrested for writing about politicians. An author was detained for publishing a biography of the president’s daughter. A developer was harassed for creating a tool that helped Kenyans participate in debate over the Finance Bill. In one tragic case, Albert Ojwang was arrested over “fake news” and died after being tortured in police custody.
This creates a chilling effect. Even if you are never convicted, the fear of being arrested, detained, and dragged through the courts makes people afraid to speak. It silences ordinary Kenyans who simply want to express their opinions online.
In a democracy, citizens must be free to question leaders, criticize government, share information, and even joke about politics. If speaking your mind can land you in jail, then that democracy is under threat.
Vague and Overbroad Offences
A law must be clear enough for ordinary people to understand what is legal and what is not. Unfortunately, many offences under this Act are vague and catch even innocent actions.
Some examples:
- Cyber harassment: The law says you can be guilty if your words “detrimentally affect” someone or are “grossly offensive.” But what does that mean? Criticism can affect a politician. Satire can be offensive to some. Even breaking bad news can affect a person. This gives police power to arrest people for almost anything they post online.
- Receiving money by mistake: The law makes it a crime to “intentionally withhold” money sent to you in error. Yet in practice, even elderly Kenyans who don’t know how to reverse M-Pesa transactions have been arrested. These people had no criminal intent, but the law treats them like thieves.
- Cybersquatting: This offence is so broad that it could criminalize using common words, memes, jokes, or parodies online. Imagine being sued for using a funny username or popular phrase on Twitter.
- Simple mistakes: Typing the wrong email address could be considered “misdirecting an electronic message.” Deleting old emails could be considered “unlawful destruction of data.” These ordinary activities are being criminalized.
This is dangerous because it means anyone can be targeted, and the decision is left to police. In such an environment, the law becomes a weapon, not protection.
Your Digital Privacy is at Risk
One of the scariest parts of the law is the section on investigations and surveillance. It gives police wide powers to collect and monitor personal data, with very weak oversight mechanisms.
Here is what it allows:
- Police can get access to your data with ease: Courts are required to issue orders once police say they have “reasonable grounds.” The judge has no real discretion; they are reduced to a rubber stamp.
- Bypassing courts: In some cases, police can skip the courts completely and go directly to service providers (like Safaricom) to demand your data.
- Real-time tracking: Police can collect data about your movements, location, and communications in real time and even force service providers to allow cloning of systems to make surveillance easier.
- No notification: You will never be informed that you were under surveillance, even after the investigation is over.
- No safeguards: There are no strict limits on how long this data can be kept, how it can be used, or who oversees it.
In a country where police abuse is a reality, such unlimited access to personal data is extremely dangerous. It means that your texts, emails, calls, and online activity can be monitored without your knowledge, and possibly misused.
The Constitution protects the right to privacy, but this law is an affront to that right.
No Public Participation
The Constitution requires Parliament to involve citizens in lawmaking. But in this case, many controversial sections of the law were added at the last minute, after public participation had already been done.
For example, the Bill originally focused on cybercrime offences like hacking. But later, provisions about “false information” and “misleading messages” were sneaked in during the final stages, without Kenyans being consulted.
This is unconstitutional because:
- Citizens had no chance to debate or question these provisions.
- The law ended up protecting politicians’ interests instead of public interests.
- Laws passed this way set a bad precedent because it means unpopular or oppressive clauses can be hidden in important laws without public knowledge.
Gender Inequality in Key Institutions
The law also created the National Computer and Cybercrimes Coordination Committee to oversee implementation. But Parliament failed to ensure compliance with the two-thirds gender rule.
As a result, the current committee is overwhelmingly male, with only two women out of eleven members. This violates Article 27 of the Constitution, which requires no more than two-thirds of any public body to be of the same gender.
This is not just a technical issue. Decisions about cybersecurity affect all Kenyans, and women’s voices must be included. By failing to put safeguards into the law, Parliament allowed inequality to continue in one of the most important digital oversight bodies.
What This Means for Ordinary Kenyans
If these unconstitutional provisions remain in place:
- You could be arrested for your posts: A tweet, Facebook post, or even a joke could be branded “false information” or “cyber harassment.”
- You could be punished for innocent mistakes: Receiving the wrong M-Pesa transaction, misdirecting an email, or sharing a meme could land you in court.
- You lose your privacy: The State could monitor your calls, texts, and movements without you knowing.
- Your voice is ignored: Laws could continue to be passed without genuine public participation.
This fight is not just about bloggers or journalists. It is about every Kenyan who uses a phone or the internet. The Cybercrimes Act was supposed to protect Kenyans from digital crime, but instead it has become a tool of control. It criminalizes speech, allows abuse of surveillance powers, sneaks in laws without public input, and undermines gender equality.
The Court of Appeal now has the chance to correct these wrongs. Striking down the unconstitutional sections of the law would not only protect our freedoms but also reaffirm that Kenya is a democracy where rights matter.
If we let this law stand as it is, then we risk sliding into a society where expressing your opinion online is dangerous, where privacy is a luxury, and where the law serves the powerful instead of protecting the people.
Resources