Premium
Cybercrime law missed the bigger picture
Cybercrime refers to any harmful act committed using a phone, computer, or online platform.
What you need to know:
- Kenya has missed an opportunity to engage citizens as co-authors of digital dignity.
- Cybercrime refers to any harmful act committed using a phone, computer, or online platform.
There has been a lot of uproar following the signing of the Kenya Cybercrime Bill 2025. Part of the concern is that it was quietly signed into law during a period of national mourning, after the death of former Prime Minister Raila Odinga. Many have called the new law a distraction.
However, I see something deeper; a missed opportunity to engage citizens as co-authors of digital dignity. Let’s start with the basics. What is cybercrime in everyday language or to a common mwananchi? Cybercrime refers to any harmful act committed using a phone, computer, or online platform. Think of it as digital misbehaviour with real-world consequences.
For instance, if you steal someone’s identity or passwords, send threatening or abusive messages, spread false information to damage someone’s reputation, take over someone’s SIM card to access their bank account, or trick people into giving up private information (which is also called phishing or vishing).
Harsh penalties
These are not just technology problems; they are trust problems. So what does the Act actually say? It has introduced harsh penalties and broad powers. Here is what the new law covers.
First, cyber harassment, which is using texts, e-mails, or social media to repeatedly harm, intimidate, or emotionally distress someone. It is like throwing stones from behind a screen. You do not see the bruises, but they land. Every cruel message, every public shaming, every silent punishment is a stone. Offenders risk a penalty of up to 10 years in prison or a fine of up to Sh20 million.
Second is phishing and vishing. Phishing, as noted above, is tricking someone online (through email or message) to give up private information. Vishing, on the other hand, is the same trick but done through voice calls. Imagine someone casting a fishing line into your inbox or phone call. The bait looks real, for example, a bank alert, a job offer, but the hook is hidden. Once you bite, they steal your passwords and money. For this, one faces a penalty of up to two years in prison or a fine of Sh200,000.
Third is SIM swap fraud. This is when someone tricks your mobile provider into giving them control of your phone number so they can access your bank, apps, or messages. It is like someone stealing your house keys not by breaking in, but by convincing the security guard they are you. Once inside, your digital life is theirs. The penalty for this is up to two years in prison or a Sh200,000 fine.
System security
Fourth is website shutdowns. The government can block websites or apps that promote terrorism, child abuse, or religious extremism. Fifth is content removal. The courts can order harmful content to be deleted from devices or platforms.
Perhaps you want to ask if this is about cybersecurity. Not entirely. While it includes technical protections, the Act leans more toward behavioural control than system security. It is less about protecting your data and more about regulating what you say and how you say it online.
This is where negotiation matters. What could have been was a negotiated approach using A.M.A.Z.E (Ask, Mirror, Align, Zone, Explore).
Let us not legislate silence and call it safety. Let us negotiate with citizens, not just for them.
Mr Molla is Managing Director, MDP Africa.
