OPINION: It should be illegal to be hacked
On Friday 27th September The Standard carried a story on the Judiciary. According to The Standard, the Chief Justice is the Commander in Chief of a four member group codenamed ‘War Council’ whose sole purpose is to remove the ‘Darth Vader’, a nickname given to Gladys Shollei. The Standard obtained the information about the group and their plot to remove Shollei through email exchanges between the Chief Justice and part of the ‘War Council’ team. Asked about the plot and emails and the allegation, the Chief Justice initially declined to comment on the matter but alluded that his email and Twitter accounts were hacked (emphasis mine). He also said that his phone conversations are being tapped.
Not so long ago the TruthMeter presenter Willis Raburu found himself in trouble when it appeared that he tweeted the identity of ICC witness 536. In his reply to the claims that he revealed the identity of the ICC witness, Willis Raburu defended himself saying that his Twitter account was hacked.
“My fellow Kenyans as I said it would be perfect to clear my name, to show you here how much of an injustice was done to me, as my account was hacked (emphasis mine). I have the facts and the trail of tweets but I also have the opportunity…..” wrote Willis Raburu at his blog page http://willisraburu.wordpress.com.
Shortly before the Presidential Petition ruling, K24 posted on its Twitter account that 9th April would be a public holiday as the Supreme Court was to rule in favor of the current President and Deputy President in a case filed against them by the former Prime Minister Raila Odinga in regards to the March 4th General Elections.
“Supreme Court ends last hearing on a Good Friday. Finally tomorrow in their judgment they will uphold the elections – April 9th is holiday,” read the tweet posted on 29th March 2013.
The K24 tweet was immediately deleted, but not before it went viral and placed K24 on the trending topics. K24 then offered a public apology saying:
Sorry people. Our account was hacked (emphasis mine); ignore any Twitter updates that you see from @K24Tv. We have reported the hacking incident to Twitter and they are working on it! We will be back as soon as we sort out the problem. We apologise again for this unfortunate incident and Tweets.
Hacking claims have also affected the ICC and IEBC. ICC claimed that some hackers had accessed crucial information from witnesses’ email accounts; information that could lead to revelation of the witnesses’ identities. In relation to the hacking claims by the ICC and arrests that were later made, The Star reported that Dennis Itumbi was arrested in relation to the hacks. “Dennis Itumbi was arrested on Thursday night at his rural home in Embu where he was reportedly hiding after evading four attempts at arrest by police.” Fast forward to today, Dennis Itumbi is a free man and a government official in charge of the social media docket at State House.
Last but not least, the March 4th general election provisional vote tallying system failed at Bomas. Part of the rumors that went round was that the IEBC servers had been hacked and reprogrammed to interfere with the provisional vote counts. According to the rumors, the vote tally difference between the two leading candidates, Uhuru Kenyatta and Raila Odinga, was supposed to be maintained within a certain constant range as predetermined by a certain algorithm that was initiated by a virus implanted in the IEBC servers.
Hacking generally is an illegal activity. However, there is a branch of hacking that is encouraged even by the large corporates. For example, Google periodically offers rewards to any hacker who can break into its Chrome browser. Recently a consortium came up with a $13,000 prize offer to any individual or group of persons who can hack into the iPhone 5S’ Touch ID. The Touch ID has since then been hacked by a German group calling themselves CCC (read: How to hack iPhone 5S). In these two types of scenarios, hacking is encouraged.
But to hack into a company’s systems, government computers and servers, individual online accounts etc. in order to access private, sensitive and confidential information is illegal (although a discussion post claimed that hacking into private emails is not illegal in Kenya). As much as these types of hacking are illegal, it is almost next to impossible to establish beyond reasonable doubt the identities of suspect hackers, as hackers are smart guys who rarely leave a trace unless they want to get the recognition.
Since hacking is a reality, and hackers are hardly known or traceable, it should be a matter of personal responsibility to ensure that accounts we are directly responsible for are properly protected with the maximum security features available/affordable. Most hackers take advantage of systems and computers that lack proper protection against malware, viruses and trojan horses and as such are easily broken into.
Personally I have been able to easily access some people’s emails, Facebook accounts and computer files simply because the gadgets and files are protected by guessable passwords, or no passwords at all. Others, especially those using smartphones, do not have lock screen credentials and, as we all know, phone apps normally prefer to “remember” the user, so just having access to their phones means you can access their emails, Facebook, Twitter and all other online accounts. Actually you don’t have to hack some accounts. What you need to do, especially when you have someone’s phone, is to request a new password using the “forgot my password” option. A code for changing the password will likely be sent to that particular phone’s number. So to be safe one must ensure to:
- Always lock the phone or computer with a strong password or PIN. A strong password means a password with letters, numbers and symbols e.g. p@s$w0r5 instead of password. Forget the Android patterns; five-year-old kids have been able to bypass those.
- If you used a particular phone number to register online accounts, then make sure the SIM card used for registration is not in use in the same phone/tablet for accessing the online accounts otherwise I’ll just “forget your password” and create a new one.
When I bought my first phone, Safaricom gave me a small booklet that contained terms and conditions of service. The long wording can be summarized that Safaricom expected me and only me to use the SIM card that I bought. That is, all communications received or sent via the SIM card were by me or as a result of express knowledge and permission by me. Safaricom did not expect a situation whereby I denied knowledge of a text message or phone call from my SIM card that caused harm to another party. If today an insulting text message is sent from my number to anyone, that person will sue me and win; defending myself by saying that my phone was hacked won’t hold water—I guess.
The excuse “I was hacked” sounds like Shaggy’s song “It wasn’t me”, which should be left to cheating spouses to sing. Serious and sensitive matters that are of public interest must however be subjected to thorough protective measures where individuals responsible for safeguarding such interests are held accountable in case of security and privacy breaches. Just as everyone is expected to jealously protect and safeguard important, confidential and sensitive personal, corporate, legal or government hard copy documents, the same level of requirement must be pushed to online and soft copy documents.
All said and done, a law should be established expressly stating that the use of personal and official email accounts, Facebook accounts, any other online accounts; the use of personal or official phones, computers, or any other ICT gadgets, at all times, is by first principles understood to mean that such use was by the owner/custodian or with the owner’s/custodian’s express knowledge and permission. This will make all hacking excuses illegal, unless otherwise is proven beyond reasonable doubt!
I am not alone in saying that it should be illegal to be hacked. A post at TechDirt had this to say:
…breaches definitely seem to be due to negligence on the part of a corporate IT team that failed to lock down the data in any significant manner. That seems to be leading more people down the path of saying that companies should be liable for getting hacked.