The “Cybercrime” Cover-Up: How the State Is Gaslighting Kenyans While Gagging the Constitution

The government insists “fake news” is fuelling panic about the newly signed Computer Misuse and Cybercrimes (Amendment) Act, 2024, urging citizens to “read the law.” We did. What the text and the public record show is a tightening web of vague offences and sweeping administrative powers that chill speech and expand state control online—precisely where the Constitution demands the highest scrutiny.

Start with the baseline. Kenya’s 2018 Act already criminalised “false, misleading or fictitious data” and “publication of false information,” provisions long criticised for vagueness and a chilling effect on journalism and civic speech. Those provisions—sections 22 and 23—sit uneasily with Article 33, which protects expression subject only to narrow carve-outs like propaganda for war, incitement to violence, and hate speech. The Act itself concedes it is limiting Article 33 through Article 24, but that does not cure overbreadth: criminalising general “false” speech goes far beyond the Constitution’s targeted exceptions.

The 2024/25 amendments do not narrow these dangers; they layer on new ones. Official explanations boast of “empowering” the National Computer and Cybercrime Coordination Committee (NC4) to issue directives against websites and apps and to broaden cyber-harassment and phishing offences. That sounds tidy until you ask the constitutional question: are takedowns and access-blocking anchored in prior, specific, and proportionate judicial oversight—or can an executive-dominated committee curtail online speech first and justify later? The government’s own messaging emphasises NC4’s expanded “power to issue legal directives,” not court warrants. That is a red flag under Articles 33, 34 (media freedom), and 47 (fair administrative action).

Who exactly is NC4? By statute it is a security-heavy committee chaired by the Interior PS, with military, police, intelligence, the ICT regulator and prosecutors all at the table, reporting to the Interior CS. Concentrating content-control levers in such a body invites mission creep from cyber-security into content governance, with obvious risks to editorial independence and civic speech—especially if directives move faster than courts. In constitutional terms, that structure burdens Articles 33 and 34 and must pass a strict Article 24 test of necessity and proportionality, which the amendments’ cheerleading has not even attempted to satisfy.

Proponents say the law merely targets “harmful” conduct like grooming, extremist content, SIM-swap, and phishing. No one disputes the need to fight crime. The issue is drafting. Where an offence is tightly defined (e.g., unauthorised SIM-swaps, targeted phishing) it is defensible. Where language swells to “communications that cause harm,” or where the state may “restrict access” to applications without clear, prior judicial control, the law drifts into content policing. That is exactly the point critics have raised since 2018 and that digital-rights experts continue to document as a pattern in Kenya’s online regulation.

Government spokespeople also assert that critics are “misrepresenting” the law’s intent. Intent is irrelevant if effect violates rights. Sections penalising “false” or “misleading” information still present a classic vagueness problem: who decides truth, how quickly, by what standard, and with what defenses? Article 33(3) already protects reputations through civil remedies; criminal truth-policing, on the other hand, chills whistle-blowing, satire, and good-faith error. Kenya’s courts upheld much of the 2018 Act, but even that judgment recognised Article 24 limits; it did not license executive-branch censorship by directive. Amendments that expand administrative power without sharpening safeguards run afoul of the same constitutional architecture.

Consider process. Takedowns and access-blocking implicate prior restraint—one of the most disfavoured tools in a democracy. Any such restraint must be judicial, specific, time-bound, and appealable, with transparency obligations. An Interior-led committee ordering “restrictions” is the opposite model. Even if later court review exists somewhere, the chilling effect is immediate and irreparable for time-sensitive speech such as investigations, protests, or election commentary. That burdens Articles 33 and 34 and violates Article 47 unless the law guarantees due process up front. The government’s own explainer never mentions mandatory prior court orders. That omission is telling.

Supporters tout “expanded definitions,” including a broader idea of “access” that captures automated tools. That may be sensible for hacking prosecutions, but the same drafting style—expansive, tech-neutral verbs and elastic harms—when applied to speech offences blurs the line between conduct and content. Kenya can punish intrusion, fraud, and identity theft without criminalising imprecise categories of “misleading” expression or granting a security council the power to switch off speech. Legal technique matters; here, it has been used as a net, not a scalpel.

Now to the government’s “fake news” accusation. The record shows a parallel communications strategy: publicly dismiss critics as liars while quietly building a paid influencer ecosystem to amplify the official line. Multiple reports and announcements describe plans to pay content creators to promote flagship programmes; investigative work has documented “disinformation for hire” networks that swarm critics, launder talking points, and manipulate trends. When the State both funds influence campaigns and criminalises “false” speech, it acquires a monopoly on truth—and the law becomes a cudgel for narrative control. That is the textbook definition of chilling effect.

Digital-rights mapping over the past five years also shows a pattern: regulatory bodies seeking greater technical access and enforcement latitude, courts occasionally reining them in, and civil society warning that the line between cybersecurity and speech control is being erased. The new amendments, sold as “progress,” harden that pattern. A constitutional fix is straightforward: reserve blocking orders to courts; delete criminal bans on generic “false” speech; keep cyber-offences tightly focused on conduct (intrusion, fraud, child abuse material) with precise elements and defences; and insert transparency, notice, and appeal rights for any platform directive. Until then, the claim that critics are the “fake news” actors is projection.

Even government-friendly explainers confirm the nub: the law “empowers NC4” to issue restrictions. That cannot coexist with Article 33’s tight exceptions unless every restriction is judicially authorised, strictly necessary, and proportionate to a specific criminal offence. Anything less is unconstitutional. In a free society, security policy must be built with narrow tools and thick safeguards. Kenya has chosen thick tools and thin safeguards—and then hired influencers to tell us we’re imagining it.

Finally, the remedy is constitutional courage, not PR. Parliament should publish a clause-by-clause compliance memo showing how each amended section passes Article 24’s test; the Executive should renounce administrative blocking in favour of court warrants; and NC4 should be confined to technical coordination, not speech governance. Until then, Kenyans are right to demand scrutiny. The Constitution does not yield to convenience, even when rebranded as “cybersecurity.”

Read Also: Kenya’s New Cybercrime Law Sparks National Outcry over Online Freedoms