The Court of Appeal has dismissed a request from the taxman for Google to be compelled to reveal the identity of hackers who breached its systems.
In a ruling made yesterday, the Court of Appeal threw out Kenya Revenue Authority's (KRA) suit on grounds that the taxman was late in filing court documents.
KRA brought the landmark case against Google in 2018 after a hacker breached its systems and made off with sensitive data.
The taxman sued Google’s local subsidiary, Google Kenya, seeking to compel the firm to reveal the user behind a Gmail account allegedly involved in the attack.
Just months before the suit, KRA had accused 12 people of hacking and causing it to lose Sh3.9 billion. It is, however, unclear if the appeal is related to the theft.
KRA won the initial round obtaining orders to have Google furnish Kenyan investigators with the data. However, Google appealed the decision arguing that Google Kenya and parent company, Google LLC, are two different entities.
High Court judge Pauline Nyamweya yesterday declared the order that the KRA obtained from a magistrate’s court in January as irrational, noting that Google Kenya is a separate legal entity from Google Inc, the firm that the taxman had listed as the respondent in the case.
The decision sends KRA investigators back to the drawing board since Google Inc, which is the custodian of the gmail account used to hack the taxman’s system, is domiciled in the United States.
“It is thus evident that while the respondent in the said application was Google Inc., the orders sought against the respondent were instead issued against the applicant (Google Kenya). To this extent the order issued on January 9, 2018 cannot be explained by the facts and law,” Justice Nyamweya said, as she directed the KRA to pay the legal cost Google Kenya had incurred.
The judgment underlines the difficulty that governments all over the world are facing in their dealings with US digital conglomerates like Google and Facebook – including the computation of their tax obligations.
A 28-year-old man, Alex Mutungi Mutuku, and 11 others were in March last year arraigned in court for hacking and causing the KRA a loss of Sh3.9 billion but it was not clear whether the case is connected with the documents sought.
In Mr Mutuku’s case, prosecutors claimed that the hackers had used high tech equipment and software to steal from the KRA and that the police had managed to track the syndicate after it allegedly siphoned about Sh4 billion.
Mr Mutuku was charged alongside Calvin Otieno Ogalo, Albert Komen Kipkechem, David Ndung’u Wambugu, Lucy Katilo Wamwandu, Edward Kiprop Langat, Kenneth Opege Riaga, Omar Ibrahim, James Mwaniki Gakung’u, Gilbert Kiptala Kipkechem and Joseph Kirai Mwangi. They denied the charges.
The hacking is said to have happened between March 2015 and March 2017.
The Assets Recovery Agency (ARA) obtained court orders freezing the accounts of individuals charged with stealing the Sh3.9 billion from the KRA.
The taxman has not indicated in court documents whether the case is linked to the hacking at the centre of its feud with Google.
The dispute arose when investigating officer Mohammed Jillo attached to the Directorate of Criminal Investigations unit sought a warrant to investigate Google Kenya. The magistrate’s court granted the request on January 9.
Mr Jillo alleged that the email address firstname.lastname@example.org was used to access the KRA'
- (chars - 3230)
computer system and performed a task of an authorised officer, hence infringing on the information security of the agency.
He told the magistrate's court that the KRA’s information security was at stake because of the unauthorised access to its systems while seeking the warrant to investigate the said gmail account.
Everything was going well for investigators until Google Kenya informed them that it acts as a separate legal entity that merely handles marketing and sales and could therefore not accept service of court orders on behalf of Google Inc.
The investigation wanted to check information and documents relating to the gmail account used to hack the system in order to get the face behind the hacking.