Biometric data collection in Kenya risky

An edited version of this article was published in the  Daily Nation on February 21, 2018.

I was buying a sim card when the customer care agent asked me to pose for a photo. I asked why they wanted a photo of me as they had all my personal information including a scanned copy of my national identity card. He mumbled back that government required SIM Card agents to take subscriber’s photos. Not convinced, I probed further on this new law but he could not elucidate the reasons. I later on discovered after reading the Kenya Information and Communications (Registration of SlM-cards) Regulations, 2015 that such a requirement doesn’t exist. The customer care agent either didn’t know the requirements, or lied to me about them.

 

This was not an isolated incident. Every day people give out their biometric data to both state and non-state agencies such as professional bodies, banks and even schools. Despite this mass data collection taking place for a while now, parts of the Kenyan citizenry have always expressed their reservations with the collection of biometric data.

 

During the first biometric voter registration in 2012, rumours were rife in western Kenya region on how fingerprint scans would make it easy for chiefs to arrest petty village offenders. Joseph Kamaru’s rendition of Mau Mau’s song Uhoro Uria Mwaiguire tells of a community mourning the incarceration of their war heros who refused to have their fingerprints taken. This reservation and fear played out recently in 2017 when some Mau Mau veterans raised concerns around biometric voter registration for fear of arrest over crimes they did while fighting for independence. All these show a lingering historical concern on the use of technology that communicates how some feel about the collection and use of biometric data.

In addition, there is currently no data protection law stipulating how personal information like biometric data should be handled and processed by both private and state actors. In fact, the only place where biometrics have been mentioned in Kenyan law is in the Elections Act. According to this legislation, biometrics are unique identifiers or attributes including fingerprints, hand geometry, earlobe geometry, retina and iris patterns, voice waves, DNA, and signatures. Even the abandoned Data Protection Bill of 2013 only contained a mention of fingerprints and blood type which were to be categorised as personal information.

 

Motivation behind collection of data

Data collection is part of know your customer logic, both for efficiency, trust and security. But increasingly, data collection has in itself become the business model of most companies. The value of personal aggregated personal thoughts, habits, and social networks are as valuable as any other high end market activities, witfully branded surveillance capitalism.

 

However, the collection and centralized storage of this highly sensitive and valuable data exposes these corporations to the risk of the data being misused at best and being stolen at worst. There are many reported cases of deliberate targeting of secure systems that hold sensitive data. These sensitive data is later sold to third parties in the black market who have illegal ways to monetize it such as by sale of data to fraudsters and identity theft.

 

In jurisdictions with data protection laws, the general privacy principle for corporations handling consumer data is that data obtained for one purpose shall not be used for any other purpose. This rule has general exceptions such as when the information is public, the data subject has given consent and public interest. However, Kenya has no data protection law which leaves personal information such as biometric data at the mercy of corporations that collect it. Security breaches and data loses are reported regularly in the US and Europe, but in Kenya there is no requirement for public or private sector entities to disclose such occurrences. Thus we don’t even know the risks that we face.

 

For example, during the 2017 general elections, many voters received targeted campaign texts messages that were rather too intrusive. The texts had the name of the voter and the exact constituency where they were registered as a voter. How politicians received access to the voter register and the voters cell-phone numbers remains a mystery to date. But it also shows us how vulnerable we are after subscribing for services where personal information is required, and could be shared with others without our knowledge.

 

One way we can push for accountability is by asking our newly elected parliamentarians to breathe life to Article 31 of the Constitution by legislating a data protection law. We are in dire need of a data protection law that give us, the data subjects, more say on how our personal information is collected and used by data processors. Daniel J Solove argued in his book ‘Conceptualizing Privacy’ that privacy ‘involves more than avoiding disclosure; it also involves the individual’s ability to ensure that personal information is used for the purposes she desires’.

 

Other than just the law, there is need for a legal obligation on data processors to be transparent about what data they are collecting, how will be used and who it will be shared with. This obligation can be based on the tort and crime of misuse of personal information. It will force data processors, such as public and private entities, to take data protection more seriously while protecting the data subject’s right to privacy. While many argue that they have nothing to hide, they should always remember that they have something to protect. Next time you think of buying a SIM Card, remember that you will probably be asked for more personal information than is required and that there is no law governing the use of that information.

Is Kenya Ready for Unique Identifiers? Part I

It is reported that some 1.6 million students have registered to sit for the Kenya Certificate of Primary Education (KCPE) and Kenya Certificate of Secondary Education (KCSE) examinations in October 2017. As always, preparations for these examinations involves stringent security measures to curb cheating. Beyond cheating, forgery of academic degree certificates and other official documents is also on the rise. To fight this vice, the government has put various measures in place, the latest being introducing a six- character Unique Personal Identifier (UPI). This UPI will be linked to an electronic database with the educational records of all individuals from primary school up to university level. Other than blocking exam cheats and fake certificate fraudsters, the UPI will also be used to curb the theft of public funds by eliminating ‘ghost’ teachers and inflated student enrollment figures.

To read the rest of the article, click here.

Big wins for freedom of expression

This article was first published in the Nairobi Law Monthly magazine June 2017 edition.

Freedom of Expression

When the Universal Declaration of Human Rights was being drafted over 50 years ago, no one could have foreseen the impact of some of its provisions on the future. Priority was world peace as the world was just healing from the Second World War.

Article 19 of the UDHR, which was later adopted by Kenya in its 2010 Constitution, provided for the right to freedom of expression, which includes “(a) freedom to seek, receive or impart information or ideas; (b) freedom of artistic creativity; and (c) academic freedom and freedom of scientific research.”

Article 19

Since, at the time of drafting this code, Kenya was still nursing the wounds from the 2007/2008 post-election violence, a limitation was imposed on this freedom as it did not extend to: “(a) propaganda for war; (b) incitement to violence; (c) hate speech;(d) advocacy of hatred…”

Kenyans who voted for the Constitution in the 2010 referendum wholly agreed upon these limitations. The effect of this was that colonial laws that had been used to oppress vocal citizens became unconstitutional. Although arrests still take place, one by one, these laws are being quashed after petitions to the High Court by arrested persons.

The criteria for limitations for this right was judicially reiterated in the case of Coalition for Reforms and Democracy vs. The Republic (2015) where the High Court held that limitations to freedom of expression must be on grounds which are permitted under Article 33 (2) and that the State has a duty to demonstrate that the limitation is justifiable, and that freedom of expression is not a right to be interfered with lightly.

KICA s29 case: Geoffrey Andare vs. Attorney General & Director of Public Prosecutions (2016)

The accused, Geoffrey Andare, was charged under Section 29 of the Kenya Information Communication Act with the offence of improper use of licensed telecommunication system. The particulars of the offence were that he, through his Facebook account, posted grossly offensive electronic mail with regard to the complainant, a Mr Titus Kuria, in which he stated, “You don’t have to sleep with the young vulnerable girls to award them

opportunities to go to school, that is so wrong! Shame on you,” knowing it to be false and with the intention of causing annoyance to the complainant.

Mr Andare approached the High Court in person with an urgent application seeking to stop his prosecution in the said criminal case. The Court held that the provisions of Section 29 were so vague, broad and uncertain that individuals wouldn’t know the parameters within which their communication falls. Therefore it would offend the rule requiring certainty in legislation that creates criminal offences.

Section 29 imposed a limitation on the freedom of expression in vague, imprecise and undefined terms that go outside the scope of the limitations allowed under Article 33 (2) of the Constitution. Hence, section 29 of the Kenya Information and Communication Act was found to be unconstitutional for violating Article 33 of the Constitution.

Criminal Defamation case: Jacqueline Okuta & Another vs. Attorney General & 2 others [2017]

Defamation is usually a civil matter but in Kenya, it used to be a criminal offence under Section 194 of the Penal Code. In the case of Jacqueline Okuta & another vs. Attorney General & 2 Others [2017], the first petitioners had been charged with the offence of criminal defamation under Section 194 as read with Section 36 of the Penal Code.

The particulars of the charges against the petitioners were that they used Facebook to publish words with intent to defame one Cecil Miller. The petitioners submitted that Section 194 of the Penal Code violated the right to freedom of expression beyond the orbit of limitations permitted by the constitution under Article 33 (2) (d).

The High Court agreed with this assertion and reiterated that freedom of expression is secured under Article 33 of the Constitution. It also emphasised that any limitation must fall within the scope and ambit of the provisions of Article 24 of the Constitution. It found that criminal defamation couldn’t be reasonably justified in a democratic society as it offends the right to freedom of expression. Criminal sanctions on speech ought to be reserved for the most serious cases particularised under Article 33 (2) (a)- (d) where the Constitution aims at protecting public interest and peace.

The Robert Alai case, Petition 174 of 2016

This recent win comes from a judgement before Justice Enoch Chacha Mwita of the Constitutional and Human Rights Division, who declared Section 132 of the Penal Code to be unconstitutional. This section had criminalised undermining the authority of public office.
The petitioner in this case, Robert Alai had been charged under the offense for criticising the Head of State, President Uhuru Kenyatta. The offence carried a prison term of three years for those found guilty of the offence.

The High Court found the provision to have an unjustifiable limitation to freedom of expression, especially for an open and democratic society such as Kenya. It was therefore found inconsistent with Article 33(2) of the Constitution.

Screen shots, consumer protection and online (in)justice

This article was first published in the Nairobi Business Monthly December 2016

Web presence is a requirement in modern business. It is hard to trust a business entity which you cannot Google. How else will you know about the previous customers’ feedback?
Trending online can really boost sales and businesses strive to trend for all the right reasons. The biggest nightmare is trending online negatively. The people online are more courageous and unforgiving due to their presumed anonymity.

A lot of customer service is done on social media platforms. Service providers and their customers prefer this since it is convenient. This can be said to be in line with consumer protection right under Article 46 of the Constitution. This exercise can be said to be enabled by the exercise of the right of freedom of expression and the right to information.

Other than customer care, people have used online platforms to push for proper governance and to ask for accountability. People have even pressured public officers into doing their duty like in the Koffi Olomide incident where the musician kicked his dancer at the airport and the pressure on social media forced government officials to take action and the musician was deported.

Screenshot Era

Online forums are sharing platforms. Media files in the form of videos and photos circulate by the minute. Since the Internet has revolutionized communication, a lot of it is done online. Smartphones now can have over three messaging applications for users. These phones enable users to take screenshots and users have developed a habit of sharing screenshots of their communications with others.

In 2015, screenshots of ‘Brother Ocholla’ circulated all over the Internet. ‘Brother Ocholla’ had apparently sent a rather inappropriate text to his prayer group on WhatsApp forum and a member leaked a screenshot. The screenshot trended on social media for a while with people making fun of the situation that ‘Brother Ocholla’ was in.

All too recently, a customer care agent of a telecommunication company contacted a customer whom he had served. The customer wasn’t too amused by his deeds and not only told him off by sharing the screenshot of the brief chat with the world. As a result, the young customer care agent lost his job since his employer had to show that it is doing something concerning the alleged privacy breach.

According to Kenya’s Evidence law, screenshots are admissible in a court of law. Section 106B of the Evidence Act states that any information contained in an electronic record shall be deemed to be a document, hence admissible. This is subject to several statutory conditions though.

The general rule is that whatever is posted online is not subject to privacy laws. This was the position in the US case of Palmieri v. United States. In this case, the American court found that if an individual discloses information to their Facebook friends, they have potentially disclosed it to the entire world. The petitioner had shared information with a friend on Facebook and the friend shared the information with the US government.

The court, in its analysis stated that from the moment the petitioner, Palmieri, disclosed information to his Facebook friends, they were free to use it as they wished. Because of this, he could not claim that his rights to privacy have been breached. And the same principle applies to anyone who sends an email or even writes a letter; they lose any expectation of privacy once it is delivered.

While we have a right to free speech, sometimes sharing screenshots can amount to a breach of the right to privacy. People ought to be careful not to expose too much information about others arbitrarily. If the image contains sensitive information, blur it. It is not yet law, but it is good practice. A suspected pedophile recently boasted of his misdeeds on social media. The young man even posted the child’s picture on his timeline.

Due to rage, people online shared the screen shot while calling for his arrest. In the process, they breached the minor’s rights as a victim of alleged defilement.

Similarly, the lady who complained online about the customer care agent’s privacy breach ought to have at least blurred the young man’s contacts before sharing the information online. Though she was enraged, the maxim states that he who goes to equity must do equity. The young man still had a right to be heard before any decision was made under application of the maxim audi alteram partem.

According to the Kenya Data Protection Bill, personal information or data includes contact details including telephone numbers of the person. This provision puts contacts at the same ambient as health records which we all agree is sensitive information. Hence it is safe to say that the lady had a prima facie case, but her mode of handling it leaves a lot to be desired. Social media is not even a genuine court of public opinion since it usually depends on the opinions of the influencers. The loudest in terms of traffic win even if they are wrong.

It would have been better to publish that information after inaction from the service provider after reporting it. A best-case scenario is the online reporting by Karimi Mwari who shared her experience with rogue Dakika Sacco matatu crew online after reporting the matter to the authorities. Action was taken and the culprits were apprehended.

Experience has shown us not to place absolute trust on the people in these online platforms. This is a lesson Peter Kenneth and Hillary Clinton know all too well. It applies to other situations too, such as seeking justice. It is advisable to follow due processes before sharing it because once it is out it is out.

Let them cry not in the Range Rover

This article was first published on Nairobi Business Monthly November 2016

Many apply foundation to hide black eyes. Others don shades to hide red eyes. Others fell on the stairs while others just ignore the whole vibe when it is brought up. Author Yvonne Adhiambo Owuor wrote in her book Dust (2013) about the four languages of Kenya: English, Kiswahili, Memory and Silence. We have embraced the former too quick. We refuse to talk about the ghosts that roam in our midst. The words accept and move on are engraved in our hearts. More will die and it will go unreported because of our selective outrage.

Gory images of chopped hands were all over digital media. The outrage was as instant as the middle class knack for tweeting and we saw some action being taken. Same script when musician Koffi Olomide kicked a dancer at the airport. The chap was arrested and deported without being tried, but the message was sent. You cannot assault a woman in public in our world of digital media.

But what about the world where people don’t really care about taking videos? What about that part of Kenya where the chief and pastors have to quell fires amongst couples day in day out? Should official action be a result of digital outrage? Can’t we just develop norms where women, primary victims in gender-based violence, are respected?

Kenya has really good laws that address this vice. The Constitution, Article 28 recognizes a person’s right to dignity and Article 29, recognizes the right not to be subjected to any form of violence from either public or private sources. The Penal Code’s Chapter 26 is on assault, which is basically used in charging perpetrators of gender-based violence.

However, these laws don’t seem to do much in terms of addressing gender based violence. There are two scenarios of this vice: Domestic violence and gender based violence at the work place. The latter is almost never reported because of fear of victimization and unemployment. So a lot of abuse goes unreported and even where there are out in the open, the victims are in too much fear that they apologise for provoking the boss. We saw this play out well when Koffi Olomide’s dancer recorded a video together with the singer to defend his action.

Few years ago, Alassane BA of Shelta Afrique was accused of assaulting staff, Karen Kandie. Upon his arrest, he invoked diplomatic immunity and the court held that he could not be tried in Kenya. This was among the few cases of gender-based violence at the work place that got reported. Unfortunately, Ms Kandie did not get justice.

When it comes to domestic violence, the challenge is that they are majorly crimes of passion.  A common scenario during trial processes of perpetrators is where the complainant withdraws charges so as to secure the release of the accused due to various reasons. In some cases, the perpetrator might be the sole breadwinner and their stay in remand is not doing the family any good. Or maybe the victim has been coerced by the perpetrators relatives to forgive him.  Or in cases where the accused was able to secure their release after paying cash bail, the complainant and accused who most likely still live together will attend court then go back to the same house, or even bed.

In 2015, the Protection against Domestic Violence Act was enacted to provide for the protection and relief of victims of domestic violence. The drafters of law seem to have understood the challenge of prosecuting domestic violence from the protection clauses the Act contains. The act seems to have picked the geist of the Criminal Procedure Code Section 176, which promotes reconciliation in cases of common assault.

The Act is elaborate in its definition of violence and a relationship, which is meant to clear all ambiguities during interpretation. It also obligates the Police Service to have protection mechanisms for victims of the violence. Hence there is no shortage of laws to address this vice.

The silver bullet seems to be in society developing norms where women are respected and protected, where women are viewed and treated as human beings with dignity and not property. Norms where reconciliation between parties in a case of domestic violence is done with the best interests of the victim and not family image.

To get a lasting solution to this vice, religious and community leaders must come together so as to avoid creating conflicting norms. In the recent case of Jackline Mwende, the lady who lost both hands, she narrated how her religious leader encouraged her to stay in the marriage. The vow ‘Till death do us apart’ does not include death induced by one of the partners in the marriage. Hence in their teachings, religious leaders must come out strongly against this vice while working together with security agencies in creating effective protection mechanisms.

We should strongly condemn gender-based violence and unite to eradicate an environment where the vice thrives. While silence is golden, in this case it is a poison that is killing us slowly. Creating an environment where people can speak out should be our priority.
“Of pain you could wish only one thing: that it should stop. Nothing in the world was so bad as physical pain. In the face of pain there are no heroes.” – George Orwell

Why the taxman should keep off our wallets

CXUdXDJW8AECupG

This article was first published on Nairobi Business Monthly August 2016.

It is true that two things are certain, taxes and death. It is also true that we are in the information technology age where technology is becoming a major part of our lives day after day. The effect is that we now have new mediums of conducting business. We have virtual lives, virtual businesses and even virtual wallets.

It is common knowledge that a third of what is always collected by the Kenya Revenue Authority is never accounted for. The efforts of sealing this loophole never see the light of day. The taxman however, is always keen on increasing tax so as to meet targets. This year he has gone after the small-scale farmers. He also wants to snoop into every individual’s bank account and mobile money account with the aim of catching tax cheats.

He wants to profile individuals using the confidential financial data. He intends on legitimizing his deeds in the Finance Bill 2016, which is still top secret yet it raises serious human rights concerns.

Lest we forget, Thomas Hobbes in his book the Leviathan writes on how man left the state of nature so as to form the commonwealth. In our case, the commonwealth is the state, a creation of man. The state did not form man, hence man reserves the right to self-determination. If we are to carry on with the Hobbesian theory, man surrendered his absolute rights so as to co-exist with others. His rights are inherent, not granted by the state, just recognized by it. This means rights like the right to privacy, a conscience and opinion on how affairs of the state should be run are not gifts but entitlements.

All this is asserted in the Constitution of Kenya whose preamble starts with the words; “We, the people of Kenya…” The first article of the Constitution carries on with this tempo by expressly stating that:

“All sovereign power belongs to the people of Kenya and shall be exercised only in accordance with this Constitution.”

On matters to do with finance, the grundnorm as Hans Kelsen calls the supreme law; in Article 201 states the principles of public finance. The first principle of public finance is that there shall be openness and accountability. The law was drafted to include the requirement of public participation so as to achieve this objective.

The supreme law also states in Article 31 that every individual has the right to privacy. This right includes the right not to have information relating to their private affairs unnecessarily required and revealed. It also protects the privacy of an individual’s communications since they are easily infringed in this technological era. Other than the grundnorm, the other laws that protect a person’s right to privacy are laws that regulate the telecommunications industry. This industry birthed mobile money services and the law prohibits the industry service providers from sharing confidential consumer information it collects with third parties.

With the security challenges that we face as a nation, the government has pushed for enactment of laws that limit certain rights. These laws have clauses with procedures on how confidential information in the custody of a service provider can be acquired by third parties (read governmental bodies). This procedure includes the relevant governmental bodies getting a court order to compel the service provider to release the information. The taxman desires to circumvent this procedure using the secretive Finance bill 2016.

Not the first time

The right to privacy has for a long time been under threat. It is not the first time state agencies have attempted to claw it. In 2014, the Security Laws Amendment Act was passed. In it were amendments to Section 36 of the NIS Act, which required the need of court order by the agency to access personal information. These provisions were challenged in court and were found unconstitutional in early 2015.

While so much effort is being put to claw the right to privacy, legal mechanisms that ought to be in place to protect it are not there. There has been reluctance by relevant state bodies to enact the Data Protection Bill of 2013 into law. Yet it would have played a big role in regulating the information technology industry, which is ever evolving. Every day, new innovations come with new legal challenges and the law is playing catch up.

In India, the taxman is now profiling people according to their Facebook posts. Woe unto you if you are in the business of selling impressions, for you will pay what they think you need to pay and not what you should actually pay as tax. With our ambitious Kenyan taxman, snooping into people’s mobile money accounts will catch so many ‘tax cheats’, from students who receive monies from parents to people in the rural areas who always receive money from the urban areas. The taxman is likely to create an unfair tax system that will rope in many illegible persons from the profiling he intends to do.

If people are not willing to be open with their spouses on matters to do with finances, what about the state? This push for access of personal information is not only in bad faith but also likely to be open to abuse.  We should pick a lesson from the old Arab fable of the camel nose. If the camel gets his nose in the tent, his body will soon follow. Allowing a little breach will allow more breaches to take place in the future by other bodies. And our Constitution will be nothing but an aspirational document just like its Chapter 6.

The word ’burden’ is used in the constitution to describe the duty of paying taxes. This burden ought to be shared fairly. This contribution to the national bourse further gives us the right to determine the direction that our nation takes. Be it in how we want to be governed or whether we agree to KRA using our data to create individual profiles, Article 255 gives us that right of determination through a referendum. Instead of burdening citizens with taxes, state agencies that deal with finances need to look at how it deals with the issue of graft, which bleeds our public coffers.