Biometric data collection in Kenya risky

An edited version of this article was published in the Daily Nation on February 21, 2018.

I was buying a SIM card when the customer care agent asked me to pose for a photo. I asked why they wanted a photo of me as they had all my personal information including a scanned copy of my national identity card. He mumbled back that government required SIM card agents to take subscribers’ photos. Not convinced, I probed further on this new law but he could not elucidate the reasons. I later on discovered after reading the Kenya Information and Communications (Registration of SIM-cards) Regulations, 2015 that such a requirement doesn’t exist. The customer care agent either didn’t know the requirements, or lied to me about them.

 

This was not an isolated incident. Every day people give out their biometric data to both state and non-state agencies such as professional bodies, banks and even schools. Despite this mass data collection taking place for a while now, parts of the Kenyan citizenry have always expressed their reservations with the collection of biometric data.

 

During the first biometric voter registration in 2012, rumours were rife in the western Kenya region about how fingerprint scans would make it easy for chiefs to arrest petty village offenders. Joseph Kamaru’s rendition of the Mau Mau song Uhoro Uria Mwaiguire tells of a community mourning the incarceration of their war heroes who refused to have their fingerprints taken. This reservation and fear played out as recently as 2017, when some Mau Mau veterans raised concerns about biometric voter registration for fear of arrest over crimes they committed while fighting for independence. All these show a lingering historical concern about the use of technology, one that communicates how some feel about the collection and use of biometric data.

In addition, there is currently no data protection law stipulating how personal information like biometric data should be handled and processed by both private and state actors. In fact, the only place where biometrics have been mentioned in Kenyan law is in the Elections Act. According to this legislation, biometrics are unique identifiers or attributes including fingerprints, hand geometry, earlobe geometry, retina and iris patterns, voice waves, DNA, and signatures. Even the abandoned Data Protection Bill of 2013 only contained a mention of fingerprints and blood type which were to be categorised as personal information.

 

Motivation behind collection of data

Data collection is part of know-your-customer logic, serving efficiency, trust and security. But increasingly, data collection has in itself become the business model of most companies. Aggregated personal thoughts, habits, and social networks are as valuable as any other high-end market activity, a model wittily branded surveillance capitalism.

 

However, the collection and centralized storage of this highly sensitive and valuable data exposes these corporations to the risk of the data being misused at best and being stolen at worst. There are many reported cases of deliberate targeting of secure systems that hold sensitive data. This sensitive data is later sold on the black market to third parties who monetize it illegally, for instance through sale to fraudsters and through identity theft.

 

In jurisdictions with data protection laws, the general privacy principle for corporations handling consumer data is that data obtained for one purpose shall not be used for any other purpose. This rule has general exceptions, such as when the information is public, when the data subject has given consent, and when public interest applies. However, Kenya has no data protection law, which leaves personal information such as biometric data at the mercy of the corporations that collect it. Security breaches and data losses are reported regularly in the US and Europe, but in Kenya there is no requirement for public or private sector entities to disclose such occurrences. Thus we don’t even know the risks that we face.

 

For example, during the 2017 general elections, many voters received targeted campaign text messages that were rather too intrusive. The texts had the name of the voter and the exact constituency where they were registered as a voter. How politicians received access to the voter register and the voters’ cell-phone numbers remains a mystery to date. But it also shows us how vulnerable we are after subscribing to services where personal information is required and could be shared with others without our knowledge.

 

One way we can push for accountability is by asking our newly elected parliamentarians to breathe life into Article 31 of the Constitution by legislating a data protection law. We are in dire need of a data protection law that gives us, the data subjects, more say on how our personal information is collected and used by data processors. Daniel J Solove argued in his book ‘Conceptualizing Privacy’ that privacy ‘involves more than avoiding disclosure; it also involves the individual’s ability to ensure that personal information is used for the purposes she desires’.

 

Other than just the law, there is a need for a legal obligation on data processors to be transparent about what data they are collecting, how it will be used and who it will be shared with. This obligation can be based on the tort and crime of misuse of personal information. It will force data processors, such as public and private entities, to take data protection more seriously while protecting the data subject’s right to privacy. While many argue that they have nothing to hide, they should always remember that they have something to protect. Next time you think of buying a SIM card, remember that you will probably be asked for more personal information than is required and that there is no law governing the use of that information.

Strengths and weaknesses of Cybercrimes Bill

A revised version of this article was published in the Business Daily newspaper on the 21st of September 2017.

The question of how prepared Kenya is to deal with cybercrimes can no
longer be wished away. Cybercrimes not only cause damage but also
leave their victims embarrassed. Hence, not many incidents are
reported by the victims. To address this issue, the Leader of Majority
Hon. Aden Duale sponsored the Computer and Cybercrimes Bill in June
2017. It is a major improvement on the two cybercrime bills that
were published by the Senate and the National Assembly last year.

The objectives of the draft act are to protect the confidentiality and
integrity of computer systems, programs and data while preventing the
unlawful use of computer systems. The proposed law is also meant to
facilitate the investigation and prosecution of cybercrimes and
facilitate international co-operation on cross-border cybercrime
matters.

Part two of the bill covers various offences in cyberspace. As
expected, hacking offences feature prominently in this part. Hacking
offences are those where the security measures of a computer system
are bypassed and unauthorised access, interference and interception
take place. To complement the anti-hacking sections, the possession
and use of tools that can be used to hack, for the primary purpose of
committing a crime, is going to be outlawed. Sharing of passwords with
unauthorised persons to grant them unauthorised access, interference
and interception is also going to be a crime when the bill becomes
law.

A major positive in the bill is the set of provisions meant to protect
critical infrastructure. This includes public utilities (electricity,
water), public transportation, communications infrastructure, banking
and financial services among many others. This protection is crucial
because the economy can really suffer in the event of an unplanned
interruption such as a mobile money outage. Safaricom recorded losses
earlier in the year when their systems went down countrywide.

Reports of Al-Shabaab destroying telecommunication masts show us that
foreign foes target critical infrastructure. From the Stuxnet attack
on the Iranian nuclear program, it is clear that there is a looming
threat of cyber-attacks on our critical infrastructure. The draft law
has a provision on how to deal with a resident who aids a foreigner in
cyber-espionage and other attacks on critical infrastructure.

Fake News
The draft law intends to outlaw false publications. The motivation
behind this is definitely to curb the fake news menace that has become
a major issue. While the idea is welcome, there is the fear that the
provision goes beyond the limits on the right to freedom of
expression as contained in the constitution. A better approach would
perhaps have been to set a test to check the damage caused by the fake
news. The danger of such a damage test is that it makes the offence
similar to the old crime of criminal defamation. In the landmark
Jackline Okuttah case, the High Court declared the crime of criminal
defamation to be unconstitutional.

Children’s rights find their way into this draft law with a provision
cracking the whip on online child pornography. This provision together
with the provision on cyber stalking and bullying will help save lives
of many internet users who meet human predators online. Computer
forgery and fraud are also going to be crimes once the bill becomes
law and this will help the many who get scammed online. The bill also
contains provisions on confiscation of proceeds of cybercrime and
compensation of victims, which is a major plus considering this is
criminal law.

The vague
A conspicuous section of the draft law proposes a punishment for
offences under any other law committed through the use of a computer
system. The openness of this provision makes it vague and open to
abuse, the way section 29 of the Kenya Information and Communication
Act 1998 was. The KICA provision was declared unconstitutional in 2016
by Mumbi Ngugi J in the case of Geoffrey Andare.

The investigation procedures acknowledge the need for a warrant prior
to an investigation, and the exceptions are based on the Criminal
Procedure Code. Security agents with warrants will lawfully be able to
ask service providers to give out data and access to consumer computer
systems. The draft law protects the service provider from any
liability.

The last part contains provisions on extradition and cooperation with
foreign nations in investigation and trial of cyber criminals. This is
a plus considering the cross border nature of cybercrimes.

The bill is clearer, well intentioned and covers many of the issues to
do with cybercrime. With public participation and stakeholders’ input,
it will be a laudable cybercrimes law.

Fake news: The battle for clicks

It is no secret that technology has disrupted the media industry. In the past few years, media houses have downscaled operations, leading to many job losses, and have also changed their approach and joined the muddy battle for clicks. Every media house now has an online news blog even though the quality of news that they post leaves a lot to be desired.

In this new age, media houses do not just compete amongst themselves but also against blogs for traffic. As they say, all is fair in love and war. In this war, a huge number of blogs have resorted to posting sensational news so as to get views. This is because higher site views equal higher ad revenue from online advertisers.

But fake news had not been an issue until the recent US Presidential election, when its impact was seen. Whether it has the potential to destroy a candidate or make him, politicians are keener on social media now than before. One may say that it is because of its preference for finances (adverts) over news that mainstream media is now losing its credibility. This has created an opportunity for random blogs that rush to update readers with the latest unbiased news. Unfortunately, this news is usually biased. Social media is set up such that the algorithms feed a user with ‘more of what they want’, hence denying them a chance to access divergent opinions and material posted on the network.

Suggestions have been made the world over on the ideal remedy for this menace, but in democracies it is hard because it goes against the principles of free speech. The Canadian Supreme Court, in a case striking down a false news provision of law, held that the provision was contrary to the constitutional freedom of expression.

“The reality is that when the matter is one on which the majority of the public has settled views, opinions may, for all practical purposes, be treated as an expression of a ‘false fact’,” the Learned Justices of the Court said.

In Kenya, the law limits the right to freedom of expression to the extent that one is not allowed to spread propaganda for war, incite people to violence, engage in hate speech or advocate ethnic hate. These limitations also apply to the media according to Article 34. The same constitutional provision also provides for the establishment of the Media Council of Kenya.

One of the roles the drafters of the Constitution envisioned this body to play is setting media standards while regulating and monitoring compliance with them. It is with these powers, which are expounded on in the Media Act, that the Council accredits journalists while requiring them to follow the Code of Conduct for the Practice of Journalism. While the standards on accuracy, integrity and accountability apply to journalists, these standards do not apply to bloggers.

Hence they cannot be held to have breached the Code when they post fake news online. From the angle of defamation laws, some of these stories are not defamatory. Neither do they constitute a breach of Article 33(2). Examples are the many speeches attributed to Presidents Robert Mugabe and Donald Trump about Kenyans and corruption. If they were to be counter-checked against the elements of defamation, they would fail. The statement might be false but not damaging per se, hence not warranting a suit for damages.

Some of the sites are not even within the Kenyan jurisdiction and no claim of damage may be sustained against them.

Keeping in mind that this year is an election year in Kenya, the impact of sensational stories laced with ethnic chauvinism is a major concern to all. The Communications Authority of Kenya is already threatening an Internet shutdown in the event people spew hate online. Recently, an ‘international’ propaganda website full of fake news on a Kenyan politician was exposed. The writer, who hid under the name David Field, was discovered to be a Kenyan techie. Even though it did not contain hate, the rise of such sites is a genuine cause for alarm.

Solutions that have been fronted include presentation of scientific evidence and engaging in reasoned arguments. However, society as a whole finds academics unpalatable and overrated. Evgeny Morozov’s solution, however, is the most reasonable. In his article, Moral panic over fake news hides the real enemy – the digital giants, he writes that the only way we can deal with click-baiting fake news is by making online advertising less central in our lives, especially at work and in communication.

While people may shun traditional media because of its links to politicians and corporations, they forget that the Internet companies they run to still act the same way. Perhaps the day we finally deny social media and search engines the clout they have in problem solving in all sectors including our politics is the day we will be free from the hazards of fake news online.

Should we really regulate tech?

An edited version of this article was first published in Nairobi Business Monthly, October 2016.

Lady Justice Mumbi Ngugi of the High Court of Kenya declared, in May, section 29 (b) of the Kenya Information and Communication Act unconstitutional. This provision of law was found to be vague by the learned judge. Geoffrey Andare, a web developer who was charged under that Section in 2015 successfully challenged its constitutionality and the charges against him were dropped. This was the case for other bloggers who had been arrested for the offense this year.

Fast-forward to July and a Bill whose purpose is to regulate ICT practitioners surfaced. Its vagueness is stupefying to the extent that it may appear like there must be a vague law that touches on ICT at any given time.

Laws are not created to be aspirational documents and it is unfair to everyone including lawmakers to engage in acts of futility. This is why understanding the subject matter of a law is important. Information and communication technology is not only complex but also disruptive. It is a wave, which has destroyed careers at the same rate that it has created them.

The proposed law in Section 2 states the definition of ICT, which ropes in all the possible uses of the technology including collecting, storing, processing, using and sending out of information. The definition includes the use of computers, mobile apparatus or any telecommunication system in the aforementioned activities. Further in the same Section, ICT practice is defined as practice of ICT for a fee or gain either in kind or cash, while a practitioner is an individual who will be registered under the law to practice. From those definitions, pretty much everyone in this digital age becomes an ICT practitioner. Why? We use computers at the work place – practice for gain. Doctors use computerized machines for diagnosis – practice for gain. Use your phone to place a bet for a soccer match – practice for gain. The Bill ropes in everyone who uses technology and it raises various jurisprudential questions. What mischief does it seek to remedy by regulating use of ICT by everyone?

Section 6 of the Bill provides for an institute and states its functions, which are already being executed by the Ministry of Information and Communication Technology and the Kenya ICT Authority. Global market forces also play a big role in enforcing some of these functions, such as ensuring high standards amongst persons who engage in ICT practice. In our current digital world, enterprises compete globally. That is evidenced by the heavy use of social media and email servers that are not locally owned. Hence purporting to enforce standards for ICT nationally while the market is forcing us to catch up with the rest of the world will be jocose.

The institute in the proposed legislation will engage in protecting, assisting and educating Kenyans on matters to do with the profession of ICT. While the protection aspect of that function can be supported by Article 46 of the Constitution, existing government bodies such as the Communications Authority of Kenya already have consumer protection regulations to execute that role. Other protection mechanisms exist in the market, where information spreads as fast as digital media, forcing those who engage in ICT practice to prioritise user experience and consumer needs. The ICT Authority has been engaging in education activities on ICT, which renders the institute’s proposed function redundant.

On the proposed function of approving courses and administering examinations, it may be argued that the institute intends to create uniformity in terms of qualifications like lawyers and accountants have. This function leads to the next one, which is the registration and licensing of ICT practitioners, who according to Section 15 must have a degree and three years of experience. These requirements show a clear lack of understanding as to how the ICT industry works. Bill Gates, Steve Jobs, Mark Zuckerberg and many other prolific innovators in the ICT world have no university degrees to their names but they have changed the world. Had they been Kenyan at this time, they would not be allowed to engage in the practice of ICT. The ICT labour market tends to pick the brilliant innovators who can do the job rather than individuals with papers. That is why it has been able to grow so fast: it is open to everyone who has something to offer. Placing restrictions based on academic qualification will outright amount to stifling innovation because even school-going children are now coding and making applications.

The Bill also states that the proposed institute will act as an arbitrator in any disputes between a licensed ICT Practitioner and a client. This proposal seems to be off, considering we have Chartered Arbitrators in the country and law courts. From recent history of the industry, disputes seem to be between those who engage in the practice of ICT with the example of the dispute between the brains behind Angani Cloud. The institute would have been better placed addressing such disputes because they affect the growth of the ICT industry. It would also have proposed to promote the industry internationally rather than itself though almost all listed functions are and can be executed by the existing bodies.

Sections 20 and 23 of the Bill are a noose on the necks of many currently in the industry, since they insist on one having a license and prohibit those who won’t have it from recovering fees for ICT services. In our current corporate world, companies have invested in social media managers who handle their social media. No course in school teaches this, yet it is a service that is so crucial to today’s business where digital presence is key. The people hired for these jobs fall under the scope of this Bill by virtue of engaging in ICT practice for gain. So will the enactment of this law spell doom for these people who engage in ICT practice in a field that is not taught in any school? Will it be illegal to be a blogger or have a YouTube channel? What about those who work for international tech companies remotely? Will this proposed law apply to them?

Lon Fuller, in his book The Morality of Law, writes about King Rex, who promulgated a law that required his subjects to appear before the throne within ten seconds of being summoned. His subjects responded by sending him a leaflet which read, “To command what cannot be done is not to make law; it is to unmake law, for a command that cannot be obeyed serves no end but confusion, fear and chaos.”

To criminalise the use of a computer or mobile phone for gain is not to make law. It is to unmake law. It is forcing our Silicon Savannah to drink hemlock. It is to command that which cannot be obeyed, enforced and even investigated, which is causing confusion, fear and chaos. The brains behind the Bill should really reconsider their stand and if possible, withdraw the Bill. If not, they should engage stakeholders. The Cabinet Secretary in charge is on record claiming that the Bill did not come from his Ministry and experts have found its provisions contradictory to the National Information & Communications Technology (ICT) Policy of 2016. As we embark on the journey of achieving Vision 2030, it is important for all of us to be on the same page so as to work together. For it is in our best interest as people that we progress together.