Biometric data collection in Kenya risky

An edited version of this article was published in the  Daily Nation on February 21, 2018.

I was buying a sim card when the customer care agent asked me to pose for a photo. I asked why they wanted a photo of me as they had all my personal information including a scanned copy of my national identity card. He mumbled back that government required SIM Card agents to take subscriber’s photos. Not convinced, I probed further on this new law but he could not elucidate the reasons. I later on discovered after reading the Kenya Information and Communications (Registration of SlM-cards) Regulations, 2015 that such a requirement doesn’t exist. The customer care agent either didn’t know the requirements, or lied to me about them.

 

This was not an isolated incident. Every day people give out their biometric data to both state and non-state agencies such as professional bodies, banks and even schools. Despite this mass data collection taking place for a while now, parts of the Kenyan citizenry have always expressed their reservations with the collection of biometric data.

 

During the first biometric voter registration in 2012, rumours were rife in western Kenya region on how fingerprint scans would make it easy for chiefs to arrest petty village offenders. Joseph Kamaru’s rendition of Mau Mau’s song Uhoro Uria Mwaiguire tells of a community mourning the incarceration of their war heros who refused to have their fingerprints taken. This reservation and fear played out recently in 2017 when some Mau Mau veterans raised concerns around biometric voter registration for fear of arrest over crimes they did while fighting for independence. All these show a lingering historical concern on the use of technology that communicates how some feel about the collection and use of biometric data.

In addition, there is currently no data protection law stipulating how personal information like biometric data should be handled and processed by both private and state actors. In fact, the only place where biometrics have been mentioned in Kenyan law is in the Elections Act. According to this legislation, biometrics are unique identifiers or attributes including fingerprints, hand geometry, earlobe geometry, retina and iris patterns, voice waves, DNA, and signatures. Even the abandoned Data Protection Bill of 2013 only contained a mention of fingerprints and blood type which were to be categorised as personal information.

 

Motivation behind collection of data

Data collection is part of know your customer logic, both for efficiency, trust and security. But increasingly, data collection has in itself become the business model of most companies. The value of personal aggregated personal thoughts, habits, and social networks are as valuable as any other high end market activities, witfully branded surveillance capitalism.

 

However, the collection and centralized storage of this highly sensitive and valuable data exposes these corporations to the risk of the data being misused at best and being stolen at worst. There are many reported cases of deliberate targeting of secure systems that hold sensitive data. These sensitive data is later sold to third parties in the black market who have illegal ways to monetize it such as by sale of data to fraudsters and identity theft.

 

In jurisdictions with data protection laws, the general privacy principle for corporations handling consumer data is that data obtained for one purpose shall not be used for any other purpose. This rule has general exceptions such as when the information is public, the data subject has given consent and public interest. However, Kenya has no data protection law which leaves personal information such as biometric data at the mercy of corporations that collect it. Security breaches and data loses are reported regularly in the US and Europe, but in Kenya there is no requirement for public or private sector entities to disclose such occurrences. Thus we don’t even know the risks that we face.

 

For example, during the 2017 general elections, many voters received targeted campaign texts messages that were rather too intrusive. The texts had the name of the voter and the exact constituency where they were registered as a voter. How politicians received access to the voter register and the voters cell-phone numbers remains a mystery to date. But it also shows us how vulnerable we are after subscribing for services where personal information is required, and could be shared with others without our knowledge.

 

One way we can push for accountability is by asking our newly elected parliamentarians to breathe life to Article 31 of the Constitution by legislating a data protection law. We are in dire need of a data protection law that give us, the data subjects, more say on how our personal information is collected and used by data processors. Daniel J Solove argued in his book ‘Conceptualizing Privacy’ that privacy ‘involves more than avoiding disclosure; it also involves the individual’s ability to ensure that personal information is used for the purposes she desires’.

 

Other than just the law, there is need for a legal obligation on data processors to be transparent about what data they are collecting, how will be used and who it will be shared with. This obligation can be based on the tort and crime of misuse of personal information. It will force data processors, such as public and private entities, to take data protection more seriously while protecting the data subject’s right to privacy. While many argue that they have nothing to hide, they should always remember that they have something to protect. Next time you think of buying a SIM Card, remember that you will probably be asked for more personal information than is required and that there is no law governing the use of that information.

Quick Thoughts on Biometrics, General Elections and Security in Kenya

In 1927, Liberian opposition presidential candidate Thomas J Faulkner was confident of unseating the incumbent in the general elections. The Faulkner-led People’s Party had marshalled support from all corners of the country and across all classes of people. On Election Day, Faulkner received 9,000 votes in what was supposed to be a landslide win. In the end, Faulkner lost to the incumbent Charles D. B. King who received 243,000 votes in an election with only 15,000 registered voters! Charles D.B. King’s script has been replicated in many African states and in the year 2007, it was replicated in Kenya.

In 2007 General Elections, voting irregularities were the order of the day and the results were violently contested. Many lost their lives and hundreds of thousands had to flee from their homes. The international community mediation team led by former UN Secretary General Kofi Annan came and negotiated a power-sharing deal between the incumbent Mwai Kibaki and opposition candidate Raila Odinga thereby forming a national coalition government.

To read the rest of the article, click here.

Is the Kenyan legal system ready for the Big data industry?

This article was first published in the Business Daily newspaper on the 22nd of June 2017.

Source: Forbes

Thousands around the world have signed up to online platforms for different services such as email, social media and news. Due to the borderless nature of the internet, markets are unlimited and people from different jurisdictions can subscribe to these sites. Note that despite the universal access, internet borders exist to enable people to pay for stuff using their local currencies, to provide use of local languages to users and regulation purposes.

Silicon Valley giants tend to have the advantage of the ‘data-network effect’ which enables them use data collected from customers in exchange for ‘free’ services such as email and social media. They use this data to attract more customers who generate more data that is used in improving services which attracts more customers. Behind this phenomena is a lot of behavioral economics, big data analysis and ad targeting.

Most of these data usually comes from personal communication devices, hence within the ambit of privacy laws and regulations in the nations where they are registered. In jurisdictions like Kenya where there are no strict privacy laws, it is usually up to the service providers’ good will to vet what data they will use and what they cannot use.

While it may appear to be a win-win situation because people don’t pay for access to online platforms, a data subject ought to have more say in how their personal information is being used. Many internet corporates have turned their subscribers to data mines which raises many ethical and legal questions.

First, there is the constitutional right to privacy. This is enshrined in Article 31 of the Constitution which protects the privacy of ones communications from being infringed. The Data Protection Bill is for an act that will give effect to Article 31 while regulating the processing and use of personal data.

The European Union laws on the right to privacy are really strict and they give more power to the data subject on their data unlike the US laws which are lax. In March, the US Congress passed a resolution to roll back the Federal Communications Commission (FCC) privacy rules which would have required Internet Service Providers to get a customer’s express permission before selling “sensitive data” like their browsing history. These regulations would have given the data subject a stronger say over their data like in Europe but the Congress voted against it.

A perusal of the draft Kenyan data law shows that service providers will still have a lot discretion, pertaining the use of personal data as they will be required to only notify the data subject. It allows the sale of personal data if permitted by any other law. It would be great if individuals are legally empowered to allow their personal data to be used by service providers who collect it like in the EU region.

The challenge of such a provision is that people have “learned helplessness”, where no one cares to read the terms and conditions of the online services they subscribe to according to Alessandro Acquisti of Carnegie Mellon University. Hence there is a possibility that very few will exercise this right even when they are codified.

Secondly, data is “non-rivalrous” hence it can be copied and used by more than one entity at a time. This means that data can easily be used for other purposes than those agreed between the data subject and data controller (service provider). This has been the case in Kenya where people have raised complaints that they are receiving geographically targeted text messages from political aspirants. Such incidences are a definite breach of a data subject’s rights.

Thirdly, the Kenyan data protection bill has provisions for mandatory data sharing with government agencies. This not unheard of as nations such as Germany have laws that require insurers to jointly maintain data on issues such as car accidents that smaller firms cannot compile on their own. This data sharing is even part of the European Union’s new General Data Protection Regulation (GDPR), that will require online services to make it easy for data subjects to transfer their data to other service providers including competitors. However,

Regional legislation of cyber laws has worked for Europe who can boast of the right to be forgotten. For African countries, that may be the best approach since a united market has bigger bargaining power than individual states. There is a draft convention, the African Union Convention on Cyber-security and Personal Data Protection which contains regulations on data protection. If this draft is ratified, we can even demand that the some of servers of the biggest internet corporations be hosted within in the continent and prohibit transfer of personal data from outside Africa. China has draft regulations that require firms to store all “critical data” collected on servers based in the country. The United Kingdom Data Protection Act prohibits data controllers from transferring personal data outside the European Economic Area.

Consumers of online services need to remember that there is nothing like free lunch. Where the product is free, the product is probably you. Online corporations have become dependent on free data and they clearly have no interest in changing their deal with their users. Despite that, it is important that fundamental rights such as the right to privacy are protected.

Edited version of the article as published in the Business Daily

Screen shots, consumer protection and online (in)justice

This article was first published in the Nairobi Business Monthly December 2016

Web presence is a requirement in modern business. It is hard to trust a business entity which you cannot Google. How else will you know about the previous customers’ feedback?
Trending online can really boost sales and businesses strive to trend for all the right reasons. The biggest nightmare is trending online negatively. The people online are more courageous and unforgiving due to their presumed anonymity.

A lot of customer service is done on social media platforms. Service providers and their customers prefer this since it is convenient. This can be said to be in line with consumer protection right under Article 46 of the Constitution. This exercise can be said to be enabled by the exercise of the right of freedom of expression and the right to information.

Other than customer care, people have used online platforms to push for proper governance and to ask for accountability. People have even pressured public officers into doing their duty like in the Koffi Olomide incident where the musician kicked his dancer at the airport and the pressure on social media forced government officials to take action and the musician was deported.

Screenshot Era

Online forums are sharing platforms. Media files in the form of videos and photos circulate by the minute. Since the Internet has revolutionized communication, a lot of it is done online. Smartphones now can have over three messaging applications for users. These phones enable users to take screenshots and users have developed a habit of sharing screenshots of their communications with others.

In 2015, screenshots of ‘Brother Ocholla’ circulated all over the Internet. ‘Brother Ocholla’ had apparently sent a rather inappropriate text to his prayer group on WhatsApp forum and a member leaked a screenshot. The screenshot trended on social media for a while with people making fun of the situation that ‘Brother Ocholla’ was in.

All too recently, a customer care agent of a telecommunication company contacted a customer whom he had served. The customer wasn’t too amused by his deeds and not only told him off by sharing the screenshot of the brief chat with the world. As a result, the young customer care agent lost his job since his employer had to show that it is doing something concerning the alleged privacy breach.

According to Kenya’s Evidence law, screenshots are admissible in a court of law. Section 106B of the Evidence Act states that any information contained in an electronic record shall be deemed to be a document, hence admissible. This is subject to several statutory conditions though.

The general rule is that whatever is posted online is not subject to privacy laws. This was the position in the US case of Palmieri v. United States. In this case, the American court found that if an individual discloses information to their Facebook friends, they have potentially disclosed it to the entire world. The petitioner had shared information with a friend on Facebook and the friend shared the information with the US government.

The court, in its analysis stated that from the moment the petitioner, Palmieri, disclosed information to his Facebook friends, they were free to use it as they wished. Because of this, he could not claim that his rights to privacy have been breached. And the same principle applies to anyone who sends an email or even writes a letter; they lose any expectation of privacy once it is delivered.

While we have a right to free speech, sometimes sharing screenshots can amount to a breach of the right to privacy. People ought to be careful not to expose too much information about others arbitrarily. If the image contains sensitive information, blur it. It is not yet law, but it is good practice. A suspected pedophile recently boasted of his misdeeds on social media. The young man even posted the child’s picture on his timeline.

Due to rage, people online shared the screen shot while calling for his arrest. In the process, they breached the minor’s rights as a victim of alleged defilement.

Similarly, the lady who complained online about the customer care agent’s privacy breach ought to have at least blurred the young man’s contacts before sharing the information online. Though she was enraged, the maxim states that he who goes to equity must do equity. The young man still had a right to be heard before any decision was made under application of the maxim audi alteram partem.

According to the Kenya Data Protection Bill, personal information or data includes contact details including telephone numbers of the person. This provision puts contacts at the same ambient as health records which we all agree is sensitive information. Hence it is safe to say that the lady had a prima facie case, but her mode of handling it leaves a lot to be desired. Social media is not even a genuine court of public opinion since it usually depends on the opinions of the influencers. The loudest in terms of traffic win even if they are wrong.

It would have been better to publish that information after inaction from the service provider after reporting it. A best-case scenario is the online reporting by Karimi Mwari who shared her experience with rogue Dakika Sacco matatu crew online after reporting the matter to the authorities. Action was taken and the culprits were apprehended.

Experience has shown us not to place absolute trust on the people in these online platforms. This is a lesson Peter Kenneth and Hillary Clinton know all too well. It applies to other situations too, such as seeking justice. It is advisable to follow due processes before sharing it because once it is out it is out.

Consumer Privacy and data protection in E-commerce in Kenya

Cyber-Security-2

This article was first published on Nairobi Business Monthly April 2016.

We have recently watched the standoff between technology giant Apple and the US Department of Justice over an order from a Federal Magistrate in California. The Magistrate asked the company to help the FBI to get into Syed Rizwan Farook’s iPhone by disabling a security feature that is likely to lock investigators out if they made 10 unsuccessful tries to determine the correct password. The move by Apple had been applauded by privacy rights groups all over the world as a step into the right direction in their cause. Back in Kenya, though not really moved by those events, we are one of the top nations in m-commerce since our e-commerce is through our cell phones.

We never ever give much thought about the security of the personal data in our communication gadgets. No one pays attention to the sheets of paper written “terms and conditions” that they sign. All they want is services, to send and receive money.

When Samuel D. Warren and Louis D. Brandeis wrote The Right to Privacy for the Harvard Law Review, they did not know that many years later technology would have brought forth a risk to informational privacy. Currently, there is the ability to learn the most intimate things about a person and unprecedented access to information about people. Prior to their 1890 article, there was no legal mechanism to protect the breach of this right. They called for the protection of the person, and for securing to the individual the right ‘to be let alone.’

Erwin Chemerinsky in his 2006 article Rediscovering Brandeis Right to Privacy has argued that what Warren and Brandeis had in mind was informational privacy and not privacy in the sense of autonomy, abortion, among others. According to his interpretation, the two stated that a principle, which protects personal writings and any other productions of the intellect, is the right to privacy. They concurred that the law had no principle to formulate the extent of this protection to the personal appearance, sayings and to personal relations.

50 years later, in 1948, the drafters of the Universal Declaration of Human Rights recognised the right to privacy in Article 12. This right has been enshrined in various international human rights instruments other than the Universal Declaration of Human Rights.  As technology advanced so has the need for the law to be developed to keep up.

The right to privacy is inseparable from the right to personal data protection. Other than standing for “the right to be let alone” and “concealment of information” from others, privacy also has to do with the “control over information about ourselves”. The European Union has recognised that and the European Union Data Retention Directive intertwines interferences with the right to privacy along with the right to data protection.

The Kenyan Constitution, which was enacted in the year 2010, states in Article 31, “Every person has the right to privacy, which includes the right not to have information relating to their family or private affairs unnecessarily required or revealed and the privacy of their communications infringed.” The drafters of this clause must have had in mind the fact that in this age of the Internet and advanced telecommunications, corporates could access personal information without consent of the owner.

In the year 2013, the Data Protection Bill 2013 was drafted to give effect to Article 31(c) and (d). This can be said to be because most claims made whenever there is a breach of consumer data confidentiality; especially in jurisdictions where there are no laws on data protection, are made under breach of right to privacy.

How companies use consumer data

It is important to note that the more we advance in technology, the more we lose our grip on one fundamental human right that is crucial for our being. Every day, we give up key components of our right to privacy for the allure of being tech-savvy. Information and communication technology service providers like telecommunication companies, search engines; social media sites in the course of doing business collect data on their consumers.

They use this data to strategise and study their markets. They also use it to know the viability of their different business products.

The use of the collected data is not governed by any written law. These companies have the discretion to use the data in other commercial activities such as Targeted Online Advertising also known as Online behavioral advertising (“OBA”) where web companies engage collect information about your specific online activity (like WebPages you frequently visit) and use the information to show you advertisements and content that they believe might be of relevance to you.

While this might sound wrong, consumers actually agree to this in the terms and conditions when they sign-up and set up their online accounts with the different service providers. Hence, Internet companies are absolved of any blame when it comes to breach of the right to privacy.

A review of top service providers’ terms and conditions show that they claim that they have rights over the data they collect. Google’s Terms of Service state that by using their services, a consumer agrees that Google can use his or her data in accordance to their privacy policies. In their privacy policies, they indicate that they use the information they collect from all their services to provide, maintain, protect and improve them, to develop new ones, and to protect the company and their users. They also confess that they use the information to offer consumers tailored content like more relevant search results and adverts. Considering that consumers do not pay for these services, the collection and use of consumer data by companies like Google and Facebook can be justified.

Kenyan companies have not been left behind in the exploiting of consumer’s personal data. In the Terms and Conditions of the Okoa Stima Service clause 11, a consumer authorizes the service provider (Safaricom) to reveal, receive, record or utilize consumer data relating to their use of the service by merely registering for it. The terms also state that the service provider may reveal consumer data to a third party involved in the provision of the services including but not limited to Kenya Power; who is the sole electricity provider in Kenya, perhaps the only reason why a consumer registered for this service. It further states that it may reveal for reasonable commercial purposes connected to your use of the Services, such as marketing and research related activities.

How far can they go?

But questions always arise on how far is too far with the use of data collected from consumers and clients by these companies. In 2014, the Canada’s Privacy Commissioner found that Google Inc. had violated Canadian privacy law through targeted online advertising. This was after a man complained about adverts targeted to him based on a medical condition. He had searched for a device to help with his sleep apnea when he later noticed adverts for similar devices when he visited other websites. The adverts were delivered by Google’s AdSense service. The Interim Privacy Commissioner Chantal Bernier said that it is up to the organization collecting the data (in this case, Google) to identify what is sensitive information and ensure it is not used improperly.

This case brought up the debate on what is sensitive information that cannot be used by service providers. In Canada, the law allows an organization to collect personal information without consent of the individual but that section of the law has a claw back. The collection has to be in the interests of the individual especially where consent cannot be obtained in a timely way. That law gives further guidance on how the information can be used.

According to section 2 of the UK Data Protection Act 1998, sensitive personal data is personal data consisting of information on the racial and ethnic origin of the data subject, his political opinions, his religious beliefs or other beliefs of a similar nature, whether he is a member of a trade union, his physical or mental health or condition, his sexual life and the commission or alleged commission by him of any offence, the disposal of such proceedings or the sentence of any court in such proceedings. The Kenyan Bill on Data Protection has borrowed from the UK law verbatim but the process of enacting seems to have stopped.

The Bill has been criticized by experts as wanting in some crucial aspects. It has no provision for extraterritorial jurisdiction which is crucial considering the nature of the subject matter and advancement of technology. The bill also does not cover direct marketing yet it can be a serious breach of privacy and data protection rights. This is because a consumer’s contacts and personal activities are usually used to profile an individual. The Bill does not restrict the transfer of personal data to other third parties who may be in or outside Kenya. This tends to happen even when a company is sold and its assets are acquired by other entities during mergers and acquisitions.

The only source of protection to personal data seems to be the Kenya Information and Communications (Consumer Protection) Regulations Section 15, which is on confidentiality.

This section prohibits service providers from monitoring and disclosing the content of any information transmitted through their licensed systems by intercepting communications and related data. It also prohibits service providers from selling personal information without the consent of the consumer. Section 17 of that law prohibits unsolicited communications, which is usual with marketers.

The country is in dire need for a data protection law that will regulate the handling of consumer personal data. The proposed Bill should be passed with relevant changes that will protect consumers from data mining activities that are likely to happen. The proposal in the Bill to have the Commission on Administrative Justice to act on breach of data protection laws can be said to be a step in the right direction since the Commission has offices in all Huduma Centres, hence very accessible to members of the public.