The acquisition of a snooping device by the telecoms sector regulator, the CA, has sparked an industry storm that is expected to persist in coming months as the country goes to the polls.
The device, which can collect text, voice and identity data from devices is facing strong opposition from consumer rights protection groups and mobile phone operators fearing a possible slowdown in the take-up of their services as consumers move to safer channels of communication.
It has emerged that the Communications Authority of Kenya (CA) has quietly installed and is testing a Device Management System (DMS), which rides on mobile networks to remotely identify electronic devices and their users as well as collect voice and text data.
The CA has, however, insisted that the device will only identify and ban counterfeit, stolen or illegal mobile devices from being used on local networks.
Telecoms market-leader Safaricom and a consumer lobby have, however, raised concern that the DMS could be used as a backdoor to gain access to sensitive customer data – exposing telecoms operators to legal risks.
“We are aware that the Communications Authority intends to implement a monitoring system, whose objectives include getting access to customer information…. All operators (and here I believe I speak for the industry) are not in favour of any third-party system that would have access to confidential customer information,” said Safaricom corporate affairs director Steven Chege.
Mr Chege, who was answering questions on the Kenya ICT Action Network, an online industry forum, said Safaricom had communicated to the regulator its “strong reservations” on the system.
Airtel Kenya, Kenya’s second largest telecoms operator, declined to “discuss” the monitoring system, but had said in earlier tweets that it was in talks with the regulator on how to operate it “without infringing on the consumers’ rights.”
Telkom Kenya, the third operator, said it has its own system to track mobile devices and that its acceptance of the DMS would depend on ongoing negotiations with the regulator.
“The proposal is still under discussion with the MNOs (mobile network operators) on among other issues, whether its implementation will infringe on customer privacy; the pushback from the MNOs is essentially on any design that will infringe on this privacy,” the company said in a statement.
The CA invited bids for the DMS last year and indicated that the technology would be connected to the networks of Kenya’s mobile operators. The system is expected to build a database of all active mobile devices in Kenya.
It can identify the devices by their International Mobile Equipment Identity (IMEI) number, a unique 15-digit identifier that is given to mobile phones in the factory.
The system also comes with the capability to identify devices that are in use, but are not type-approved. SIM Boxes, devices that facilitate illegal termination of international traffic in Kenya, will also be targeted.
Kenyans, who import phones and fail to register them with customs agencies, will also be on the spot as the system will identify the devices. Once the data is collected, subscribers will be asked to authenticate illegal devices or have them blocked from network use in Kenya.
“All mobile operators will be required to connect to the DMS and ensure that blacklisted devices do not access their services,” the CA said in a statement.
Data collected from the system will be shared with various government agencies, including the Kenya Revenue Authority (KRA), the Kenya Bureau of Standards (Kebs), the police and the Anti-Counterfeit Agency.
The plan is to establish an internet-based user interface that will enable the agencies to simultaneously view the information.
The Consumer Federation of Kenya (Cofek), a lobby group, reckoned that even if the DMS does not intercept text messages or calls, the wide sharing of the data would still infringe on the privacy of consumers.
“In simple terms there is a possibility that you can collect all information. The tool gives you the ability… this technology is able to collect everything from call logs to text messages,” said Cofek secretary-general Stephen Mutoro.
A Kenyan firm, Broadband Communications won the Sh207 million tender to supply and install the device and is working with Invigo Off-Shore Sal, a Lebanese company.
The CA has, however, denied claims of spying arguing that the DMS has no access to certain subscriber information and that the monitoring system will be an upgrade of existing modes of identifying and blocking counterfeit devices.
There are also concerns that the CA did not adequately consult stakeholders and the Kenyan public as required by law.
“If it is nothing more than what they say, they (CA) should let the public inspect the system. We can’t take their word for it because privacy issues are very critical,” said Ali Hussein, who heads a local technology consultancy.
“We must strive for balance between security and privacy… We need to be told how data will be collected and for what purposes so that we can consent,” said Dr Bitange Ndemo, a University of Nairobi lecturer and former Information permanent secretary.