
Why Kenya Facebook WiFi hotspots raise eyebrows


Facebook CEO Mark Zuckerberg testifies during a US House Committee on Energy and Commerce hearing over Facebook’s data breaches in Washington, DC, last week. PHOTO | AFP

US social media giant Facebook has confirmed it is collecting extra levels of personal information in Kenya, across both Facebook and non-Facebook users, from access points for the Express WiFi service, now in place in more than 20 towns across the country in 1,000 hotspots. 

This is despite the fact that the data collection and transmission is unlicensed, with the Communications Authority of Kenya (CA) confirming that it has never been informed of the direct data gathering, which represents a potential breach of Kenyan regulations. 

However, the new equipment and software have massively extended the amount of data that Facebook is gathering in Kenya at a time when the US corporation is being investigated by multiple agencies, including the UK parliament and US Senate, for allowing data firm Cambridge Analytica and others to collect personal data on more than 87 million people via its platform.

The data breaches have driven a rising scandal following claims by Cambridge Analytica that it used the data to influence US and Kenyan elections. 

It is, however, the revelation that Facebook is collecting personal data directly from Kenyan WiFi access points that is new and worrying — representing as it were a new and larger access to data than has yet been reported anywhere else in the world. 

Under the Facebook WiFi Express partnerships, Facebook has supplied the access points, at a cost of around $450 each including installation, for locally registered and operated ISPs. 

In a statement issued last week in response to the Business Daily’s exposé on the local software changes that Facebook demanded from the access point manufacturers, Facebook confirmed that it had added ‘functionality’ to the WiFi access points, and that the hotspots are now delivering non-Facebook data directly to Facebook. 

The social media firm, however, vigorously denied that it is ‘mining’ this direct data flow to achieve further insights into Kenyan consumers. 

Instead, sources close to Facebook claim, it is collecting the additional data to improve the customer experience for its partners’ services, by examining traffic usage to ensure that the hotspots are working well.


Normally, the internet service provider (ISP), which is Internet Solutions Kenya, formerly known as Access Kenya, and its associated partner, Surf Kenya, would monitor for service quality. 

The adapted access points are also collecting customers’ names and phone numbers. But sources close to Facebook explain that collecting these in the adapted access points, rather than, as is normal, on the local ISP’s central servers, is making accounting easier for the local ISPs than it is for the rest of the world’s WiFi hotspots.

Across both interventions, Facebook has been unable to provide details of the full scope of the additional data being sent to the corporation.

It has also been unable to explain its decision not to open the software amendments to any normal process of peer review, where they are tested and analysed by software experts. 

Yet as legislators around the world continue to investigate Facebook’s data use and data controls, the company’s personal data practices have been further scandalised by the leak of an internal memo stating that it takes anything that gives it deeper insights into personal data as positive.

“The ugly truth is that we believe in connecting people so deeply that anything that allows us to connect more people more often is ‘de facto’ good…That’s why all the work we do in growth is justified. All the questionable contact importing practices. All the subtle language..”

This is the backdrop against which the data Facebook is receiving from initiatives such as Kenya’s WiFi is considered deeply sensitive, as it shows what people are doing online, tracking every website they visit, and typically giving access to any unencrypted data they are sharing online.

The data is known as ‘metadata’ and constitutes a log of all online activity through the hotspot. 

Such data is normally only accessible by the ISPs themselves, who must ensure it is kept private or risk losing their licences to operate.

The only third parties that may access the data, by law, are government and security services, on the serving of a court order.

Yet, in achieving the sending of metadata as a direct feed to Facebook from the WiFi access points, Facebook has secured the transmission of Kenyan data to a foreign corporation without a court order, and without the data movement being subject to Kenyan data regulations. 

The CA says its licensing regulations “guarantee privacy and confidentiality of consumers and prohibit unauthorised use of apparatus, which is capable of recording, silently monitoring, or intruding into consumer’s communications,” the exact thing that is happening with WiFi Express.

That Facebook is not an ISP, but has merely provided the access points that it has adapted to monitor the hotspots, means it has not been licensed to collect data in the manner it has been doing and is therefore basically operating outside the purview of Kenyan laws.

In securing this novel monitoring tool and direct data feed to the US, Facebook did, however, hit objections from the world’s leading access point manufacturers, who initially refused to make the hotspot software amendments that Facebook needed to create the third-party data feed.

Facebook was subsequently able to secure the changes through the strong links between its local ISP partner and an alternative access point manufacturer that agreed to its demands.