Nowhere to hide as technologies lift privacy curtain


Corporates’ privacy has not been spared as the line between office and personal data gets blurred. FILE PHOTO | NMG

Like many other Kenyans, Prof Bitange Ndemo, a former PS in the Ministry of ICT was excited about Black Panther, a film featuring Kenyan-Mexican actress Lupita Nyong’o.

And so, he took his wife to one of the city theatres to watch the film that cost Sh20 billion to make. Thrilled by the scene, his wife opted for selfies.

The following morning, Prof Ndemo’s friend send him the same photos registering his amusement of seeing him in goggles. It dawned on him that the photos that his wife took via phone had been backed up by Google Photos app and made public to his friends.

“What if she was not the one?” posed Mr Ndemo referring to the potential harm such an email could cause.

Under Google terms of service, when you upload, submit, store, send or receive content to or through its services, “you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works, communicate, publish, publicly perform, publicly display and distribute such content.”

With so many other technologies at play, the risk of giving away privacy has increased, leaving people with nowhere to hide.

Recently, the country was treated to a leaked phone conversation between Nairobi Governor Mike Sonko and Kiambu governor Ferdinand Waititu in which Sonko was accusing his counterpart of mixing friendship with work to break the law.

“You remember how we have traversed Nairobi together? We are still going to go far together,” Mr Waititu is heard pleading.

This, supposed to have been a conversation between two governors, is now in the public with questions still lingering over who could have recorded the call, why and whether he or she can be traced.

According to Prof Ndemo, also an associate professor at the University of Nairobi’s Business School, in the absence of data protection law, people’s privacy is so much exposed.

“(Mr) Sonko should have asked Waititu for a permission to publically use the recorded call. Otherwise that amounts to abuse of someone’s privacy,” he says.

By law, telcos may at given times be compelled to disclose details such as calls, emails, SMSs, data or other personal information. But this is for selected reasons like for fraud prevention or law enforcement.

But with advancements in technology, anyone can now use a smartphone to install recording applications for free and tape conversations. This means that recording, storing and sharing phone conversations is no longer a preserve of telcos.

Android play store commands 86.2 per cent of smartphone operating system market in the world, according to 2016 report by Garter. This means that majority of owners of smartphones in Kenya can record conversations, leaving the other party vulnerable to attacks.

Screenshot, an additional capability for many smartphones has meant that text messages, photos or any nature of communication can be copied and used for or against an individual.

This, added to the menace of hacking, pose additional threat on privacy. And corporates’ privacy has not been spared either as the line between office and personal data gets blurred.

Many workers now store and access company data on personal devices such as smartphones and laptops. In the end, work emails have easily landed in third parties’ hands in instances of lost devices.

And with rising allure for digital transactions privacy threats have emerged. According to a recent report by online marketplace Jumia, there are currently over 25 digital credit providers in Kenya.

According to a March 2018 report by Financial Sector Deepening Kenya (FSD- Kenya) over a third (35 per cent) of the digital borrowers have been on multiple applications looking for loans.

This has seen the entry of new digital lenders to compete with early entrants such as Commercial Bank of Africa, Equity, Kenya Commercial Bank, Branch and Tala Kenya as borrowers get attracted to relaxed conditions such as no need for collateral.

READ: Why EU's data privacy rules matter for Kenyan businesses

Mobile loan lenders rely on predictive analytics to grade a customer’s credit worthiness. Borrowers therefore have to give away private information such as bank account balances, mobile money balances, location, social media chats, SMSs and call logs in order to get loans.

But in the absence of laws on data protection, FSD warns that the entry of so many unregulated players who do not respond to any law or regulatory authority, could spell doom for safety of data.

“An oversight body should be designed to monitor this growing market segment,” says FSD.

In July, five financial sector regulators including the Central Bank of Kenya, warned the public to keep off unlicensed and unregulated financial services and products that are available on platforms such as the Google Play Store and Apple Store.

In the absence of an oversight body, gullible Kenyans may lose money and data in such digital arrangements, now being described as debt traps for many low end borrowers.

Kenya has been a leader in the adoption of mobile and digital payments, which unfortunately brings with it a growing risk of fraud, according to Fabien Delanaud, General Manager of Myriad Connect.

In their recent Kenya Financial Transaction Fraud study, the Paris-based technology firm with operations in Kenya said that 57 per cent of SMS, 73 per cent of phone calls, 17 per cent of social media and 19 per cent of emails were channels though which Kenyan consumers were targeted to be victims of financial service transaction fraud.

Yet many of the digital loan apps ask for permission to access SMS, phone calls and social media to complete their predictive analytics.

And for mobile money transfers, which Communication Authority of Kenya put at 663.7 million transactions valued at Sh1.87 trillion from 29 million users by end of March, the risk is not so far away.

Completing a mobile money transfer requires one to surrender details such as mobile number and identification number to agents.

Cases of some agents contacting clients for reasons other than the transactions have been reported.

The bits of personal information shared on different digital platforms have led to increased cases of social engineering, where a criminal puts together such information to impersonate.

Safaricom, which has been hit by SIM swap fraud involving some of its employees is now thinking of introducing finger biometrics to beat fraudsters.

“We vet people quite carefully. It is only that some come in clean then become corrupted,” Safaricom CEO Bob Collymore said

As the country mulls strict laws to govern data through the Data Protection Bill 2018, the headache for many companies is to ensure that all their staff are ethical. The bill proposes new rights for people to know how their data is used, and to decide whether it is shared or deleted by businesses.

But until then, Kenyans have already given out their data, making them prone to attacks.