Why data privacy is under siege from all corners

The sky was scudded with clouds promising heavy rains. AbdulAziz Salim walked fast along Kimathi Street, Nairobi, to his car to avoid the impending rains and also so that he could drive to South C before the rush hour. But three men, who had apparently been following him approached him from behind, and suddenly he felt a hand grip his.

“My phone rang and as I put my hand in the pocket to get it, one of them put his leg across mine and they pushed me to the ground and then I was handcuffed,” Mr Salim said, adding that the three verbally identified themselves as police officers.

With a tone that hinted amusement, Mr Salim said, the ‘police officers’ who had hunkered over his helpless self, told him that they had tracked his phone and realised that he had been in constant communication with one of the Al-Shabaab terrorists on the most wanted list in Kenya.

“I was shocked and as they lifted me from the ground, I sought in vain to find out from them if indeed they were police officers, but they just dragged me wading through a curious crowd that was already forming.

“They bundled me into a car and across the street and then drove off with sirens to the Nairobi County Police Headquarters, where I was interrogated. I was shocked to find out that one of the police officers actually had a print out of all my phone data. Everything that I had done with my phone for the last six months,” he said.

Mr Salim was arraigned in court and tasked to explain how well he knew one of the terror suspects killed during the Dusit D2 attack that left 21 people dead.

“I later came to realise that I had made a call to one of the suspects one day as I inquired about a car he had been selling on an online platform,” he said.

“After I called him, he actually made several calls to me asking me when I would meet him so that I could see the car.”

Yet all this drama that befell Mr Salim is well grounded in the law. The Prevention of Terrorism Act (2012) grants extensive powers to state authorities to limit fundamental freedoms and encroach on the right to privacy through surveillance. Article 35 of the Act states that the rights and fundamental freedoms of a person or entity to whom this Act applies may be limited.

“Limitation of a right or fundamental freedom shall apply only for the purposes of ensuring the investigations of a terrorist act the detection and prevention of a terrorist act; or that the enjoyment of the rights and fundamental freedoms by an individual does not prejudice the rights and fundamental freedom of others,” the law states.

Intercept communication

The Security Laws (Amendment) Act (2014) states in article 69, which is an amendment of the Prevention of Terrorism Act, that The National Security Organs may intercept communication for the purposes of detecting, deterring and disrupting terrorism in accordance with procedures to be prescribed by the Cabinet Secretary.

“The right to privacy under Article 31 of the Constitution shall be limited under this section for the purpose of intercepting communication directly relevant in the detecting, deterring and disrupting terrorism,” it says.

Kenyan and international civil society groups have however raised concerns over high levels of extrajudicial surveillance by those who work in the security forces.

Just recently, a police officer attached to Kilgoris Police Station in Narok County allegedly shot his wife dead after he obtained information from her phone showing that she had been communicating with another man.

Friends and colleagues alleged that Constable Solomon Muchui requested call data for his wife Eunice Kerubo from a colleague who works for a mobile service provider.

Just last year, the government initiated a programme that requires commercial banks to actively snoop on accounts of millions of Kenyans in order to flag and report on suspicious activities linked to financial crimes.

The banks were required to create a special database of people referred to as ‘Politically Exposed Persons (PEPs)’ as well as their relatives and close business associates and report to the security agencies, any changes in the patterns of the persons’ transactions.

Recently, the Human Rights Organization Privacy International recently raised concerns that the Kenya government had been obtaining too much private data from its citizens, some of which it said, had been used by security forces to victimise innocent civilians.

Unsolicited messages

But it is not only government that accesses these data. Kenyans have been complaining about receiving texts from politicians during campaign periods, supermarkets and betting companies among others.

Although the Data Protection Bill, 2018 presented by chairperson of the Committee on Information, Communication and Technology - and Baringo County Senator, Gideon Moi contains provisions that will significantly change how public and private entities handle information entrusted to them, civilians are still concerned at just how much information about them is out there.

“You walk on the streets and CCTV cameras capture you, National Transport and Safety Authority (NTSA) has all the details about you and your car, a police officer can access information about you and your bank account at any time,” a security analyst Enoch Maina said.

“You go to a building and they take your name, ID number, car registration, phone number and record them in a book saying it is for security purposes. But really, these details are never really secured and we have seen them being used by conmen.”

The European Union last month passed the General Data Protection Regulation (GDPR) and Kenya could be the second country in East Africa after Rwanda to have legislation dedicated to data protection.

The GDPR has been hailed as the first step in checking the excesses of powerful technology firms that collect vast amounts of personal data from their users for commercial or competitive advantage.

Apart from cellphones and CCTVs, laptop web cameras, employee ID cards, credit cards, video game motion sensors, passports, medical insurance cards, smart TVs, smart refrigerators, microwaves and basically almost every electronic device that has access to the Internet transmits information about the user at any time even without permission.

Even as the security agencies invade on the public privacy, the Kenyans themselves have been voluntarily sharing personal details about them on Facebook, Twitter, Instagram, Google Location, Viber and others, broadcasting even their most private information to the world. This information could potentially be used to steal, blackmail or frame individuals.

“Most of us inadvertently give all information to the public through spaces like Facebook, without taking cognizance of the devastating effects that could cause. You have in your list of friends, people that unknown to you, you post pictures of your car number plate, your children’s schools, the house you live in, what you have in the house, your children’s faces and other information. If someone was to target you, you already made it very easy for them,” Mr Maina says.

Amendments

And even with all these widespread vulnerabilities, the government is in the process of making amendments to the Registration of Persons Act to allow collection of people’s personal information – including DNA samples, biometric data like fingerprints and retinal scans and GPS information about citizens.

Mercy Muendo, a lecturer in IT and the Law, Daystar University recently argued that the problem with the government having such details is that there is no specific legal framework to guarantee that personal sensitive data is protected and people’s privacy is not violated without cause.

“All of this information, and particularly unique markers like DNA and biometrics, must be properly safeguarded. If they’re not, there’s a risk this data can be used against its subject,” Ms Muendo wrote.

“This could happen through data being mishandled, or through investigators engaging in targeted profiling.”