How your free personal data helps companies mint cash

Bright Mawudor
Bright Mawudor, head of cyber security services at Internet Solutions Kenya. FILE PHOTO | NMG 

It’s hardly 8.30am on a Thursday but dozens of people have already filled the waiting bay of an office in Ongata Rongai, Kajiado County. Mr Silas Jamakro (not official name), an ex-banker-turned-housing agent says there is nothing unusual about the numbers “since I prefer to handle all complaints first thing in the morning.”

The previous week, he too had called the Business Daily to complain about “the pesky firms and individuals swamping my phone with unsolicited promo messages.”

“I don’t know how they get my details but the messages whose senders seem to know my location also address me by name,” he said. A quick scroll through his text messages and an all familiar trend emerges. A beer maker is alerting him about its latest sales promotion and prize offers. A supermarket points him to a “dealz wazimu” that is just getting to its peak the weekend ahead, promising 50 percent discount on prices of electronics, clothes, furniture, mattresses, crockery, foodstuff and hygiene products.

A hospital wants him to show up with his wife (who, curiously is actually expecting a baby) for a pregnancy test fair the same weekend that a digital TV service provider has asked him to stay home and enjoy 100 percent bonus “plus fantastic rest if you pay subscription fees on time.”

“Some of these intrusive messages are unhelpful but majority speak to my needs as though the senders are with me all the times,” he said, displaying one of them promising a return-to-school discount on eye glasses. “Honestly, my daughter needs a pair. Also take a look at this other message from my bank which is asking me to buy a two-day insurance policy cover to protect my house as if they know I plan to leave property unattended next weekend!”


In the absence of data protection law in Kenya, anyone with an active smart phone, an e-mail or a social media account is familiar with Mr Jamakro’s dilemma.

Experts, while blaming mobile service providers for sharing clients’ data with third parties maintain a lot of personal information is also given out voluntarily by customers.

“We share lots of our personal information with mobile service providers and this gives them the privilege to profile us based on our expenditure behaviour,” says Mr Brian Mwau, team leader at Tribus-TSG, Centum Investment’s cyber security arm.

“Expenditure behaviour can be easily picked from our mobile money transfer, withdrawals and payments we make on daily basis.”

That means at any point in time, a third party who gets unauthorised access to your personal information can infer your spending behaviour without much struggle.

“For instance,” says Mr Mwau, “If they notice that most of your mobile money payments are made to a Pay-Bill number belonging to a bar, restaurant or a club social area they can then tell that you are an outgoing person.”

He says the third party can analyse specific time the payments take place and reference the findings to check whether football games are going on at that time, for instance, “and if yes, that qualifies one to be a potential gambler”.

“With such discrete profiling on people, the service providers then build up their dictionary of data, which they can sell. Service providers have been misusing the privilege since they don’t have the consent of sharing the harvested data without the knowledge of their clients,” notes Mr Mwau

He adds, “The next time you receive unsolicited promo messages from firms and sites you have not signed up for then know there is someone taking advantage of your personal information for financial gains.”

Other than what is leaked by mobile phone service providers, Kenyans easily share out personal information to obtain loyalty cards at retail outlets or when they participate in various sales promotion campaigns promising cash prizes.

Dr Bright Mawudor, head of cyber security services at Internet Solutions, a technology services provider for government and private sector entities, says “so much” personal details, including confidential aspects are already out there.

“A lot of personal data are readily available in places such as hospitals, hotels, learning institutions and banks. You also give out a lot of personal information when you subscribe to a service online or clink on links designed to collect personal information,” says Dr Mawudor.

The Digital Economy report published early this month by the United Nations Conference on Trade and Development also ranks Kenyans among the world’s easiest target of data miners as only 44 percent worry about security of private information shared online. This compares to a global average of 80 percent.

“If you search your name on the Internet, how many pictures of yourself, family, close associates and things that you own will you see on the results?” Poses Mr Mwau.

The 90 percent of Kenyans on social media platforms are always at the risk of identity theft because their carefree posts make it easy for online criminals to connect the dots.

Once they have the official name, they are able to Google-search a target’s images and create a cloned identity for purposes of soliciting favours or just to damage one’s reputation.