Monday 20 May 2019

If you are a Kenyan citizen, your private data is not safe

If you are a Kenyan citizen, your private data is not safe

A man looks into the camera as an official collects data as part of the 2017 general elections voter registration exercise in Nairobi, Kenya on January 16, 2017 [File:Thomas Mukoya/Reuters]
A man looks into the camera as an official collects data as part of the 2017 general elections voter registration exercise in Nairobi, Kenya on January 16, 2017 [File:Thomas Mukoya/Reuters]
One of the most surreal moments of the August 2017 Supreme Court hearing on Kenya's presidential election, an event that would culminate in the unprecedented rejection of the results announced by the electoral commission, happened on its first day.
Lawyers for the opposition demanded that the servers containing data for the 19.2 million registered voters in Kenya be opened and checked for electoral fraud. Lawyers for the electoral commission insisted that it could not be done because the servers were in France.
Millions of Kenyan citizens' biometric data was collected over an extended period of time in preparation for the highly contested 2017 vote. However, when the data was most needed, at the point when it was necessary to verify the results announced by the electoral commission, it was unavailable. Apparently, a private foreign entity, a French firm known as OT Safran Morpho, owned the information and the government struggled to get the corporation in question to make the information available on demand.
In February 2019, Kenya is gearing up to launch another massive citizen data collection drive called "the Huduma Number". Over a 30-day period, the government will compel citizens in a number of counties to register their biometric details, other identity numbers and their physical address to receive a new number to be used as "a unique identifier".
Further digging reveals the government has done a deal with MasterCard to link the Huduma number to a prepaid card with chip and pin that will be used by citizens to pay for an array of government services.The government denies that the two initiatives are connected, but given similar initiatives in countries like Nigeria, there is credible fear that the initiatives will eventually be combined. Regardless, the Huduma programme will add yet another number and card to the litany of numbers and cards that Kenyans must wield to prove their Kenyan citizenship to their increasingly predatory state.
The Huduma card will join your ID, passport, driver's licence, birth certificate, National Social Security Fund card, National Hospital Insurance Fund card, Kenya Revenue Authority Tax PIN, etc.
Critically, the invitation to apply comes with a threat: Anyone who does not register will be denied government services.
There are many wrong and, indeed, dangerous elements to this initiative.
For one, forcing citizens to sign up for a financial product under the threat of denying them important government services isn't governance, it is blackmail. Kenya's constitution provides that all legislation must be subjected to public participation.
Therefore, it is prima facie unconstitutional for a government ministry to make a "roadside declaration": to create a new legislative hurdle for gaining an important citizenship document without allowing the public time to reflect and respond.
Yet, this ill-informed initiative was announced at a press conference and information about it was distributed on both traditional and social media: a roadside declaration with 21st-century tools. 
Secondly, Kenya still does not have a data protection law. That means that this massive data collection exercise - including facial recognition, fingerprints and other key citizen data - will be in place in the absence of any real legal oversight.
Remember the surrealism of Kenya's electoral servers, still owned by OT Safran Morpho, and apparently inaccessible from Kenya without interlocution by the French? There are currently no legal provisions, certainly none in the public domain, that prevent OT Morpho Safran from monetising data that Kenyans provided to enhance their democratic processes.
In my book, Digital Democracy, Analogue Politics, I call this "digital colonialism" - where a private corporation in one country is given political power over citizens of a second country for its own economic benefit.
The fact that Kenya's election database could not be made available on demand for what was arguably the most important legal process in the country's history is cause for major concern. Kenyan electoral data is now a product for digestion and monetisation in a legal domain beyond our control.
How free can a country be when citizen information that is central to government and governance is nothing more than a commercial product owned by a foreign corporation?
Significantly, the Kenyan government has not demonstrated that it can be trusted with Kenyans personal data.
report from Tactical Tech reveals the extent of abuse that occurred during the 2017 presidential election in the absence of a rigorous data protection law. Voter registers were available for sale and were publicly available through SMS and web, which allowed politicians to send unsolicited text messages and even make calls to voters.
Party lists collected by the various political parties also contained key private data and were not secured in any meaningful way. 
Outside the election, Privacy International has also reported on how mobile data from Kenyans is routinely handed over to the police and other security actors to facilitate other forms of human rights abuse, like extrajudicial executions or arbitrary arrest and detention.
Kenyans also routinely complain of their private mobile data being sold to third-party service providers without their consent. They often receive a barrage of unsolicited text messages and have to pay to unsubscribe from such premium services.
Women have also complained of being harassed by security guards to whom they must provide key contact details before accessing any public or private buildings.
As it stands, if you are Kenyan, your data is not secure or safe, especially not from a government that has routinely avoided creating a legal framework to at least give citizens some form of recourse when violations happen. This Huduma number is an ill-timed, ill-advised initiative that should be suspended until further public participation and consultation occur.
The views expressed in this article are the author's own and do not necessarily reflect Al Jazeera's editorial stance.


1 comment: