Surveillance in a legal vacuum: Kenya considers massive new spying system

Without warning, Kenyans learned last month that Safaricom, Kenya’s largest telecoms operator, had contracted with the government to provide a new communications and street-level surveillance system. The new system integrates 2,000 video surveillance cameras, video conferencing, digital radios, and a mapping system into a central command center.

Worryingly, this contract likely entails many forms of street-level surveillance including license plate readers, facial recognition technology, and real-time tracking across major cities like Nairobi and Mombasa.

The arrangement between Safaricom and President Uhuru Kenyatta’s government has come under scrutiny by the Kenyan Legislature, but only for its bidding process, not human rights concerns. Evidently, Safaricom was the only bidder for the contract, whereas some lawmakers would have preferred an open bidding process. The deal requires Safaricom to spend about 12 billion Kenyan Shillings (approximately 137 million USD) for the new system, which is meant to assist the Kenyan government in combating crime, and mimics a system in place in London.

Kenyan providers have violated user privacy in the past, and users have few legal options to seek remedy. The right to privacy of communications is guaranteed in the Kenyan Constitution, but Kenya lacks comprehensive data protection laws, so the government and Safaricom will be operating this powerful new surveillance network effectively without checks or balances.

Safaricom is 40% owned by Vodafone, the UK-based giant that issued a transparency report last week detailing surveillance laws in 29 countries, including Kenya. Per the report, various Kenyan laws compel the operator to provide information to the government and other foreign governments, but these laws do not outline how the data can or should be protected from abuse, such as transfer or sale to third parties without customer consent.

Little privacy for Kenyan users

It is not difficult to find examples of the kind of privacy abuse that can occur in this environment. A few years ago, a number of Kenyans were unknowingly registered with various Kenyan political parties without their consent using data obtained from Safaricom databases.

In another example, in 2013, a research report published by the Harvard School of Public Health in collaboration with Oxford University, detailed how researchers gathered the mobile phone location data of 15 million people in Kenya, seemingly without their consent. The data was used to build a picture of how travel within Kenya might contribute to malaria transmission.

Indeed, it’s hard to imagine that the researchers obtained explicit, affirmative, informed consent from half of the country’s mobile users to have their every move tracked. If true, obtaining location data without the target’s consent would likely constitute a violation of Article 31 of the 2010 Constitution of Kenya, which states: Every person has the right to privacy, which includes the right not to have …  (d) the privacy of their communications infringed.”

The Harvard report does not cite which telcos were involved in this study. However, given Safaricom’s 60% share of the approximately 30 million registered mobile phone users in Kenya, some of the 15 million Kenyans were likely Safaricom subscribers.

While the Kenyan internet is ranked as “free” by Freedom House, there has been evidence of Blue Coat Devices, capable of filtering, censorship, and surveillance, installed on netblocks associated with Hughes Network Systems, a satellite-based internet provider in the country. The new contract with Safaricom, threatens a further erosion of Kenyans’ privacy rights.

Way forward for the government

With this massive new surveillance contract, the Kenyan Government must take a number of steps immediately to ensure data protection of Kenyan mobile phone subscribers and respect of their human rights.

First, the Executive should adopt the Legislature’s recent recommendation to postpone installation. This project should only resume after a thorough human rights impact assessment (HRIA) is conducted by an independent human rights expert such as the Kenya National Human Rights and Equality Commission.

Second, the government should open a public consultation period and field comments from civil society and at-risk groups such as gender activists and internet users groups.

For its part, the Parliament must pass a strong data protection law. The 2010 Constitution of Kenya requires that the Parliament pass a data protection bill, but the draft law has yet to be voted upon, despite being ready for adoption. The bill should be passed quickly to ensure respect for human rights online.

Indeed, a strong data protection law couldn’t come at a more important time. In addition to proposing this new surveillance project with Safaricom, In July, the government will embark on a major data consolidation/collection project to assist in surveilling the Kenyan network in the name of stopping crime. However, without specific data protection laws the centralized database is open to abuse, data leakage, and unauthorized transfer and raises further questions about how the data will be collected, who will have access to the database(s), and how the data will be encrypted and protected.

Safaricom, too, must act quickly to protect the privacy rights of Kenyan citizens

Safaricom has recently stated that it will use an independent 4G network, apart from the commercial network, to link police communications and surveillance. The company must stick to this promise of using an independent network, so as to not disrupt or interfere with private communications.

Additionally, Safaricom must take action to ensure its network is not abused for unlawful purposes. For instance, Safaricom and other telcos and ISPs in Kenya should conduct a thorough human rights impact assessment (HRIA) through independent human rights experts. Based on these assessments, providers should reform their policies impacting user privacy and freedom of expression, and implement new measures to prevent rights abuses. These measures include: issuing regular transparency reports detailing government requests for user data; disclosing actions they take to respond to government requests; publishing relevant corporate policies; and meeting with civil society to review policies and implementation. Finally, to the extent possible under law, providers should reject government requests for direct access to their networks or for network shutdowns.

More policy guidance is available: The Access Telco Action Plan outlines ten steps every rights-respecting telco should take, and the Institute for Human Rights and Business issued a comprehensive Case Study on Safaricom’s efforts to combat hate speech in recent elections. IHRB’s Case Study also counsels Kenyan providers on how to adhere to the United Nations Guiding Principles on Business and Human Rights.

Conclusion

If there is a ‘silver lining’ to this new surveillance contract, it is that recently some of the Kenyan Members of Parliament have begun talking about privacy rights, many for the first time. This will hopefully facilitate greater public debate and make users more aware of their privacy rights online. Access looks forward to contributing to this public discussion. For now, we strongly urge the government and Safaricom to delay the planned project in order to ensure that there is more time to study its impact on the human rights of all Kenyans.