When brokers of data descend

Wednesday, July 21st, 2021 00:00 |
How to become an ethical hacker. Photo/Courtesy

From receiving campaign messages to being registered to political parties without their consent, Kenyans are up in arms about the security of their data, highlighting fear of impersonation and fraud.

Adalla Allan @Adalla_Allan

Weeks to the Kiambaa constituency and Muguga ward by-elections, voters came out to complain that they received texts and calls from election campaign managers and candidates asking for votes.

Their concern was how these callers got their contacts, raising attention to data safety and security.

It is not strange to receive unsolicited texts and calls from mobile loans companies, betting companies, offers from supermarkets among others. 

Mugambi Laibuta, a privacy and data protection expert and a member of the Data Protection Commission reveals that data brokers are to blame for such texts.

These are individuals or companies that collect personal information about individuals and sell it to other individuals, companies or even the government, who in turn use it for commercial, political, surveillance or social purposes. 

Data brokers collect personal information including name, age, sex, phone number, email address, location, interests that help them learn the user’s purchasing behaviours.

Common leaks

“Data brokers have mastered the art of scrapping personal data from social media sites, mobile money agents, sign sheets used at security points when accessing buildings, loyalty cards, health facilities and public records.

They may also access census data, voter registration information, motor vehicle records, collect or purchase data from credit card providers and retailers.

Some personal information is collected from online data leaks that have now become common,” he says. 

The data brokerage industry is currently unregulated. However, the Data Protection Act, recently published for public participation, says it will be mandatory for businesses that are in direct marketing to register with the Office of the Data Protection Commissioner, and in making an application for registration, these companies will be required to provide information on the description of personal data they will be collecting, from whom they will collect this data, the purpose of collecting and persons or institutions with whom they will disclose or share any personal data collected.

However, Laibuta says that the office of the Data Protection Commissioner cannot be fully operational.

Data Act

“We have the Data Protection Act since November 2019 through the Data Protection Commission, but the regulations are yet to be put in place.

The government only allocates Sh50 million, meaning that this office will struggle to carry out its mandates.

Further, it is this office that answers to the cabinet secretary for Information and Communication Technology (ICT) under the Data Protection Act.

It comes with reports about data protection and gets funded by the  ICT ministry, which clearly shows it is not independent,” he adds. 

Laibuta advises data brokers to stop using personal data for direct marketing without consent of data subjects. 

“It is just a matter of time before the Office of the Data Protection Commissioner starts issuing administrative fines to persons and institutions that don’t comply with the Data Protection Act.

Article 31 of the Constitution already provided for the right to privacy, which includes the right not to have one’s information relating to their private affairs required or revealed or one’s communication privacy infringed,” he explains. 

It is no the first time Kenyans on a large scale are complaining about  data breaches.

About a month ago, many Kenyans woke up to find their names registered to different political parties on the e-Citizen portal without their consent. 

They termed it an infringement of the right to privacy and needed answers from the registrar’s office. 

Although the registrar of political parties was quick to defend the validation of party membership,  Laibuta says the statement  was vague and that public litigation is required to ensure data protection rights are upheld. 

Laibuta states that a section of Kenyans is also concerned about data they shared on the Huduma Number registration which the government didn’t tell its clear intentions on its registration. 

Breached rights

“The government should tell its citizens the other functions of Huduma Number other than registration.

Most Kenyans were reluctant to register due to the uncertainty of how their private data will be protected. 

“They fear that their data will be used for financial purposes. If you have seen the Kiambaa constituency and Muguga ward residents grumbling about how their contacts were obtained by campaigners, this means the right of privacy is breached.

Through this, there will be a rise in cases of impersonation, cyber security and banking fraud unless the correct data protection policies are set,”  he says. 

In 2020, the High Court halted the Huduma Number registration process, with judges saying the availability of extensive personal data on a click of a button would put Kenyans at risk if data was misused.

It also said it was unconstitutional to collect individuals’ DNA and residential GPS.

Vivian Eyase, an advocate of the high court asserts that the data protection safeguards set as stated in the Huduma Number Bill, 2019 may not be sufficient. 

“There should be maximum confidentiality to ensure data is used for a specific purpose. There should also be a restriction on data sharing.

The Bill states that a data officer will be designated to be in charge of compliance with the data protection Act. Are they (data officers) enough to do this?” she questions. 

More on Science Tech & Innovation