Security agencies in Kenya have an unlimited access to all your mobile phone communication, a new investigation has confirmed. The probe by United Kingdom’s think-tank Privacy Internationalrevealed the National Intelligence Service (NIS) has direct access to the country’s telecommunications network and can even bypass mobile service providers to access your data.
This means the NIS is able to track and intercept information on virtually any device belonging to anyone on the country’s communications network in real time. The think-tank terms this surveillance as blatant violation of users’ privacy rights with the information gathered often abused by the security agencies.
“The NIS intercepts both communication content and acquires call data records without warrants to gather intelligence and prevent crime; and police agencies acquire communications data with warrants to prepare criminal cases,” explained the report in part.
As such, mobile service providers are reportedly forced to comply and are at times threatened that their licenses will be revoked if they do not hand over users’ data. “Telecommunications operators end up handing over their customers’ data because they largely feel they cannot decline agencies’ requests, in part due to the vagueness in the law and accompanying telecommunication industry regulations,” the report adds.
Digital privacy treaties
The report quotes several statements between Communication Authority of Kenya (CA) officials, Safaricom employees and NIS agents corroborating each other providing a comprehensive account of the surveillance operation. One of the alarming allegations states that up to 10 NIS officials currently occupy one floor at Safaricom’s Waiyaki Way headquarters.
“NIS agents are also informally present in the telecommunication operators’ facilities, apparently undercover,” states the report in part. “They provide information to all police branches.”
Both Safaricom and the CA have denied these allegations but ICT experts have criticised the acquisition of digital surveillance equipment by the authority as unconstitutional and in violation of international treaties safeguarding digital privacy.
Article 31 (d) of the Constitution enshrines the right to privacy of all Kenyans including; the right to have one’s person, home or property searched, their possessions seized, information relating to their family or private affairs unnecessarily required or revealed or the privacy of their communications infringed.
Further, the mass surveillance is in violation of the UN resolution 68/167 passed in December 2013 by 67 member states. The declaration reaffirms the human right to privacy and protects the privacy of one’s family, home or communication from undue interference.
The report dubbed Track, Trace, Kill; Inside Communication Surveillance and Counterterrorism in Kenya, contains first-hand accounts from current serving NIS, general police and military serviceofficials.
This is the third time in as many months the top state regulator is facing a storm over claims of surveillance on mobile and internet users.
In January, CA faced a backlash following revelation it had acquired more than Sh2 billion worth of surveillance equipment to monitor online and offline communication networks during this year’s election. The CA stated that the surveillance equipment was obtained in a move to fight hate speech online and thwart violence as experienced after the December 2007 General Election.
And last month, the High Court stopped the planned installation of the Device Management System (DMS) that the authority was seeking to install with the cooperation of mobile service providers. Mobile service providers led by Safaricom and the Consumer Federation of Kenya, CoFEK opposed the move stating the DMS has the potential to gather and record user data infringing on users’ right to privacy.
The CA denied the reports stating the DMS was a benign database meant to identify and block out unauthorised devices in real time. “We have held meetings over the implementation of this device with the telcos since early last year and agreed the system is important and they know it’s just a database so I am surprised by this reaction,” CA Director General Francis Wangusi exclaimed in a live news briefing called to address the controversy last month.
According to a source inside the CA, mobile service providers have not kept their end of the bargain in a deal hatched in 2010 to blacklist counterfeit devices from the country’s mobile phonenetworks. “The simple reason is commercial interests,” explained the source who declined to be named because he is not authorised to speak on the matter. “These phones are calling, sending texts and using data and this is a revenue stream telcos are reluctant to kill.”
On it’s part, Safaricom has stated it only provides information as required by courts in the administration of justice and upon receipt of relevant court orders. “At present, all customer information at Safaricom is kept under strict provisions as stated within our license as well as six specific laws that contain laws and regulations to govern how authorities may intercept communication and obtain access to communication data,” stated Safaricom in a letter responding to PI seen by the Standard.
Safaricom further stated that it worked with law enforcement agencies on several issues, including fraud management but denied setting up office space for the field officers. “We would like to state that we have no relationship with NIS...and we do not have any officers or other representatives of the NIS who are employed formally or informally at Safaricom,” said the firm in the letter.
Responding to online queries on the Kenya ICT Action Network KICTANet, Stephen Chege, Safaricom’s director of communications, last Wednesday said: “Our position is captured clearly in the annex of the report. With this and other similar reports the issue remains who you want to believe.”
Privacy International, however, states Kenya’s surveillance capacities do not yet appear to have reached the scale of massive automated collection and storage of call content and data. Unlike government mass surveillance programmes exposed in the US and the UK where authorities trawl telecommunication systems for data, PI says Kenya’s surveillance programme is more targeted.
Days after the Westgate terrorism attack in September 2013, The Standard on Sunday published details of a leaked NIS report stating there was prior intelligence of an impending Al Shabaab terrorism attack several months prior to the raid.