How lack of data laws exposes Kenyans to fraud

Residents of Nakuru during public participation on Data Protection Bill, 2019. The bill was aimed at safeguarding personal data. [Mercy Kahenda, Standard]

Last week, this writer received a phone call from someone supposedly calling from the Safaricom customer care centre.

The caller addressed the writer by his full name and said his line had been registered twice and that they needed him to verify his registration details, failing which his line would be blocked.

The caller cleverly imitated the demeanor of a customer care agent and there were even voices of other “call centre agents” in the background on similar calls.

However, the phone number used to call was a personal line and the “customer care agent” grew defensive and aggressive when this writer asked for verification that they were indeed calling from Safaricom, and the line abruptly went dead.

A subsequent call to Safaricom’s helpline established that the caller was a fraudster who was after the customer’s PIN number to gain access to his M-Pesa account.

This is just one of numerous cases where fraudsters have obtained the personal data of Kenyans and attempted to use it to dupe unsuspecting users into divulging information that can be used to access their mobile money accounts.

In the past few years, Kenyans have grown accustomed to receiving unsolicited text messages from betting companies and supermarkets promoting their wares or prompting them to sign up for a service.

Recently, fraudsters have upgraded to making phone calls that can be difficult to distinguish from legitimate calls from service providers given the fact that the callers appear to have intimate details of their targets.

The lack of a data protection law and lethargy among policymakers and regulators in the ICT ministry have exposed Kenyans to extortion from fraudsters and exploitation of their personal data by both local and international service providers.

In the 2017 election, some officials of the Independent Electoral and Boundaries Commission (IEBC) sold the personal data of millions of voters, including names, phone numbers, and geographical locations to political aspirants.

The information was then used to spam users with campaign messages in the days running up to the elections.

Bright Mawudor, head of Cyber Security Services at Internet Security, says Kenyan companies and public agencies hold a lot of data on their consumers and that insiders are the biggest threat when it comes to data breaches.

“Most of the cybersecurity issues we have come across are caused by insiders,” says Dr Mawudor.

“You have a situation where former employees or those that are disgruntled collude with outsiders to leave systems exposed or install malware that allows Sh110 trillion lawsuit for allegedly violating the data privacy of millions of its consumers.

In the ongoing legal dispute filed at the High Court, a Safaricom subscriber accused the company of breaching the privacy of 11.5 million of its customers by exposing their sports betting history and biodata.

The applicant, Benedict Ndung’u, says he was approached by an individual who had in his possession the personal data of more than 11.5 million Safaricom subscribers.

“The data which the petitioner herein viewed personally was specific to gamblers who had used their Safaricom mobile numbers to gamble on various betting platforms registered in Kenya,” he says in his petition.

The data allegedly contained specific identifying details of subscribers including full names, their mobile phone numbers, gender, age, identity numbers, passport numbers as well as the amounts gambled.

Also included in the data was the make and type of device used by the subscriber as well as the location of the subscriber.

In a related case, two Safaricom employees have been charged with trying to obtain Sh300 million from the company by illegal means.

Simon Kinuthia and Brian Wamatu were accused of transferring privileged information on a subscriber from the company’s database and sharing it with an unauthorised person.

A new report by the United Nations Conference on Trade and Development (Unctad) says increasing digitisation by businesses, governments and individuals has created a data economy that is expanding at unprecedented speed.

“Global Internet Protocol (IP) traffic, a proxy for data flows, grew from about 100 gigabytes (GB) per day in 1992 to more than 45,000 GB per second in 2017,” says the report released last week.

“The world is only in the early days of the data-driven economy; by 2022 global IP traffic is projected to reach 150,700 GB per second, fuelled by more and more people coming online for the first time and by the expansion of the Internet of Things (IoT).”

However, much of this data and the profits accruing from it are concentrated in a handful of corporations, mainly in the US and China, raising concern that citizens in developing countries are losing out on both the resources and profits that accrue from the digital data they generate.

Unctad Secretary General Mukhisa Kituyi was in Nairobi last week where he reiterated that regulators in developing countries need to review current corporate and taxation legislation to ensure income inequalities are not exacerbated. 

“We are seeing a phenomenal expansion of not just digitisation of data but also platformisation of data,” he said.

“From a developmental perspective, this means all of us are voluntarily surrendering our private raw data; personal information, business information and national statistics for free.”

Dr Kituyi said tech giants mine, analyse and monetise the data obtained for free, without any profits going back to users or the countries in which they operate.

“Eventually it goes beyond the abilities of national jurisdictions and it is going to reshape discourse and how we restructure regulation and corporations across borders, balancing between local regulation and fair taxation,” he said.

Expanding technologies

Kenya’s policy makers, despite talking big on the advances the country has made in expanding digital technologies in the region, are playing catch up to local and international technology service providers.

The Communications Authority of Kenya (CA) has for the past two years failed to appoint a consultant to draw up a study to inform the parameters for bringing tech giants under a regulatory regime covering tax and data.

The Data Protection Bill 2018 has been in development for more than five years without any significant headway.

At the same time, the National Treasury proposed the introduction of taxes on digital economic activities in the Finance Bill 2019 to increase revenue collection.

Last week, the Kenya Revenue Authority (KRA) kicked off the search for a technology service provider to install a monitoring and payments system to track transactions between local and international digital merchants and their customers.

The tax collection system will entail an integrated payment gateway solution to identify and authorise payments through settlement of data to and from merchants’ online portals to merchants’ banks.

KRA wants the system integrated with all internal revenue systems for data sharing purposes and updating of taxpayers’ ledger accounts, a requirement bound to raise opposition from service providers.