Why Safaricom raised the red flag over call snooping system
SCI & TECH
By Kamau Muthoni
| Apr 28th 2020 | 7 min read
SCI & TECH
Safaricom had raised concerns about mobile phone users’ privacy after the Communication Authority (CA) informed the telco it would install a Device Management System (DMS) and synchronise it with their network.
The objections about the controversial system were contained in exchanges between Safaricom’s former CEO Bob Collymore and the authority.
CA wrote to Safaricom, Airtel and Telkom on October 10, 2016 notifying them that it intended to install the system, the reason being combating the proliferation of counterfeit mobile phones and international calls which were masked as local calls, and which denied the telcos revenue
In court, Airtel and Telkom opted to keep off the fight, saying they would abide with whatever the court decided.
Former CA Director-General Francis Wangusi, in his replying affidavit to the case filed in the High Court by activist Okiya Omtatah, told the court that each of the Mobile Network Operators (MNOs) have their DSMs, but the government needed a centralised system.
Safaricom said CA never convened any meeting to discuss the design or rules to run the system, only opting to communicate the specifications and the design in a letter dated October 10, 2016.
Seven days later on October 17, 2016, Collymore responded saying the system raised key concerns, among them privacy and confidentiality of consumer information as CA had hired a third-party — Broadband Communication Networks Limited (BCNL) which was partnering with Invigo Off-Shore Sal, a Lebanon based firm — to run the system for Sh187 million.
Safaricom’s then head of Regulatory and Public Policy in the Corporate Affairs Division Mercy Ndegwa, in her affidavit, told the court that CA held only one technical committee meeting on November 23, 2016 at which the firms raised concerns of consumers privacy.
Court record reads that two months later on January 31, 2017, CA wrote to them stating that it had commenced the DMS project and integration and it needed them to grant Broadband BCNL access to their sites for installation. “We are in the advanced stages of setting up the connectivity links between DMS and your network. The purpose of the visit is to survey and discuss with your technical team the integration of the DMS and your network. The key highlights of the visit will be on the following matters,” the letter by CA and quoted in the High Court case read. They were to discuss the architecture of connectivity between the DMS and the telcos system to access information on the IMEI, IMSI, MSISDN, and CDRs of subscribers.
IMEI is a unique number that identifies your mobile phone, International Mobile Subscriber Identity (IMSI) is a number which uniquely identifies every user of a cellular network. Mobile Station Integrated Subscriber Directory Number (MSISDN) is your mobile number. Meanwhile, CDRs (Call Data Records) are records containing details of a telephone call or other transactions. They include your location, time, duration, the receiver and whether the call was connected.
According to Ndegwa, the sole concern was whether BCNL would have unfettered access to the consumers’ call data records, location information, credit card and M-Pesa information, identification information and SMS information, which equates to all the records of any consumer with a registered mobile device. She says the authority never addressed the concerns and Safaricom concluded that subscribers were at risk of having their details, telecommunications, short message services, social media messaging and data exchanges being interfered with by installation of the device.
CA denied DMS would give automatic access to consumers’ information. However, Safaricom’s lawyer told the High Court that besides BCNL, the National Police Service, the Anti-Counterfeit Agency, and Kenya Bureau Standard (Kebs) will also have access to the DMS system, hence escalating concerns of listening, tapping, surveillance and storage of communications and related data.
The Coalition for Reforms and Democracy (CORD) also supported the case arguing that surveillance and intercepting calls violates the right to privacy. While agreeing with Omtatah, Safaricom and CORD, Justice John Mativo found that CA did not give a convincing argument that would water down the argument on its capability to snoop into peoples’ private mobile lives.
“Subscribers data held by the first to the third interested parties can only be released under the circumstances permitted by the law, and in particular Section 27A of KICA. There is no argument before me to demonstrate that the DMS fits any of the circumstances contemplated under the said section. Nor is there a strong argument by CA rebutting the position taken by the petitioner and Safaricom on the capabilities of the DMS,” he ruled. “In any event the letter dated January 31, 2017 which triggered this petition stated in clear terms that the DMS was meant to “...access information on the IMEI, IMSI, MSISDN, and CDRs of the subscribers on your network.”
He also found that CA ought to have conducted meaningful consultations and public participation to come up with regulations to run the system. In the end, the judge barred CA from continuing with the project, noting that the work that CA wanted to do could also be done by Kenya Revenue Authority, the police, Kebs and even the telcos as they had a system of identifying unregistered sim cards and mobile phones. He noted that more than 1.89 million mobile phones had been successfully blocked with the help of the mobile phone services firms.
“An order of prohibition be and is hereby issued prohibiting the first respondent (CA), its servant or agents from implementing its decision to implement the DMS system to establish connectivity between the DMS and the first, second and third interested parties system to access information on the IMEI, IMSI, MSISDN and CDRs of their subscribers on their network,” Mativo ruled.
Aggrieved, CA moved to the Appeals court and that court overturned Justice Mativo’s verdict. Here, CA’s lawyer Wambua Kilonzo argued that the case was premature as DMS was at the design stage.
It claimed that although the device had been procured, the methodology of its use and interaction with other MNOs was still under discussion. The court heard nothing was produced on its alleged spy capabilities. According to CA’s lawyer, DMS is not a new system but a continued upgrade to control or stop the proliferation of illegal devices. BCNL supported CA’s case, arguing that the source of fear claims emanated from stories published by The Standard and Daily Nation.
The Standard ran a story headlined ‘Big brother could start tapping your calls from next week’ while Daily Nation published a story ‘Bold plan to spy on calls, texts rolled out from Tuesday next week.’
Safaricom, which was the seventh respondent through its lawyer Nani Mungai, urged Justices William Ouko, Martha Koome and Daniel Musinga to dismiss the case.
Nani told the three judges that the key criteria of the system in the tender was for it to have the ability to track the location of the mobile device, access to various sensitive components and records of customer devices at any time, which include call data records (CDRs), billing systems and home location registers and records of MNOs.
Kenya Human Rights Commission (KHRC) also urged the court to dismiss the case, reiterating that the system was likely to spy onprivate communication. KHRC argued that other agencies, like anti-counterfeit agency and police, would equally weed out stolen and counterfeit phones. While reversing the orders by the High Court, Justices Ouko, Koome and Musinga faulted Justice Mativo, saying he ought to have considered that those dealing with counterfeit and stolen phones had gone a gear further to clone genuine IMEIs. They said the judge had over dwelt on interpreting ‘access’ but failed to consider the challenges raised by CA.
“The judge went into so much interpretation of the general human rights protection but did not give similar regard and attention to the challenges that needed to be addressed with solutions. We think the judge over concentrated only on the interpretation of an aspect of the term ‘access’ in a narrow sense in regard to retrieving data, which he took to mean intrusion of privacy to communication,” they ruled in a judgement read by Justice Koome.
“He, however, did not consider other aspects of ‘access’ such as making use of the resources to address the challenges at hand. We state this cautiously, noting that in accessing the data there was fear that the right to privacy was likely to be infringed, which seems to have preoccupied the judge,” they ruled.
Although Safaricom had raised concerns about spying, the three judges found that there was no evidence that DMS was going to intrude private communication other than ‘newspaper cuttings.’
The court noted the headlines were sensationalised and their authors ought to have been examined in court if they were to be admitted as evidence.
They said CA would have addressed Safaricom’s contention were it not for the High Court issuing orders which halted the project. They set aside the orders paving the way for CA to continue with the system, but with consultations with stakeholders and mobile network operators.
EABL invests Sh5b in biomass plant
- Ethical procurement practices key to fostering Kenya's growth
By Chilion Ogol
- M-Pesa profile in Safaricom rises as voice revenue stutters
- Kenya to import 540,000 tonnes of maize to avert looming shortage
- Toyota Probox: What this workhorse offers, but also a look at its problems
By Mate Tongola
- CBK fees waiver pushes M-Pesa daily deals with banks to Sh15b