
Nowhere to hide: How loan apps mine your personal phone data

Six years ago, Alice Njeri Maina was shocked to find her name listed at a credit reference bureau for defaulting on a loan she never took.

The account was registered under her son’s name. A puzzled Njeri, therefore, visited her bank’s Nakuru branch to follow up on the issue. The bank promised to investigate.

Unknown to her, another borrower with an identical name and an account at the same bank had taken a loan in 2011, which was in arrears for Sh167,000. Njeri’s name had been mistakenly listed at the CRB for four years.

She sued the bank, citing defamation, emotional distress and failure to get a credit facility on account of her wrongful listing.

The judge awarded her Sh200,000 in damages, finding that the bank had erred in listing her without informing her.

Njeri’s case highlights the challenges borrowers face when lending institutions that process millions of customers’ records make mistakes in handling their data. But mishandling is not the only concern: these institutions also unlawfully mine your data for their own use.

The adoption of mobile loans means the risk of consumers’ data being mishandled has grown significantly, and experts now warn that regulators and the existing regulations are unable to compel fintech (financial technology) firms to comply with data protection laws.

A new report found that digital lending apps and commercial lenders are harvesting vast amounts of personal data from their users, often without their knowledge. 

According to a new report by Strathmore University’s Centre for Intellectual Property and Information Technology Law (CIPIT) and Citizen Labs, digital lending apps are linked to tracking and advertising software, raising questions over the sale of Kenyans’ personal data to third parties.

“All the apps read contacts, location data and have access to network connectivity data,” explains the report in part. “The apps have continuous access to location data, meaning that they track borrowers’ movements. Coupled with the fact that the apps run at start-up and prevent the phone from sleeping, this raises issues from a data protection perspective, for example, transparency and data minimisation.”

The report looked at the data policies of six digital loan providers, including Tala, Branch, Okash and Lioncash, as well as services from commercial lenders such as KCB, Absa’s Timiza and Finserve’s Eazzy Banking app.

Researchers analysed the apps’ privacy and data-sharing policies and used a proxy tool to determine what data the apps collect at start-up, and what they revealed is alarming.

More shocking still, all of the apps in the study apart from Absa’s Timiza are able to read, modify or delete the contents of users’ USB storage.

Branch requires users to grant it permission to record audio, while Tala is permitted to create accounts, set passwords and use those accounts. All of the apps can prevent the phone from sleeping, and some can retrieve the list of running apps.

“Other permissions that raise data protection concerns include Branch’s requirement to access the borrower’s phone microphone as well as Okash’s access to the calendar, which includes the permission to add or modify calendar events and email guests without the borrower’s knowledge,” explains the report.
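The permission classes the report singles out can be checked directly against an app’s manifest. The following is an added example of such an audit, not tooling from the report or the article; the manifest and the permission-to-concern mapping are constructed here for illustration.

```python
"""Audit an AndroidManifest.xml for the permission classes flagged in the
CIPIT/Citizen Lab findings (contacts, location, microphone, storage, calendar,
accounts, run-at-boot, keep-awake).  Added example; sample manifest is constructed."""
import xml.etree.ElementTree as ET

# Manifest attributes such as android:name live in this XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names mapped to the concern the article raises.
FLAGGED = {
    "android.permission.READ_CONTACTS": "reads contacts",
    "android.permission.ACCESS_FINE_LOCATION": "continuous location tracking",
    "android.permission.ACCESS_COARSE_LOCATION": "continuous location tracking",
    "android.permission.RECORD_AUDIO": "microphone access",
    "android.permission.READ_EXTERNAL_STORAGE": "reads USB storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "modifies/deletes USB storage",
    "android.permission.READ_CALENDAR": "reads calendar",
    "android.permission.WRITE_CALENDAR": "adds/modifies calendar events",
    "android.permission.AUTHENTICATE_ACCOUNTS": "creates accounts, sets passwords",
    "android.permission.RECEIVE_BOOT_COMPLETED": "runs at start-up",
    "android.permission.WAKE_LOCK": "prevents phone from sleeping",
    "android.permission.GET_TASKS": "retrieves running apps",
}

def audit_manifest(xml_text):
    """Return {permission: concern} for every flagged permission the manifest declares."""
    root = ET.fromstring(xml_text)
    declared = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return {p: FLAGGED[p] for p in sorted(declared) if p in FLAGGED}

# Constructed manifest for a hypothetical lending app (not any real app's manifest).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.lender">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
</manifest>"""

if __name__ == "__main__":
    for perm, concern in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{perm:50s} {concern}")
```

Each flagged permission is one the lender should justify against the purpose of issuing a loan; anything it cannot justify is a data-minimisation finding.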

At the same time, three of the apps, Branch, Okash and Lioncash, use referrer APIs (Application Programming Interfaces).

The report describes this as an identifier unique to Android devices that lets marketers attribute ad activity to media sources for Google Play Store apps. It further details how digital lenders use tracking software to collect data on users’ behaviour, including their activity across platforms.

“The data is evidence of the apps connecting to different types of trackers such as the app companies’ servers, crash reporters, analytics and location data,” says the report.

Tala, KCB and Equity all connect to location data through the Google user location API.

“Evidence indicates linkages to third-party APIs include the Facebook graph API, which is the primary means of getting data in and out of Facebook,” explains the report.

“Four of the apps - Branch, Equity, Timiza and Lioncash - connected to the API at start-up.”

The study also found that some apps, particularly Tala and Branch, connected to bespoke data analytics companies that study user behaviour to sell micro-targeted ads.

This has raised concern that Kenyan regulators are ill-equipped to regulate the data harvesting practices of fintechs, even though some of those practices contravene the Data Protection Act 2020.

For example, researchers questioned why lending apps connect to data analytics companies such as Adjust, Amplitude and Braze, and how that data is used to assess creditworthiness.

“Some banks send prospecting messages to would-be customers stating loan amounts they qualify for without disclosing how the loan limits were arrived at,” says the report.

“This means that the banks use information collected or analysed from other sources.”

The potential for data analytics has also been suggested as a big part of the reason for fintechs’ massive valuations. In 2019, Tala, headquartered in California, announced raising Sh11 billion in a new round of funding, pushing its seven-year total fundraising to Sh21 billion and valuing the company at over Sh75 billion, according to media reports.

Data Commissioner Immaculate Kassait said the regulator, established in November last year, is currently working on legislation meant to bolster the Data Protection Act 2020.

“We currently have a task force that was looking at the Data Protection Act, 2020 and the supporting legislation that will be required for implementation,” she said in an interview with The Standard on Sunday earlier this month. Kassait, however, said no fintech or digital lender had as yet approached her office for an assessment of its compliance with the Data Protection Act, 2020.
