Kenya’s security agencies have for years had virtually unfettered access to mobile phone customers’ sensitive call data records, along with location data, helping them to track and capture suspected criminals but also violating innocent users’ right to privacy, a months-long investigation has revealed.
The findings raise concerns about possible usage of customers’ mobile phone records to aid rampant abductions and extrajudicial killings reported in the country, especially in the wake of and even prior to the June Gen Z protests.
Irregularities in call data records (CDRs) presented to court by telecoms companies, in response to investigations into missing persons where state security agents are suspected to have forcibly disappeared or extra-judicially killed suspects, also raise concerns that the companies have impeded the pursuit of justice.
Unfettered access to call data
The investigation also established that a little-known British software company, Neural Technologies, embedded in Safaricom’s internal systems a data management system that allows Kenya’s security services virtually unrestricted real-time access to Kenyans’ call data.
Neural Technologies did not respond to our queries on their role in developing a system that helps police to track and capture persons of interest using their mobile phone data and signals. The Kenya National Police Service spokesperson Resila Onyango also did not respond to our detailed queries on the matter, with email queries sent in late September and subsequent WhatsApp messages and phone calls going unanswered.
Safaricom, in a terse email response, denied breaching its customers’ right to privacy even after being presented with evidence of the contraventions.
“Safaricom has always taken our responsibility to protect customer data very seriously. We prioritise the privacy of our customers and are dedicated to upholding our customers’ trust through protecting their privacy,” said a Safaricom spokesperson in a statement.
“We safeguard all data in line with our obligations and the law, and we only release call data records to verified law enforcement authorities while required via a court order. While we cannot discuss individual cases, we have always been transparent and honest in how we engage with our stakeholders, and we will continue doing so in order to maintain the trust that we have built over the years,” the company added.
When someone goes missing in Kenya, telecoms companies often hold the key to help solve the mystery. Critical information – like the time, caller ID and their location – of every call and text sent or received by subscribers is logged as a call data record (CDR). Millions of these records are generated every hour.
Used as evidence
Globally, CDRs are used as evidence, including in murder and enforced disappearances cases. In Kenya, where extrajudicial killings and disappearances are again on the rise, telecoms companies therefore hold vital criminal evidence in their extensive data servers.
While our investigation indicated that all Kenyan telecommunication companies routinely hand over CDRs to the police, all the specific cases we investigated involved Safaricom mobile phone numbers.
Despite the Safaricom denial, however, our investigations further revealed that Kenya’s largest telco by subscriber base and the country’s most profitable company also habitually declines to provide full CDRs – which contain vital evidence for criminal investigations and locating missing persons.
By contrast, when it comes to aiding the Kenyan state, Safaricom promptly turns over data on its subscribers. CDRs provided by Safaricom have played a key role in “pinning” terrorism convictions.
By law, Kenyan police require a court order to extract CDRs from mobile companies’ systems, whether to investigate or prosecute a suspect. Police procedure also stipulates the need for a written, internally approved request citing an “occurrence book number”. In reality, CDRs can be readily obtained by Kenyan police without a formal process, according to civilian Safaricom employees and police officers interviewed.
The investigations also revealed instances where Safaricom impedes the pursuit of justice by claiming, for example, that it does not hold ‘old’ data, which it in fact holds.
This misleads lawyers and the courts. Moreover, in four separate legal cases reviewed by the Nation, Safaricom has released records to court apparently bearing signs of falsification, according to forensic experts interviewed, including in cases where police are accused of enforced disappearance or murder.
Police and court requests for data go through a team of police officers at the Law Enforcement Liaison Office, attached to Safaricom headquarters. The team is managed by a senior Safaricom employee.
But when Kenyan police are accused of a disappearance or murder, it is their own colleagues who generate the call data record evidence that can implicate or exonerate them. This poses a major conflict of interest.
Used location data in sinister ways
This investigation also found instances in which police and intelligence have used customer data and location records in more sinister ways, for kill or capture operations. Suspects located using their mobile phone signals can be abducted and killed without due judicial process.
The disappearance of Trevor Ndwiga and subsequent court proceedings (Diana Ndinda Mutia and Trevor Ndwiga Nyaga vs. ODPP and Safaricom Limited and 5 Others) is one such example.
Trevor Ndwiga Nyaga had previously been charged with terrorism-related offences and was released on bond in July 2020. But on September 4, 2021, he disappeared. His mother filed a missing person alert at a police station. She had become concerned that he had been abducted by anti-terror police. Ndwiga's defence counsel in his terrorism case filed a habeas corpus petition to establish his whereabouts.
Investigating police officers submitted a request for Call Data Records (CDRs) to Safaricom’s Law Enforcement Liaison Office for the mobile phone line used by Ndwiga and submitted the records to court bearing a Safaricom stamp dated 3 February 2022.
Later on February 8, 2022, the court ordered Safaricom to disclose “the phone call data records and Base Transmitting Station (BTS) records and logs covering the period from 9:00 a.m. on 1st September 2021 to midnight on 30th September 2021.”
Both exhibits submitted in court and certified by Safaricom covered the same time period and mobile phone line, yet there were significant inconsistencies between them. The location information in one dataset places him en route to the Somali border. But the other dataset produced for the court – for the same phone line and period – places him firmly in Nairobi.
The case of Samuel and Idri
The case of the disappearance of Samuel Dong Luk and Idri Aggrey (HCCR Misc. Appl. 28/2017, Samuel Dong Luk & another vs. Republic) is another example of Safaricom releasing evidence to court bearing unexplained irregularities.
Dong and Aggrey were South Sudanese activists and vocal critics of the South Sudanese government. Both lived in Nairobi due to threats on their lives.
On 23 and 24 January 2017, Dong and Aggrey respectively were abducted by unknown persons. A UN Panel of Experts concluded that South Sudanese intelligence abducted the two men in Nairobi, likely with Kenyan intelligence’s assistance, rendering them to Juba. There, they were “highly probably” executed, according to the UN experts’ analysis.
Again, call records presented in court contain irregularities. The CDRs obtained by the court for Dong’s Safaricom line and for the then-main suspect in their disappearance show that large numbers of calls and SMS sent and received around the time of Dong’s disappearance are missing crucial information, such as the base station number, which would reveal the location of the handset. This makes it impossible to identify where either the victim or the suspect was when Dong disappeared.
Safaricom also released to the court, and certified as authentic, apparently false data, our research has found. Examining Safaricom’s disclosure to the courts, we identified eight call events spanning from 7pm on the evening Dong disappeared through to about 10am where the base station unique ID numbers appear fabricated. The Nation confirmed this through two global open-source base station databases, and also within Safaricom’s live system, through an engineer with real-time access.
We showed Safaricom CDRs in the Dong case to two independent British cell site forensic experts who regularly work with such legal evidence.
“You don’t see records like this where you've got sections that are just blank like that,” opined the first, after considering possible technical explanations.
“It cannot logically be due to the malfunction of a system somewhere… It raises the suspicion these have been edited.”
“It looks suspicious that there’s quite a big swathe of them missing,” the second expert stated.
“We would severely question it if we got [evidence] like that… The worst possible case is it’s been redacted”.
Safaricom did not respond to our queries on the inconsistencies in the exhibits submitted in court.
Mobile phone call records ordinarily detail the location and connections of each subscriber. Police and intelligence agencies the world over use them to locate and investigate suspects, but only within certain strictures of the law.
How spying software was developed
In 2012, Safaricom approached Neural Technologies to develop software for law enforcement officers to automate Kenyan police and intelligence access to the telecommunication company’s CDRs. Together, the two companies re-wired existing Safaricom databases to provide free access and almost instantaneous search results.
Jeff Cheatham, at the time a project manager at Neural Technologies, in an interview, explained how the spying system was developed: “Safaricom’s concept was, ‘hey, the fraud system has all the call record details anyway... every little data element is stored and goes through our system for analysis. And so, since all that information is already there,’ they thought, ‘can we somehow hook it up to where the law enforcement or anybody else can remotely access this automatically?’”.
Safaricom insiders say the project was driven by the telco’s desire to provide an easier, seamless service to law enforcement seeking to access customers’ data, and so there were not enough safeguards to ensure that Safaricom staff’s approval of access amounted to more than mere rubber-stamping of the security agencies’ requests.
Neural Technologies was also at the time developing a browser-based portal for officers in the field to access Safaricom CDRs, an idea Mr Cheatham said would “never fly” in the US or UK because of privacy laws.
The field access means security agencies have the ability to track suspects anywhere around the country by following their mobile phones in real time.
British telecommunications multinational, Vodafone Group, is the single-biggest Safaricom shareholder controlling just under 40 per cent of the telco’s stock, while the Kenyan government has a 35 per cent stake. A 25 per cent free float of the shares is traded on the Nairobi Securities Exchange (NSE).
Outrage over the revelation that UK intelligence agency GCHQ had direct access to citizens’ phone and internet communications prompted a lawsuit at the European Court of Human Rights, which in 2020 ruled that bulk interception of communications was unlawful.
Vodafone did not respond to numerous requests for comment on the practices at Safaricom and the apparent irregularities.
Finding 'friends'.
Solutions to 'help Kenyan police'
In 2016, Neural Technologies said it was ‘considering solutions’ to help Kenyan police who were “looking to use the telco information” to map criminal networks “and close them down.”
Safaricom and Neural Technologies’ partnership worked so well that in February 2018, the British company was preparing to go much further to facilitate Kenyan law enforcement’s access to Safaricom data.
“We call it ‘Find my Friends,’” joked Adrian Harris, former director of new products at Neural Technologies. ‘Find My Friends’ was a prototype visualisation function that allowed law enforcement officers to predictively profile Kenyans and flag them for further investigation based on their patterns of movement and association.
This is how it works: A Kenyan officer wants to investigate a particular individual. They look up the person’s phone number and, using the tool’s map search function, map the target’s movements by triangulating the mobile masts to which their phone connects, as they move across Kenya.
The tool also analyses Safaricom’s dataset to identify other individuals who may be moving in the same way as the target, to whom they might be associated, proactively identifying new ‘suspects’ by mapping how they use their phones.
Multiple former and current police officers interviewed confirmed that live-tracking of an individual mobile phone’s location can be performed within Safaricom using base station data, on request of security agencies.
“[T]here’s always Safaricom, where you can track somebody”, a current Recce Company paramilitary officer said.
“It will tell you he’s within a radius…as you approach there is what we call a sensor that [says] we are close, depending on the signal, they can tell we are like 10m from the guy. So that is the time now the guys can disembark… and manually cordon the area.”
Predictive profiling
Tools similar to ‘Find My Friends’ that automate law enforcement intelligence tasks have raised concerns in other jurisdictions, including over racial bias. At least 14 UK police forces have used predictive analytics to identify crime hotspots, which British human rights organisation Liberty decried as “entrenching pre-existing inequalities while being disguised as cost-effective innovation”.
The UK does not currently regulate the export of machine learning and artificial intelligence solutions for telecoms operators, even if they are ultimately for law enforcement purposes.
Given the Kenyan authorities’ record of disappearing and murdering suspects, such a predictive policing and profiling system raises serious human rights concerns.
“It’s for the purpose of targeting specific individuals, singling them out as terrorists. So we would argue that it should be included (under UK export control regulations)”, argues Natalia Krapiva, tech-legal counsel at Access Now – a digital rights organisation – responding to a description of the ‘Find My Friends’ solution’s capabilities.
“We're not actively looking for you,” explained Harris. “All we're doing is we're looking at that information that we've been capturing and continue to capture as you go along.” Neural Technologies demonstrated its prototype tool to us by connecting to Safaricom’s database.
“You cannot treat all of us as suspects”, comments Haron Ndubi, a Kenyan constitutional human rights lawyer. “To have some random mechanism where you want to check on everyone and see who they're talking to…it’s already criminal in itself”.
For the police to access sensitive customer data without a court order is “unconstitutional”, says Khelef Khalifa, chair of Muslims for Human Rights (MUHURI). “For us it's a shock because the law does not allow Safaricom or any other company [to do this] because: before you obtain to somebody's data, the law says you have to obtain a court order.”
Neural Technologies did not respond to a request to clarify what due diligence it conducts on end-users of its technologies to safeguard against human rights abuses.
Live data, dead bodies
In 2021, the UK announced it would enhance its military presence in Kenya, as its main strategic partner in East Africa. More quietly, Britain’s MI6 has played a key role in identifying, tracking and fixing the location of targets in Kenya, as well as in decisions determining their fate, a previous Declassified UK investigation found.
We do not suggest that Vodafone, Safaricom or Neural Technologies are actively complicit in or otherwise responsible for the alleged extra-judicial killings, state illegalities or other human rights violations depicted in this article.