Outrage greeted the exclusive Nation investigative story that revealed how police have been colluding with telecommunication firms to irregularly access call data and location records that are used to track and capture suspects.
United States Ambassador to Kenya Meg Whitman denounced the abuse of mobile phone users’ right to privacy, while the Kenya Human Rights Commission (KHRC) said the exposé revealed the telcos’’ complicity in aiding and covering up abductions and killings by rogue security agencies.
“The laws on privacy and rule of law around rights of a private citizen need to be respected in democracies,” said Ms Whitman in a media interview in Kitale on Tuesday. During a meeting with local civil society groups, she affirmed the US government’s commitment to working with both the Kenyan government and civil society to uphold the rights of all individuals.
The US envoy called for action against perpetrators of human rights violations, especially during peaceful protests.
A KHRC spokesperson said the unauthorised access to mobile phone companies’ customers’ records “is not something that has started today”.
A months-long investigation uncovered how, for years, Kenya’s security agencies have had nearly unrestricted access to sensitive records of mobile phone users, including precise location data. These records have been used to track and apprehend individuals suspected of criminal activities. But they have also infringed on the privacy of innocent users.
The investigation’s findings raised concerns on the potential misuse of customers’ mobile data in facilitating abductions and extrajudicial killings that have increasingly been reported across the country, especially during and prior to the June and July Gen Z-led protests.
Call data records
In several cases, the investigation revealed discrepancies in call data records (CDRs) submitted by telecoms companies to the courts in cases involving missing persons. In situations where security agents are implicated in enforced disappearances or extrajudicial killings, these irregularities suggest that telecom providers may be obstructing the quest for justice.
National Intelligence Service (NIS) head Noordin Haji and the Directorate of Criminal Investigations (DCI) boss Mohamed Amin, did not respond to our calls and text messages seeking their responses on the privacy breaches, abductions and apparent manipulation of call data records to defeat justice.
Telecommunications firm Airtel did not respond to our questions on Tuesday, while industry giant Safaricom did not also address further queries following public outrage caused by the story. Safaricom, in an earlier response to our story, denied that it shared its customers’ call data records without adhering to legal process.
“Telkom adheres to prevailing laws when processing customer data. As a company, we will only proceed to share customer information with law enforcement agencies on the strength of a court order,” said Telkom Kenya in a statement.
Globally, CDRs are used as evidence, including in murder and enforced disappearances cases. In Kenya, where extrajudicial killings and disappearances are again on the rise, telecoms companies hold vital evidence.
“It has happened to terror suspects and we have seen situations where police have obtained real time location of suspects and these suspects have ended up being captured, disappeared and in some instances killed by the police,” said KHRC Communications Officer Ernest Cornel.
In cases involving crimes like kidnapping, families of victims who request CDR from the telcos are often denied access. According to Mr Ernest, the companies typically responds by stating that they cannot release the data of their customers.
In one instance, he said, a family, with support from the human rights lobby group MUHURI, submitted a request, but it was declined on the grounds that the lobby was not the registered owner of the mobile number for which they sought the records.
Customer privacy
“Essentially, they have been hiding behind the veil of customer privacy to deny crucial data that will help people to track their missing persons. But when police come asking for data, they issue it in many instances without even a court order,” Mr Ernest observed.
“The unconstitutional arrangement with the security agencies in which they are collaborating to track, capture, disappear and kill suspects must stop ... This relationship or whatever they are having needs to be cancelled so that due process can be followed,” he added.
The Office of the Data Commissioner (ODPC), which by law is mandated to promote and protect the right to privacy by ensuring data controllers and processors adhere to their obligations, asked aggrieved persons to report privacy violations via email.
“The Data Protection Act provides a robust framework for the protection of personal data, balancing individual privacy rights with lawful basis for processing. ODPC is actively working to ensure that all organisations, both public and private sector, comply with the Data Protection Act, 2019,” said ODPC in a statement.
Safaricom, in a statement released yesterday, said it was among the first mobile network operators (MNOs) in the region to be awarded the highest certification in privacy information system management.
“This serves as a validation of Safaricom’s dedication to safeguarding customer data across its GSM and M-PESA services. It confirms that the company adheres to globally accepted regulatory and technical standards,” the telco stated.
Further queries sent to the MNOs included details on the working relationship between the operators and law enforcement agencies such as NIS, but the questions were not responded to by the time of publication.
Telcos face financial penalties of up to Sh1 million while staff implicated in the violation of privacy risk a jail term of up to five years, according to the Kenya Information and Communications Act. The protection of privacy is among key conditionalities set for the licensing of telcos by the Communication Authority of Kenya (CA).
“The licensee is required to ensure necessary steps are taken to secure the integrity of personal data under their possession or control through the adoption of appropriate, reasonable, technical and organisational measures to prevent ... any unlawful access to or unauthorised processing of personal data,” reads part of the Act.
Also Read: State using abductions to stifle protests
CA Director-General David Mugonyi did not respond to phone calls and messages left on his known number seeking to establish the regulator’s assessment of privacy violations by telcos and measures taken.
Law enforcement agencies have latched onto limitations to the right to privacy, contained in the National Intelligence Service Act to go after suspects. The limitations on privacy and NIS special operations are however required to be accompanied by a warrant from the High Court and are valid for only 180 days.
Reporting by Daniel Ogetta, Kepha Muiruri and Evans Jaola.
