Is (there any doubt that) Safaricom (is) giving the Kenyan police undue access to user data?
also ft: Nigeria pushes for data sovereignty
CybAfriqué is a space for news and analysis on cyber, data, and information security on the African continent.
HIGHLIGHT
Is (there any doubt that) Safaricom (is) giving the Kenyan police undue access to user data?
Protests have been ongoing in Kenya since June 2024, initially triggered by a tax bill that did not sit well with the people. Since then, millions of Kenyans have mobilized, both physically and digitally, against austerity measures, corruption, and human rights abuses, and have been met with violence and state brutality. Amidst this, Safaricom, Kenya's largest telecommunications provider, has come under continued accusations of granting the Kenyan police undue access to user data, effectively enabling surveillance and persecution of protestors.
Safaricom, a subsidiary of Vodacom, is a significant data processor under Kenya’s Data Protection Act. The company collects extensive user data, including biometric information from SIM registrations, call detail records (CDRs), and mobile money activity. This vast trove of data makes it an alarmingly potent tool for surveillance. Reports indicate that authorities have been able to track down political dissidents, leading to abductions, arbitrary detentions, fines, and even deaths, with over 31 people reportedly killed and 107 wounded during the recent Saba Saba marches alone.
The allegations against Safaricom are not new, nor are they isolated incidents. Several key cases and investigations have brought these concerns to light:
Strategic litigation against public participation (SLAPP) Suit: Safaricom recently filed a SLAPP suit against a journalist, reportedly to block the disclosure of information concerning their data-sharing practices with the police between June and October 2024 – a period marked by heightened protest-related abductions and enforced disappearances. This move raises serious questions about transparency and accountability.
Privacy International investigations (2017 and onward): A 2017 report by Privacy International, titled "Track, Capture, Kill: Inside Communications Surveillance and Counterterrorism in Kenya," documented how unregulated state surveillance, potentially facilitated by telecom firms, was enabling human rights abuses. The report highlighted that police requests for data often lacked detailed justifications, merely stating the crime category. Furthermore, in cases deemed "urgent" or "national security" matters (an often overused justification), protocols for data access from Safaricom were reportedly bypassed.
Nation Africa investigations (October 2024): Investigations by Nation Africa revealed that Neural Technologies, a partner of Safaricom, developed software that allegedly automated security agencies' access to Safaricom's CDRs. Some of these tools reportedly included a browser portal for real-time tracking via CDRs and a "Find My Friends" visualization function, which could be used for predictive profiling based on movement and association patterns.
Access Now letter (July 2025): Access Now, alongside several human rights organizations, sent an open letter to Vodacom (Safaricom's parent company) in July 2025, urging an urgent, independent, and publicly accessible assessment of Safaricom's role in potential human rights violations during the ongoing protests. The letter specifically demanded transparency on Safaricom's data-sharing requests and practices with law enforcement.
Safaricom has consistently denied these allegations, stating that it only provides customer data when explicitly required by a court order. In October 2024, Safaricom CEO Peter Ndegwa denied allegations that the company is enabling surveillance. However, if the allegations hold, such practices would be in direct contravention of key sections of the Kenya Data Protection Act (2019). Specifically, they would likely violate:
Section 25 (Principles of data protection) outlines data collection, processing, storage, and use principles, emphasizing lawfulness, fairness, and transparency, and prohibiting intrusion on privacy.
Section 26 (Rights of a data subject) grants individuals rights, including the right to be informed about data collection, to access their data, and to object to processing.
Section 30 (Lawful processing of personal data) requires specific conditions for lawful processing, including consent or a clear legal basis.
Section 39 (Limitation to retention of personal data) limits the retention period of personal data.
Section 41 (Data protection by design or by default) mandates the implementation of appropriate technical and organizational measures to safeguard data.
This isn't the first time Safaricom's practices have come under scrutiny. While M-PESA, their mobile money service, has been lauded for financial inclusion, it has also faced criticism regarding high transaction fees and market dominance, with concerns raised by organizations like the Bill & Melinda Gates Foundation. In 2014, Safaricom was awarded a US$160 million contract for a national police surveillance system, which included capabilities like video surveillance with facial recognition and a centralized database.
Ghana takes another step towards its digital governance renaissance
Ghana is implementing a new SIM registration protocol. The cornerstone of this digital security push is a new SIM registration method designed to tighten up existing regulations and curb mobile money fraud. The country has gained a degree of notoriety for mobile money scams, where criminals often impersonate official agents to gain access to victims' accounts. The "momo scam" is a prevalent example of how fraudulent SIMs have enabled criminal activities.
The National Communications Authority (NCA) is proposing a three-phase plan to address vulnerabilities that have existed since the last major SIM registration implementation in 2010. Here's how it will manifest:
Phase 1: Biometric validation: This initial step focuses on a rigorous biometric validation to identify and clean up fraudulent or duplicate registrations. This will create a much more accurate and reliable database of SIM card holders.
Phase 2: Stricter control over new SIM activations: Once the existing database is cleaned, the focus shifts to robust controls for new SIM activations, ensuring that every new SIM is properly linked to a verified identity.
Phase 3: Verification of business SIMs and deactivation of non-compliant records: The final phase will involve verifying SIMs used by businesses and systematically deactivating any records that do not comply with the new, stricter regulations.
It’s a lot like Nigeria’s overhaul in 2023/2024, but perhaps better planned. Individuals and businesses who have previously registered their SIMs might need another round of verification, likely involving biometric data.
These initiatives are part of a broader "digital governance renaissance" in Ghana. In recent months, the government has been actively engaged in developing and implementing several other key digital policies, including:
Disinformation Bill: Earlier this year, Ghana drafted a Disinformation Bill. This legislation aims to establish a comprehensive legal framework to guide enforcement efforts and ensure accountability for the deliberate spread of misinformation and disinformation, particularly vital in the lead-up to elections.
Digital Economy Policy and Strategy (2024): Launched in November 2024, this policy aims to position Ghana as a digital hub in Africa, focusing on universal access and connectivity, digital skills and research, digital government, digital entrepreneurship, and data and emerging technologies.
Ethical AI Readiness Assessment Measurement (September 2024): This initiative was launched to evaluate Ghana's preparedness for implementing ethical AI systems, identifying regulatory gaps, and assessing data protection, transparency, and fairness in AI governance.
National Cybersecurity Policy (October 2024): This policy, unveiled during the 2024 National Cybersecurity Awareness Month, offers a clear focus and roadmap to steer the development of Ghana's cybersecurity over the next five years.
Nigeria pushes for data sovereignty
If you know anything about data sovereignty, then you’d also know it’s not something African countries are known for. The inherent structure of global data flows, centered on Western companies, cloud companies, and even data policies, means that while many African countries strive for, and have policies requiring, their data to be processed within their borders, most of the continent's data is still processed outside them. Nigeria is taking a hard stand on that.
In April, Nigeria asked Google, Microsoft, and Amazon to set deadlines for opening data centers in the country in order to comply with sovereignty regulations, ending years of waivers. The country also set up a working group to look into compliance with cloud sovereignty, writes Damilare Dosunmu in Rest of World.
In one of the first, and perhaps most significant, enforcement actions aligning with this goal, the Nigeria Data Protection Commission (NDPC) earlier this month slapped a hefty 766 million naira ($501,000) fine on MultiChoice Nigeria, the parent company of popular satellite television providers DStv and GOtv. The commission says MultiChoice committed violations of the newly enacted Nigeria Data Protection Act (NDPA) 2023, specifically concerning the unlawful cross-border transfer and inadequate protection of Nigerian citizens' data.
According to Mr. Babatunde Bamigboye, Head of Legal, Enforcement, and Regulations at the NDPC, the fine was a result of an intensive investigation launched in the second quarter of 2024, triggered by widespread allegations of suspected breaches of subscribers' privacy rights and the unauthorized transfer of Nigerians' personal data across international borders.
The NDPC says it uncovered several critical areas of non-compliance by MultiChoice, including:
Unlawful Cross-Border Transfer of Personal Data: This is the primary charge. The NDPC found that MultiChoice was engaging in the transfer of personal data belonging to Nigerian data subjects to foreign jurisdictions without adhering to the due process stipulated by the NDPA. The Act specifically outlines guidelines for cross-border data transfers, generally requiring that the recipient jurisdiction or entity offers an adequate level of protection for personal data, or that specific safeguards (like binding corporate rules or contractual clauses) are in place.
Intrusive, Unfair, Unnecessary, and Disproportionate Data Processing: The NDPC stated that "The depth of data processing by MultiChoice is patently intrusive, unfair, unnecessary and disproportionate." This implies that the company was collecting and processing more data than was reasonably required for its services, or doing so in a manner that infringed upon the fundamental right to privacy enshrined in Section 37 of the 1999 Constitution of the Federal Republic of Nigeria. This could include collecting data beyond what is necessary for providing pay-TV services, or using it for purposes not explicitly consented to by the users.
Violation of Privacy Rights of Subscribers and Non-Subscribers: Crucially, the NDPC found that MultiChoice not only violated the privacy rights of its direct subscribers but also those of individuals associated with them, even if those individuals were not MultiChoice customers themselves. This suggests that data belonging to friends, family, or contacts of subscribers may have been processed without their consent or a lawful basis.
MultiChoice Nigeria has not yet publicly responded to the fine.
FEATURES
In this interview with Omoniyi Faith, Franck Kié, organiser of the Cyber Africa Forum (CAF), highlights the growing urgency for African governments to prioritize cybersecurity as digital transformation accelerates across the continent.
For Rest of World, Damilare Dosunmu discusses how developing nations are increasingly challenging the long-standing dominance of Big Tech companies over global data.
This TechCabal article attempts an inside story of the eight-hour Distributed Denial of Service (DDoS) cyberattack launched against MTN Nigeria, the country's largest telecom operator, by Anonymous Sudan.
Here, Kunle Adebajo, editor-in-chief of the Africa Academy for Open-Source Investigations, highlights how Nairaland, a popular Nigerian internet forum, has become a fertile ground for foreign influence operations and geopolitical information warfare.
HEADLINES
Interpol identifies West Africa as a potential new hotspot for cybercrime compounds
Cameroon’s regulator fines MTN and Orange a combined $4.6m for poor service delivery
Cybercrime allegation: PRNigeria petitions Police against NIPSS Officials
Egypt completes 2 subsea cable landings, with 126 Terabits per second capacity