Shop like a billionaire, pay in data

CybAfriqué is a space for news and analysis on cyber, data, and information security on the African continent.

HIGHLIGHTS

Shop like a billionaire, pay in data

E-commerce is convenient. You click buttons on your phone and days later get your stuff delivered to your door, often for far less than the usual price. You can buy anything from a kitchen set to a house. To make that happen, the platform needs some data.

Logistics and payment details are essential data needed to make purchases, as required by the company. The platform needs your location to deliver your goods, and it must promise that it will use that data only to process your deliveries, not to track you. But that’s boring, and e-commerce giants are not built that way. E-commerce giants are, in practice, data-hungry. Amazon has done it before, so have Shopify, Shein, Alibaba, and even TikTok Shop. It’s a sort of rite of passage.

So it is unsurprising that Temu now faces allegations of data violations. Earlier this week, Nigeria’s data authority, NDPC, launched an investigation into Temu, the app that reportedly processes the data of over 12.7 million Nigerians. The regulator is looking to audit the platform's cross-border data transfers, allegations of spying on users, and the collection of way more data than necessary.

In recent weeks, Temu has also faced similar claims in the United States (specifically Texas), South Africa, and the European Union.

These allegations also come with the claim of spying. In the case against Temu in Texas, filed in February 2026, it says the app is "spyware disguised as a shopping app". The case by Arkansas Attorney General Tim Griffin also repeats this claim, labelling the platform a "data-theft business" that functions as malware.

Cybersecurity researchers at firms such as Grizzly Research have pointed to "dynamic code loading," a technique where the app can download and execute new code from its own servers after it's already been installed. This allows Temu to change its behaviour on the fly, bypassing the security reviews of the Apple and Google app stores. Experts have also noted that the app uses a proprietary layer of encryption on top of standard security protocols, which makes it nearly impossible for outside observers to see exactly what data is being sent back to the company's servers in China.

Much of the suspicion also stems from Temu’s sister app, Pinduoduo. In 2023, Google suspended Pinduoduo after malware was found exploiting specific Android vulnerabilities to monitor users. Many experts suggest Temu uses a "cleaned-up" version of that same architecture.

Even more than language academia, lawyers and journalists are perhaps the world’s most detailed observers of words. Most recently, both sides have been careful with their words following the news that spyware was discovered on phones belonging to filmmakers who were arrested by Kenyan authorities in relation to this BBC documentary on police brutality during the #EndBadGovernance protests.

During their controversial, mafia-styled arrests on May 2, MarkDenver Karubiu, Bryan Adagala, Nicholas Wambugu, and Christopher Wamae were arrested in Nairobi for publishing false information, and were released the following day without charge, while their electronic devices, a tablet, computers, and storage devices, were confiscated during the arrest, and withheld until July 10.

In September, Citizen Labs found the commercially available spyware Flexispy on their phones, installed while they were in police custody. It’s a slap on media rights and more evidence to an alarming rise in surveillance among African countries, but it’s also a bit disappointing. Flexispy is a powerful, commercially available spyware that can track calls, send photos, and intercept communications. Yet, it’s a commercially available spyware that’s easier to discover in comparison to more premium spyware software like Pegasus and Predator.

India’s DPI diplomacy gets deeper into Africa

Six African countries are seeking to join India’s DPI system, months after reports emerged that Nigeria would migrate its entire identity database to MOSIP, a modular open-source platform of India’s International Institute of Information Technology, Bangalore (IIIT-B). Kenya, specifically, will be adopting DigiLocker, another of India’s DPI layers that acts as a secure, cloud-based ecosystem for the storage and instant verification of digital documents like driving licenses and academic certificates. 

India’s DPI system, built from the "India Stack" framework and funding from the Bill & Melinda Gates Foundation and the World Bank, is fast rising as an alternative to vendor-based DPIs. It may offer additional advantages. It is an open-source system that is more interoperable than vendor-based systems. For example, Nigeria’s IDEMIA system could only be modified by IDEMIA, and in the end, still had to function in rigid systems. It reportedly struggled to connect to other systems, such as the National Health Insurance Scheme and the tax system, among others. The decision to move on to India’s MOSIP was motivated by the digital interoperability needs of the country’s tax reform, credit centralisation, data protection, and so on.

Countries like the Philippines, Morocco, and Ethiopia have adopted India’s DPI tech stack with success.

But this also comes with risks. The most obvious risk is that the tech stack is heavily dependent on India, which may draw adoption countries into its sphere of influence. And although politically discouraged from doing so, India would theoretically have the capability to insert backdoors. In late 2023, India suffered a breach of this system, which led to the personal information of over 815 million citizens, including names, phone numbers, and Aadhaar IDs, being put up for sale on the dark web. When everyone runs the same system, everyone can be targeted via the same vulnerabilities.

Israeli spyware in Angola and Kenya

This week, Amnesty International confirmed traces of Predator spyware on the phone of Teixeira Candido, a prominent Angolan journalist and former Secretary General of the Syndicate of Angolan Journalists (SJA). In Kenya, Citizen Lab confirmed traces of Cellebrite on the phone of activist Boniface Mwangi.

Predator and Cellebrite are Israeli-made surveillance technologies. Public observers also noted that Jeffrey Epstein and Ehud Barack pushed Israeli spy tech in Nigeria. The news writes itself. 

FEATURE

• Propaganda Machine: Secret documents reveal Russia’s foreign influence strategy across three continents

• Cyber fines are increasing financial and regulatory exposure for businesses

• El Rufai, NSA & 2027 elections: Welcome to the peak period for unlawful surveillance in Nigeria

HEADLINE

• Gabon pulls plug on Facebook and TikTok amid anti-government protests

• Land Bank declines to confirm R50m ransom claim as cyber investigation continues

• Google-Backed Resilio Africa launches to tackle rising cyber threats across major African economies

• Tanzania tops the region in cybersecurity standards

• Tanzania to begin data protection inspections in April

• DRC accuses MTN of operating without a licence near the eastern border

• Russian blogger faces 25 years after secretly filming women in Ghana, Kenya and sharing videos online for cash

• Data governance in Algeria: the head of government launches a national system

• Starlink orders Kenyan users to verify ID by April 30

• Djibouti unveils biometric mobile ID to enhance access to public services

• The national police of Senegal launches online platform for reporting cybercrimes

ACROSS THE WORLD

• Hackers target supporters of Iran protests in new espionage campaign

• China may be rehearsing a digital siege, Taiwan warns

• Russia blocks WhatsApp nationwide, promotes state-backed mAX messaging app

OPPORTUNITIES

• AU digital and innovation fellowship program

See you next week.