Lack of law securing private data online makes you vulnerable

More by this Author

More by this Author

You may consider it magic when you upload a photo on your social network and it automatically recognises all your friends for tagging, but that wizardry may spell danger if it lands in the wrong hands.

Recognising faces means the application has computed and stored details on how users look like through advanced technology.

Can’t an enemy use it to recognise you in a crowd, for example?

But that is just a drop in the ocean of details that technology firms have about us.

They can keep records of your movements if the location function of your phone is turned on, monitor the apps you use, construct your background and health status from the topics you have been searching, and an awful lot more.

It gets worse with loan lending apps that have registered resounding success in the Kenyan market.

Most demand access to a user’s personal details like texts, calls and areas visited.

What can happen if a rogue company shares such data to malicious people?

Are there laws Kenyans can use to seek recourse if the worst happens?

While users in other countries may have legislation that compels technology firms to be more accountable with private details, Kenya’s laws are hazy.

In Europe, social media companies, search engines and other technology firms are in a rush to comply with a set of strict rules governing users’ privacy, called the General Data Protection Regulation or GDPR.

When the rules come into effect on May 25, technology companies accessible in any of the 28 European Union countries will have to toe the line on which type of personal data they can collect and which they can store.

Users who want data about them stored by tech companies will have a legal backing in their push to have it deleted, in what has come to be known as the right to be forgotten.

Firms that do not comply will face fines of up to four per cent of their annual revenue.

In Kenya, however, technology companies are under no obligation to handle users’ information in any specific way.

In 2012, the Data Protection Bill was introduced to Parliament.

Had it been passed as drafted, it would protect personal information, bestowing the constitutional right of a person not to have information relating to their family or private affairs unnecessarily revealed or shared. The status of the bill in not clear.

According to the bill, it would be an offence to send electronic message with the intention of coercing the recipient to disclose personal information for unlawful purposes or to gain unauthorised access to a computer system.

The offender, according to the bill, is liable upon conviction to a Sh300,000 fine or a three-year jail sentence or both.

The bill also requires anyone operating a computer to immediately report an intrusion, disruption or attack on their system to the authorities within seven days.

As the bill gathers dust, in June last year the government introduced the Computer and Cybercrimes Bill 2017 that is still in the National Assembly.

In his memorandum of objects and reasons, Majority Leader Aden Duale said it outlines offences like cyber espionage, cyber stalking, unauthorised disclosure of passwords, among others. Rwanda has made strides towards data protection.

Last year, it adopted the Data Revolution Policy, with the objectives of establishing standards and principles for data management, a framework to develop human capital in data science and define a framework for data creation.

Mr Tim Oriedo, a data scientist and a lecturer at Strathmore Business School, says the absence of a data protection policy puts Kenyans in an awkward position.

“We are left with various interpretations of court orders and this poses a grave risk to corporates and businesses who have valuable data sitting with technology vendors and domiciled in servers abroad,” he told the Sunday Nation.

In light of recent claims of collection and questionable use of Facebook data by Cambridge Analytica, a UK organisation that has been aiding presidential campaigns in different countries, Mr Oriedo said there is a possibility that residents of Europe will sue the social network.

There is no framework for that in Kenya. “We stand to be exploited by such breaches,” he said.

Since the Cambridge Analytica’s manipulation of more than 50 million accounts became public, studies on the amounts of personal data held by firms like Google and Facebook have been launched and the results are shocking.

Writing inThe Guardian last month, UK-based data consultant Dylan Curran disclosed that Google had stored every area he visited in the last 12 months.

“You can see the time of day that I was in the location and how long it took me to get to there from my previous one,” he said.

Any Google user can access the information through a platform the tech company provides.

Mr Dylan also found out that Google even keeps data a person has deleted, as he found his CV, monthly budget and other private information he trashed available for download.

Facebook also has a platform that allows a user to see which information it has, and going through it can be toe-curling — from details of all ads you clicked on to having a copy of all you have posted since you joined.

“I’m not too shocked Facebook has all of this information. Since it’s a history of data, either I or my friends provided to the site piece by piece.

“Yet, taken as a whole big picture, it’s a scary and very accurate mirror of my life,” CNBC technology product editor Todd Haselton wrote in a blog in March.

Some observers have been wondering how much information these firms never make public beyond the one they offer for access and download.

Mr George Njoroge, a forensics data expert and the chief executive of East Africa Data Handlers, warns that it is the little things that people do online that give them away.

“This is massive data about you that is in the hands of other entities and which you have no control over, exposing it to manipulation in the event it falls in the wrong hands. Data today is more valuable than even gold,” he notes.

“The information you share can be manipulated and used to target you using digital online ads, which can sway your opinion about certain important societal issues such as politics and other social causes,” Mr Njoroge adds.

The tech companies’ behaviour justifies the truism: “If you are not paying for the product, then you are the product.”

Mr Emmanuel Chebukati, the director at Nairobi-based Hepta Analytics, has been involved in analysing users’ online data and he knows just how vast the information tech companies have. And he wants a change.

“For me, it is time social media giants stopped telling us what data is being requested by an app and started telling us what the app wants to do with the data.

“This is because users are not aware of the possibilities when they voluntarily give out their data,” he told the Sunday Nation.

Mr Chebukati is also cautious about data available in documents such as M-Pesa transaction books.

“As for Cambridge Analytica, without condoning their behaviour — especially on lying about the use-cases of the data — I pose the question: Where do we draw the line between political persuasion and manipulation of voters?

“Politicians are allowed to persuade voters to their side but when does it become wrong, especially on digital platforms?” Mr Chebukati, whose team was collecting tweets during the 2017 campaigns to find out topics essential to Kenyans allied to various candidates, posed.

Such data, he warns, can be harvested by a politician who wants to know people’s ages, their nearest polling station and establish if they can be receptive to bribes.

– Additional reporting by Thomas Rajula