Table of contents
Introduction
Right to Privacy
Communication Surveillance
Data Protection
Identification Schemes
Policies and Sectoral Initiatives
Introduction
Acknowledgement
2. Data protection law: Kenya does not currently have specific data protection legislation.
However, a Data Protection bill was tabled in Parliament in 2015.
3. Data protection agency: Kenya does not have a specific data protection authority.
4. Recent scandals: Kenyan and international civil society groups report high levels of
extrajudicial surveillance.
5. ID regime: The Integrated Population Registration System (IPRS) collects data from a dozen
databases held by various government agencies.
Right to Privacy
The constitution
Article 31 of the Constitution specifically protects the right to privacy. It states:
"Every person has the right to privacy, which includes the right not to have—
"(5) The general rules of international law shall form part of the law of Kenya.
(6) Any treaty or convention ratified by Kenya shall form part of the law of Kenya under this
Constitution."
Introduction
The Communications Authority of Kenya (CA) regulates the telecommunications industry and
collects statistics on the sector. Mobile penetration was recorded at 86.2% in March 2017, with
39.1 million mobile subscriptions. There were an estimated 40.59 million internet users in Kenya
in March 2017, representing an internet penetration rate of 89.4% according to the CA.
Social media is widely used in Kenya. Kenya is reported to have over 5 million active daily
Facebook users, and 693,000 confirmed active users on Twitter, according to a study by Ogilvy,
an advertising and public relations firm.
Surveillance laws
The Kenya Information and Communications Act (2009) penalises the unlawful interception
of communications by service providers. Article 31 states:
"A licensed telecommunication operator who otherwise than in the course of his business—
(b) discloses to any person the contents of a message intercepted under paragraph ; or
(c) discloses to any person the contents of any statement or account specifying the
telecommunication services provided by means of that statement or account, commits an offence
and shall be liable on conviction to a fine not exceeding three hundred thousand shillings or, to
imprisonment for a term not exceeding three years, or to both."
Article 83 states:
"(1) Subject to subsection (3), any person who by any means knowingly:—
(a) secures access to any computer system for the purpose of obtaining, directly or indirectly, any
computer service;
(b) intercepts or causes to be intercepted, directly or indirectly, any function of, or any data
within a computer system, shall commit an offence."
(a) has been obtained under or by virtue of the provisions of this Act; and
(b) relates to the private affairs of any individual or to any particular business,
shall, during the lifetime of that individual or so long as that business continues to be carried on
be disclosed by the Commission or by any other person without the consent of that individual or
the person for the time being carrying on that business."
"Subject to the provisions of the Act or any other written law, a licensee shall not monitor,
disclose or allow any person to monitor or disclose, the content of any information of any
subscriber transmitted through the licensed systems by listening, tapping, storage, or other kinds
of interception or surveillance of communications and related data."
However, several recent legal developments have eroded protections against surveillance and
expanded the intelligence and law enforcement agencies' interception powers.
These include the National Intelligence Service (NIS) Act (2012), article 36 of which reads:
"(1) The right to privacy set out in Article 31 of the Constitution, may be limited in respect of a
person suspected to have committed an offence to the extent that subject to section 42, the
privacy of a person's communications may be investigated, monitored or otherwise interfered
with.
(2) The Service shall, prior to taking any action under this section, obtain a warrant under Part
V."
Article 45 states:
"....an officer of the Service the power to obtain any information, material, record, document or
thing and for that purpose — (a) to enter any place, or obtain access to anything; (b) to search for
or remove or return, examine, take extracts from, make copies of or record in any other manner
the information, material, record, document or thing; (c) to monitor communication; or (d)
install, maintain or remove anything."
The Prevention of Terrorism Act (2012) grants extensive powers to state authorities to limit
fundamental freedoms and encroach on the right to privacy through surveillance. Article 35
states:
"(1) Subject to Article 24 of the Constitution, the rights and fundamental freedoms of a person or
entity to whom this Act applies may be limited for the purposes, in the manner and to the extent
set out in this section.
(2) limitation of a right or fundamental freedom under subsection (1) shall apply only for the
purposes of ensuring —
(c) that the enjoyment of the rights and fundamental freedoms by an individual does not
prejudice the rights and fundamental freedom of others.
(3) The limitation of a fundamental right and freedom under this section shall relate to
The Security Laws (Amendment) Act (2014) states in article 69, which is an amendment of the
Prevention of Terrorism Act, that:
"(1) The National Security Organs may intercept communication for the purposes of detecting,
deterring and disrupting terrorism in accordance with procedures to be prescribed by the Cabinet
Secretary.
(2) The Cabinet Secretary shall make regulations to give effect to subsection (1), and such
regulations shall only take effect upon approval by the National Assembly.
(3) The right to privacy under Article 31 of the Constitution shall be limited under this section
for the purpose of intercepting communication directly relevant in the detecting, deterring and
disrupting terrorism."
These acts have been presented as a positive tool for tackling threats to national security in light
of the 2013 terrorist attack on the Westgate shopping mall, and attacks by Al Shabaab in
Mandera in 2014 and Garissa in 2015.
Data retention
The Kenya Information and Communications Act (2009) regulates the retention of electronic
records and of "information in original form". Section 83 states:
"Where any law provides that documents, records or information shall be retained for any
specific period, then that requirement shall be deemed to have been satisfied where such
documents, records or information are retained in electronic form if:
(a) the information contained therein remains accessible so as to be usable for subsequent
reference;
(b) the electronic record is retained in the format in which it was originally generated, sent or
received or in a format which can be demonstrated to represent accurately the information
originally generated, sent or received; and
(c) the details which will facilitate the identification of the original destination, date and time of
dispatch or receipt of such electronic record are available in the electronic record..."
Surveillance actors
The principal intelligence agency of Kenya is currently the National Intelligence Agency (NIS).
The NIS was established by the 2012 National Intelligence Service (NIS) Act; it is both the
domestic and foreign intelligence agency of Kenya. Its precursor, the National Security
Intelligence Service (NSIS), was created in 1998 as a successor of the Special Branch, which
dated to the late colonial period. Until 1999, the NSIS had been joined to the police.
The NIS has a wide-ranging mandate. Its primary function is to gather, collect, analyse and
transmit or share with the relevant state agencies any security intelligence and counter
intelligence with an aim of detecting and identifying threats or potential threats to national
security. It also advises the President and government of these threats, and transmits
intelligence information to other agencies.
A National Security Council oversees intelligence operations in Kenya. The council is
comprised of the President, Cabinet Secretaries including the Secretaries responsible for defence,
foreign affairs, and internal security; the Attorney-General; the Chief of Kenya Defence Forces;
the Director-General of the National Intelligence Service; and the Inspector-General of the
National Police Service.
The Kenyan Police Service also has surveillance powers, established in the National Police
Service Act (2011) and the National Police Service Commission Act 2011. The current
Kenyan police force reports to the Inspector General of Police and is a department of the Ministry
of Interior and Coordination of National Government. The Directorate of Criminal
Investigations of the Police Force was created in the 1920s. It has authority to "collect and
provide criminal intelligence; undertake investigations on serious crimes including ...cyber
crime".
Surveillance capabilities
Direct access
A March 2017 investigation by Privacy International revealed that the NIS has direct access to
Kenya's telecommunications networks, which allows for the interception of both
communications data and content. Direct access describes situations where state agencies have a
direct connection to telecommunications networks which allows them to obtain digital
communications content and data (mobile and/or internet) without prior notice or judicial
authorisation and without the involvement of the telecommunications provider or internet service
provider that owns or runs the network.
In January 2017, the Communications Authority (CA) announced a further three measures
costing an estimated 2 billion KSh (15.2 million GBP) to monitor Kenyans' communications and
communications devices. Among these was a "device management system" to detect
fraudulent devices and a social media monitoring project. According to an investigation
published in March 2017 by Privacy International, in late 2016, the CA finalized a
contract with Israeli 'web intelligence' firm webintPro, according to CA sources.
Packet inspection
In January 2013, The Citizen Lab of the University of Toronto published a research brief in
which it reported that researchers had discovered Blue Coat PacketShaper installations in
countries including Kenya. Technologies from US-based Blue Coat allow for the surveillance
and monitoring of interactions on applications including Facebook, Gmail, Skype and Twitter,
among others. It is unclear whether Blue Coat PacketShaper installations were in place in Kenya.
Technical research published in March 2017 by the Centre for Intellectual Property and
Information Technology Law (CIPIT) at Kenya's Strathmore University indicated the presence
of a middle-box on Safaricom's cellular network. According to CIPIT, middle-boxes assume a
dual-use character in that they can be used for legitimate functions (e.g., network optimisation)
and can simultaneously be used for traffic manipulation, surveillance and aiding censorship.
Units of the NIS, the Directorate of Military Intelligence and Police Directorate of Criminal
Investigations all have (or had) mobile devices used to track targets, collect communications data
and listen in to live communications for operational purposes, according to a March 2017
investigation by Privacy International.
Examples of surveillance
According to the few civil society groups in Kenya who work on the issues, it is difficult to work
on privacy and surveillance in the country as the issue is not widely deemed important. This is in
part because an increased number of security threats has enabled a strong national security
discourse to overshadow concerns about individuals' privacy. Privacy is often considered
subsumed to other human rights issues.
There are nevertheless serious concerns over disproportionate and unlawful surveillance in
Kenya. In 2012, Peace Brigades International stated in relation to human rights defenders
(HRDs) in Kenya that "incidences of surveillance by state and non-state actors have been
reported. Offices have been raided or burgled and computers hacked, and several organisations
suspected that their phones were being tapped." In October 2013, Human Rights Watch warned
of the rising attacks on HRDs. Regular reports by the East and Horn of Africa Human
Rights Defenders Project (EHAHRDP) and Front Line Defenders of HRDs and journalists
being intimidated, attacked, arrested, tortured, killed, and kidnapped in Kenya demonstrate the
significance of the issue.
During and in the aftermath of the March 2013 elections, the Kenyan government requested
that mobile phone providers block text messages that were deemed to incite violence using a
firewall that would detect messages containing key words, identified beforehand, to be further
analysed. The National Steering Committee on Media Monitoring of the Ministry of ICT
reportedly intercepted 300,000 text messages daily during the 2013 elections.
In July 2015, it was revealed that agents of the Kenyan intelligence services had
contacted intrusion malware company Hacking Team to ask them to shut down a critical blog
as a 'proof of concept' for their surveillance tools. The Kenyan government appeared to be
attempting to procure the Remote Control System tool that allows for remote hacking and control
of target devices.
The combination of these trends raises serious concerns about the government's potential use of
surveillance tools to further repress civil society and human rights defenders, especially in the
context of the 'war on terror,' which the government has used as a legitimizing narrative to justify
serious human rights violations.
US government surveillance
In May 2014, The Intercept reported that a programme of the US National Security Agency
(NSA) called MYSTIC secretly monitored the telecommunications systems of several countries
including Kenya, where the system was known as DUSKPALLET. The programme was
described in internal documents as a "program for embedded collection systems overtly installed
on target networks, predominantly for the collection and processing of wireless/mobile
communications networks." Evidence provided to The Intercept shows that the programme dates
back to 2013, and that data gathered through it has been used to generate intelligence reports.
The Intercept states that "the operation in Kenya is 'sponsored' by the CIA, according to the
documents, and collects 'GSM metadata with the potential for content at a later date'." In
some of the other countries where MYSTIC is implemented (The Bahamas, Mexico and the
Philippines), MYSTIC required "contracted services for its 'operational sustainment'"; this is not
the case for Kenya however. It is unclear what - if any - role the government of Kenya, as well as
telecommunication and communication providers, played in the deployment of MYSTIC.
Data Protection
In 2016, a draft Cyber Security and Protection Bill originating in the Senate was tabled and
read. It was withdrawn in December.
In this vein, Section 15(1) of the Kenya Information and Communications (Consumer
Protection) Regulations (2010), states that a licensee "shall not monitor, disclose or allow any
person to monitor or disclose, the content of any information of any subscriber transmitted
through the licensed systems by listening, tapping, storage, or other kinds of interception or
surveillance of communications and related data".
"A licensee shall grant the Commission's officers access to its systems, premises, facilities, files,
records and other data to enable the Commission inspect such systems, premises, facilities, files,
records and other data for compliance with the Act and these Regulations."
The CCK/Communications Authority has argued that their request to access personal
information is in line with Article 35 of the Constitution that permits citizens the right to access
information held by the State or by another person and is required for the exercise and protection
of any rights or fundamental freedom. However, the Kenya High Court ruled that a company or
agency is not a "natural person" and so could not enjoy the rights upheld by Article 35.
Accountability mechanisms
Privacy International is not aware of any specific accountability mechanisms related to
communications surveillance in Kenya. Please send any tips or information
to: research@privacyinternational.org
Reports from April 2016 indicate that hacker collective Anonymous breached the Kenyan
Ministry of Foreign Affairs' servers and published 1 terabyte of files online. The Ministry
later confirmed the hack as genuine and the result of junior staff members unknowingly giving
access to the hackers by changing their passwords.
Identification Schemes
Biometric registration
In April 2014, the Kenyan government announced that it would be registering all Kenyans in a
new national digital database that would include biometric details as well as information on land
ownership, establishments and assets. The aim of the programme is to facilitate the identification
of people holding forged or false identification documents. Under the Umoja Kenya Initiative,
the government would collect all data pertaining to an individual including name, age, identities
of relatives, property owned and residence.
In September 2015, it was announced that Pakistan's government database and registration
authority, the National Database and Registration Authority (Nadra), had won a contract to
provide e-passport software for Kenya. NADRA's databases in Pakistan are among the world's
biggest population registers.
Voter registration
The right to vote is guaranteed to all Kenyan citizens over the age of 18. The Independent
Electoral and Boundaries Commission requires registrants to provide either a national Identity
Card (ID) or a valid passport as a proof of identity.
The government conducted an exercise to biometrically verify voters for the August 2017
presidential elections. In March 2017, the government announced that it had awarded a 3.8
billion KSh contract for an elections management system to the French multinational defense
and security company OT-Morpho. In September, the Supreme Court of Kenya annulled the
August 2017 results, which saw President Uhuru Kenyatta reelected, over irregularities in the
electronic transmission of the results from polling stations across the country. Kenyatta was
re-elected in a fresh round of elections held on 26 October 2017.
In other election-related news, President Kenyatta's Jubilee party reportedly hired UK big data
consulting firm, Cambridge Analytica, to assist in President Kenyatta's re-election campaign.
The Kenya Information and Communications (Amendment) Act (2013) integrated some
requirements already included in the Kenya Information and Communications (Registration
of Subscribers of Telecommunication Services) Regulations (2012).
In January 2017, the Communications Authority announced three projects — one each to
monitor radio frequencies, monitor social media platforms, and 'manage devices' — to prevent a
repeat of the post-election violence of the 2007 election period. The telecommunications
industry reacted strongly against the measures. CA authorities rushed to assure Kenyans that
the projects would only be used to enforce regulatory compliance. Details of the Device
Management System leaked to the press in March 2017, prompting a successful High Court
challenge to the system which suspended its progress until May.
Cybersecurity policy
Kenya's cybersecurity initiatives rely heavily on foreign government assistance. The National
Cybersecurity Strategy, also referred to as the National Cybersecurity Strategy and Master Plan,
was first developed for the Ministry of Information and Communication (MOIC) over four
months from July 2012 with a grant from the US Trade and Development Agency for Technical
Assistance. Booz Allen Hamilton, a prominent American management firm with significant
national security contracts, was contracted to help develop the plan. The resulting National
Cybersecurity Strategy was unveiled in May 2014. The four goals of the strategy are to:
Enhance the nation's cybersecurity to facilitate the country's growth, safety, and prosperity;
Raise cybersecurity awareness and develop Kenya's workforce to address cybersecurity needs;
Foster information sharing and collaboration among stakeholders to facilitate an information
sharing environment; and
Provide national leadership by defining the national cybersecurity vision, goals, and objectives
and coordinating cybersecurity initiatives at the national level.
The National Computer Incident Response Team (KE-CIRT) was created in consultation
with International Telecommunications Union. The CIRT is responsible for the implementation
of the national Cybersecurity Strategy, among other tasks. It derives its mandate from the Kenya
Information and Communications Act 1998. It has been operational since 2012.
Cybercrime
Kenya does not yet have a law dealing specifically with cybercrime, though public officials
claim that rates of cybercrime are on the rise.
An early 2014 draft Cybercrime and Computer Related Crimes Bill sought to equip law
enforcement agencies with the legal and forensic tools to tackle cybercrime. Free speech
advocacy group Article 19 warned that if enacted, the Bill would be devastating for freedom of
expression online in Kenya because of its broad definition of speech offences, offences against
computers and other computer-related offences.
The 2016 Computer and Cyber Crimes Bill, which replaces the 2014 draft, was approved by
the Kenyan cabinet in April 2017. The bill has been criticised for having overly broad
categories of offenses, which could potentially be used to prosecute free speech. Another draft
2016 Cybersecurity and Protection Bill was withdrawn in December 2016.
Encryption
There are no specific regulations concerning citizens' use of encrypted communication methods.
Licensing of industry
Kenya has a diverse market of telecommunications and internet service providers. In June 2017,
Safaricom dominated the market with 72.6% of mobile subscribers, followed by Airtel, Telkom
Kenya, Finserve and others. The Kenyan government owns 35% of Safaricom shares, while
40% are owned by Vodafone and 25% are freely floated.
The top data providers in June 2017 were Safaricom (77.1%), Airtel (15.6%), and Telkom Kenya
(6.2%). Kenya also has a broadband (fixed) internet penetration rate of 15.4%, corresponding
to 34.2 million subscriptions.
Safaricom, which controls a large share of both the mobile telephony and internet market, is a
stated partner of the Kenyan police service and has recently won a number of high-value state
security contracts, including for a nationwide CCTV and emergency response monitoring
centre.
E-governance/digital agenda
A variety of government services including business, marriage and land documentation are
provided online through the eCitizen portal. The eCitizen services terms of use state that "No
personally identifiable information is automatically collected about visitors who simply browse
this site or who download information from it. eCitizen does not release any information about
the collection of IP addresses to any third party, except under court order or as required by law."
Safeguarding privacy and security is one principle of the strategy, which states that the
government will aim to "[a]dhere to/put in place applicable legislation to protect consumer
confidentiality as a mandatory part of the regulatory environment governing procedural or
systems development processes to support e-Health. In addition, to providing basic system
security and protect against unlawful access or malicious damage to information, every effort
must be made to ensure that access is absolutely restricted to authorized persons in accordance
with their rights and permissions profile."
In 2017, it was announced that Kenyan company BioSIM was launching two new biometric
verification products designed to track pupil enrolment and attendance in schools (BioSIM for
Education) and make healthcare service delivery more efficient (BioSIM for Health). The
technology involves collecting clients' iris scans and using these to verify identity for access to
services. BioSIM for Education has been reportedly taken up by a number of schools across
Kenya.
Smart policing
In May 2014, the government announced that the partially state-owned Kenyan communications
provider Safaricom had been awarded a government tender to set up a new surveillance system,
known as the Integrated Public Safety Communication and Surveillance System, for the Kenyan
Police.
When the surveillance system was made public, it was announced that the system would cost
KES 12.3 billion (approximately US$ 140 million). There are two elements to the project. First,
the system would link all security agencies in order to facilitate information sharing and public
safety activities. Secondly, it would establish a surveillance camera system consisting of 1,800
CCTV cameras nationwide. These would be installed in Nairobi, the capital, and the coastal city
of Mombasa and connected to 195 police stations through a secure 4G network. The system
would have facial and movement recognition capacities in real time. The main organising hub
for the system would be a monitoring centre in Nairobi where data collected would be retained
and analysed. The system is now functional in Nairobi and Mombasa.
In June 2014, the Kenyan National Assembly's Committee on National Security had decided to
suspend the contracting process for the new system on the basis that the procurement process had
failed to meet necessary standards, following complaints from unsuccessful companies who bid
for the contract. The final decision, in May 2015, was to award Safaricom the contract for the
system.
The tender has since become the focus of a corruption scandal following the publication in
Nairobi Law Monthly of details alleging improper procurement procedures and bribery by
Safaricom and Huawei.
Transport
Kenya's National Transport and Safety Authority (NTSA) announced in July 2017 that it
would begin issuing digital driving licenses. The ID, which bears a microchip, would
reportedly contain driving histories and allow for direct payments to judicial services in the event
of fines. It is unclear which authorities would have access to information held on the card.