In a world where digital privacy is increasingly vulnerable, a recent exposé by Kenya’s Daily Nation, published on 29th October 2024, has brought to light unsettling allegations of unchecked surveillance, implicating the country’s largest telecom provider, Safaricom, in potential breaches of customer privacy.
The investigation claims that Kenyan security agencies are accessing sensitive customer data, including call records and location information, without the legal safeguards mandated by law. This alleged misuse of telecom data has not only raised alarm over privacy rights but has also led to accusations of complicity in cases involving disappearances and extrajudicial actions.
The Daily Nation report, citing months of research and testimonies from insiders, argues that Safaricom’s internal systems allow Kenyan authorities to bypass court orders and monitor citizens in real time. Two days later, on October 31, 2024, Safaricom strongly refuted these claims, issuing a statement that reaffirms its strict compliance with Kenyan data protection laws and its commitment to customer privacy.
Daily Nation’s Allegations Against Safaricom and Kenyan Security Agencies
The Daily Nation exposé alleges that Kenya’s security agencies, with the assistance of a system embedded in Safaricom’s internal infrastructure, have access to customer data without judicial oversight. The report claims that these agencies exploit call data records (CDRs) and location data to track and, in some cases, target individuals without due legal process. The investigation uncovered several instances where CDRs presented to the court showed irregularities and inconsistencies, raising concerns over data manipulation.
According to Daily Nation, “Kenya’s security agencies have gained access to mobile phone customers’ sensitive call data records, along with location data, helping them to track and capture suspects but also violating innocent users’ right to privacy.” The report underscores that this access could implicate Safaricom and other telecoms in potential human rights violations, particularly in cases involving disappearances and extrajudicial actions. In one striking example, the article describes how CDRs for a suspected terrorism case involving Trevor Ndwiga Nyaga showed conflicting locations, with data placing him en route to the Somalia border in one dataset while showing him in Nairobi in another.
The exposé also highlighted Safaricom’s alleged inconsistencies in providing CDRs. “In reality, [CDRs] can be readily obtained by Kenyan police without a formal process,” the article claimed, citing unnamed Safaricom employees and police officers who spoke on the condition of anonymity. These claims suggest that Safaricom and other telecom companies might be sidestepping required protocols when handling sensitive data requests from security agencies.
Safaricom’s Official Response to the Allegations
In response to these serious accusations, Safaricom issued a position statement on data privacy, reiterating its commitment to upholding customer privacy and adhering strictly to Kenyan data protection laws. Safaricom’s statement stresses that the company only releases customer data to security agencies when explicitly required by a court order, pushing back against allegations that it has provided unrestricted access to Kenyan authorities.
“We respect our customers’ privacy and adhere strictly by the country’s data protection laws. As such we do not share any customer data unless explicitly required of us via a court order,” Safaricom said in its statement.
The telecom giant also clarified the purpose and scope of CDRs, stating that they are not real-time tracking tools but rather logs generated after a call ends. This clarification appears to address the Daily Nation’s allegations that security agencies were using CDRs for real-time tracking.
“For information purposes, a customer’s Call Data Record (CDR) does not show any live location and movements of customers but are generated after a call is terminated and for text messages once they are sent or received and this is for purposes of billing only,” Safaricom added.
Furthermore, Safaricom’s response includes details about its relationship with Neural Technologies, a British company involved in creating a fraud management system for the company’s mobile money service. According to Safaricom, Neural Technologies’ system was implemented to detect and prevent fraud, with “no third-party access,” countering Daily Nation’s implication that Neural Technologies’ technology was designed to assist in surveillance.
Contradictions and Key Points of Contention
1. Alleged Unrestricted Access vs. Court Order Compliance
The Daily Nation article accuses Safaricom of giving Kenyan security agencies unrestricted access to CDRs and location data without following proper legal procedures. Safaricom, however, maintains that it only shares customer data in response to verified court orders. This divergence lies at the heart of the controversy, as Safaricom’s stance, if accurate, would mean that any breaches of privacy are not attributable to the telecom provider but to rogue elements within law enforcement. Daily Nation cited anonymous sources who claimed that access to CDRs could be obtained “without a formal process,” suggesting that data privacy protocols are being circumvented. The article implied that the procedural safeguards required by law are often ignored in practice, especially when cases involve security-sensitive topics such as terrorism.
2. Conflicting Data and Potential Data Manipulation
One of the most serious allegations in the Daily Nation article is that Safaricom has, on several occasions, provided inconsistent or potentially manipulated data to the courts in cases involving disappearances and suspected extrajudicial actions. The article details discrepancies in location data, with forensic experts indicating that missing information from base stations and call logs suggested tampering. Safaricom’s statement, however, does not directly address these allegations of data inconsistencies. While the company reaffirms its commitment to transparency and compliance, it does not explain why certain datasets provided to the court might lack crucial location information or contain apparent inaccuracies.
3. Neural Technologies and Data Surveillance Concerns
The Daily Nation article alleged that Safaricom’s collaboration with Neural Technologies facilitated a system that enables real-time tracking and predictive analysis of users, allowing law enforcement to follow suspects’ movements without formal approval. The article cited Neural Technologies’ predictive tool, called Find My Friends, which reportedly allowed law enforcement to track suspects and identify “new suspects” through data patterns. In its response, Safaricom clarified that Neural Technologies’ system is solely a Fraud Management System (FMS) used to detect fraud, with “no third-party access.” This assertion seems aimed at distancing Neural Technologies from any involvement in tracking or surveillance of individuals by law enforcement agencies. However, Safaricom did not specifically mention Find My Friends, leaving open questions about the extent and nature of Neural Technologies’ involvement in law enforcement data requests.
4. ISO 27701 Certification as Evidence of Compliance
To bolster its credibility, Safaricom’s response highlights its recent ISO 27701 Privacy Information Management System (PIMS) certification by the British Standards Institute (BSI). This certification is presented as proof of Safaricom’s commitment to upholding data privacy laws. Safaricom implies that this certification demonstrates its adherence to privacy standards that ensure customer information is protected against unauthorized access. By contrast, the Daily Nation article questions whether Safaricom’s privacy measures are sufficient to prevent unauthorized access by Kenyan security agencies, particularly given the company’s alleged “rubber-stamping” of data requests. For those who support stricter data privacy, Safaricom’s certification may not entirely address concerns about potential abuses of customer data.
5. Broader Implications for Privacy and Security in Kenya
The Daily Nation investigation suggests that the Kenyan government’s access to personal data may be part of a larger issue of unchecked state surveillance, with potential support from international partners. British telecommunications giant Vodafone, which holds a significant stake in Safaricom, and British intelligence agencies have both been linked to data surveillance scandals in other regions. This raises questions about the role of international telecom stakeholders in ensuring that local privacy standards are enforced. Safaricom’s statement, however, does not address any potential international concerns, focusing solely on compliance with Kenyan laws. While it claims adherence to privacy protections, the Daily Nation exposé has fueled calls for greater accountability and transparency in how Safaricom and similar telecoms manage sensitive data.
Conclusion: Lingering Questions and Public Trust
Safaricom’s response to the Daily Nation exposé presents a narrative of a company committed to customer privacy, following all legal requirements and providing data to authorities only under court orders. However, Daily Nation’s allegations paint a different picture, one of an industry that may be complicit in bypassing privacy safeguards, with potential consequences for human rights.
The contrasting perspectives between Safaricom and Daily Nation raise critical questions:
- Is Safaricom truly able to control and monitor how its data management systems are used by security agencies?
- Are the safeguards mentioned by Safaricom, such as court orders, genuinely upheld in every case, or are there backdoor arrangements that allow security agencies to sidestep formal procedures?
- If data inconsistencies and potential tampering exist in court-submitted records, how can these be explained, and what measures will be implemented to address such discrepancies?
For many Kenyans, this issue extends beyond Safaricom; it is a matter of how data privacy is protected in a world where surveillance technology is becoming more advanced and accessible. As concerns grow around data protection, Safaricom’s challenge will be to reassure its customers that their privacy remains intact, even as it faces mounting scrutiny over its relationship with law enforcement agencies.
This debate underscores the urgent need for a regulatory overhaul to safeguard Kenyans’ digital privacy and address the possible misuse of telecom data in cases with high stakes for human rights.