Every year, the pan-African non-profit Paradigm Initiative grades African governments on how well they respect digital rights. Its latest assessment, the Londa 2025 report, is out, and on paper Kenya had a decent year. The country’s score on the report’s compliance index rose from 34 out of 60 in 2024 to 37 out of 60 in 2025. On the continental ranking, Kenya climbed from 10th place to 7th, sitting behind South Africa, Ghana, Namibia, Senegal, Egypt and Zambia, and ahead of Rwanda, Malawi and Nigeria.
That sounds like progress, and in a narrow sense it is. But the same report that hands Kenya the higher score also documents a blogger who died in police custody, internet throttling during protests, spyware planted on an activist’s phone, and two of the largest exposures of citizen and company data the country has seen. Both things are true at once. The job here is to explain how a rising score and a rough year can sit side by side, and what each one is actually measuring.
What Londa is, and what the score means
Londa, a Zulu word meaning to protect or defend, is Paradigm Initiative’s annual audit of digital rights across Africa. The 2025 edition covers 29 countries and was launched in late April 2026 at the Digital Rights and Inclusion Forum in Abidjan, CΓ΄te d’Ivoire.
The scoring works through a tool the report calls The Score Index. Researchers rate each country against 12 indicators, including internet shutdowns, false-news criminalisation, arbitrary arrests, data protection, surveillance, child online safety and digital inclusion. Each indicator is scored out of five, for a maximum of 60. The benchmark is not the government’s own targets but the African Commission on Human and Peoples’ Rights Declaration of Principles on Freedom of Expression and Access to Information, a regional human-rights standard Kenya has signed up to. A score of 37 still lands Kenya in the “moderately compliant” band, not the top tier. We covered last year’s edition of the same report when it flagged Kenya for regression on internet access.
Where the extra points came from
The gains are easiest to understand if you remember what an index like this rewards. It rewards frameworks being put in place, laws passed, strategies published, court precedents set. On that front, 2025 was genuinely busy.
Make tech-ish your favourite news source
Star tech-ish.com on Google. We move up your daily feed.
Kenya launched a National Artificial Intelligence Strategy 2025 to 2030, aimed at building AI governance and growing a local AI industry across agriculture, health, education and public services. It also issued its first industry guidelines for child online protection, alongside new data-protection guidance for handling children’s information. Two court rulings went the way of digital rights too. In Katiba Institute v Communications Authority of Kenya, the High Court quashed government notices that would have forced Kenyans to hand over their phone IMEI numbers for a central device database tied to tax checks, finding the plan unconstitutional. And in a separate case, the High Court accepted that Meta can be sued in Kenya over its alleged role in spreading content that fuelled ethnic violence, rejecting the company’s argument that local courts had no jurisdiction over it.
The data-protection regulator was also active. The Office of the Data Protection Commissioner launched a five-year plan and went after digital lenders accused of harassing borrowers. Put together, these are the kinds of moves that lift a compliance score, because the index is partly a measure of whether the legal scaffolding exists.
What the score does not capture
Here is the harder half. The frameworks improved, but how the state actually behaved often did not.
The most serious case is the death of blogger Albert Ojwang, who was arrested in June 2025 over a social media post said to have defamed a senior police officer, and who died in police custody. An autopsy contradicted the initial police account of self-inflicted injury, and the case triggered nationwide protests and murder charges against police officers, as the BBC reported. It became the year’s clearest example of how an online post can end in a cell.
It was not isolated. Software developer Rose Njeri was charged under the Computer Misuse and Cybercrimes Act after building a simple tool that let citizens email their objections to the Finance Bill straight to Parliament, an act of civic participation that prosecutors treated as a cybercrime. The activist Jackson Kuria, known online as Cop Shakur, was charged with publishing false information. A 22-year-old, Titus Sifuna, was taken to court for impersonating President Ruto online. The report says more than 70 people, mostly young digital activists, were charged under anti-terrorism laws in connection with protests. During the June 2025 demonstrations, the Communications Authority of Kenya ordered broadcasters to stop live coverage, and internet monitors recorded Telegram being throttled across Safaricom, JTL and Liquid networks. We documented that blackout and broadcast ban as it happened.
The common thread is the cybercrime law’s vague provisions on “false information” and impersonation, which the report argues are broad enough to sweep up ordinary criticism and satire. The charges against Njeri and Kuria were brought under the original 2018 Act, which remains the main tool used against online speech. Njeri, for her part, has not gone quiet. She is back with a citizen-journalism app called Tuma Report.
Your data, and who keeps reaching for it
If speech was one pressure point in 2025, personal data was the other.
A forensic analysis by Citizen Lab, a research group at the University of Toronto, found spyware planted on the phone of Bryan Adagala, one of the people behind the Blood Parliament documentary, before he was arrested. We have looked at how foreign surveillance tools are feeding the crackdown on dissent, and separately at the government’s move to buy internet-monitoring tools that worried privacy advocates.
The state’s own systems did not fare much better. The Business Registration Service, which holds records on every registered company in Kenya, suffered a breach exposing the details of millions of businesses, including directors and shareholders. The official accounts of the Directorate of Criminal Investigations were hijacked on X and Facebook and used to push cryptocurrency scams, netting the attackers roughly 64.7 Solana tokens, worth several thousand dollars, before control was regained. And at Safaricom, two former managers are accused of pulling the data of about 11.5 million subscribers, including betting histories and location records, and trying to sell it to a sports-betting firm, a breach the report ties to the Data Protection Act.
Two policy moves added to the privacy unease. The Kenya Revenue Authority rolled out a Significant Economic Presence Tax on digital services, and a proposed Kenya Information and Communications (Amendment) Bill would require internet providers to hand the regulator detailed personal data, including ID numbers and usage patterns. Both have valid stated aims. Both also widen the state’s view into what Kenyans do online.
The divide that did not budge
Underneath the rights story sits an access story that barely moved. Only about 53.7% of Kenyans aged three and above own a mobile phone, and the gap between town and country is stark, at 64.6% ownership in urban areas against 48.6% in rural ones. The number of Kenyans relying on basic feature phones, which cannot reach most government digital services, actually rose to more than 32.5 million. Only 22% of teachers had received formal ICT training, which undercuts the schools meant to produce a digitally literate generation. In Vihiga County, stakeholders reported that more than 29,000 registered persons with disabilities still lack access to essential digital tools.
There was real investment too. The Universal Service Fund kept extending coverage, with about KES 6.43 billion committed to its voice-infrastructure project and 2,193 kilometres of fibre laid under the Digital Superhighway programme. But the report repeats a complaint it has made before: there is still no public tracker showing how that money is spent.
What to actually watch next
The cleanest way to read Londa 2025 is this. Kenya’s score rose because the country wrote more of the right rules in 2025, on AI, on child safety, and through courts that pushed back on overreach. The score stayed modest, and the year still felt grim, because writing rules is not the same as following them, and an index struggles to capture a death in custody or a throttled network.
For anyone tracking where this goes, three things are worth following. The first is whether the court challenges to the cybercrime law’s speech provisions succeed, because that is what decides if cases like Rose Njeri’s keep happening. The second is whether the data regulator’s action against errant lenders gains real teeth, given the Central Bank has yet to pull a single licence. The third is the simplest: whether the promised Universal Service Fund transparency tracker ever appears, because that is the difference between spending Kenyans can check and spending they just have to trust. A higher score is a fair description of the paperwork. Whether 2026 feels different on the ground depends on those three.
