State of Privacy Kenya

Last modified: Tuesday, March 14, 2017 - 14:20

Introduction

Acknowledgement 

The State of Surveillance in Kenya is the result of an ongoing collaboration by Privacy International and National Coalition of Human Rights Defenders - Kenya.

 

Right to Privacy

The constitution

Article 31 of the Constitution specifically protects the right to privacy. It states:

"Every person has the right to privacy, which includes the right not to have—

(a) their person, home or property searched;
(b) their possessions seized;
(c) information relating to their family or private affairs unnecessarily required or revealed; or
(d) the privacy of their communications infringed."

Furthermore, Article 2 of Kenya’s Constitution states that Kenya's international obligations, such as its commitment to the Universal Declaration of Human Rights and International Covenant on Civil and Political Rights, which include privacy rights, are part of Kenyan domestic law. It states:

“(5) The general rules of international law shall form part of the law of Kenya.

(6) Any treaty or convention ratified by Kenya shall form part of the law of Kenya under this Constitution.”

Regional and international conventions

Kenya is a signatory to or has ratified a number of international conventions with privacy implications, including:

Communication Surveillance

Introduction

The Communications Authority of Kenya (CA) collects statistics on the communications sector. Mobile penetration was recorded at 83.9% in June 2015, with 36.1 million mobile subscriptions. There were an estimated 29.6 million internet users in Kenya in June 2015, with 69% of the population having access to the internet, according to the CA.

Social media is widely used in Kenya. According to a June 2015 report by the Bloggers Association of Kenya (BAKE), social media platforms such as blogs, Twitter and Facebook have “become an effective tool through which Kenyans can write on topics of interest to them as well as exercise their freedom to free speech.” Popular platforms include Twitter and Facebook. Facebook had 4 million Kenyan users in June 2015. Kenya had over 700,000 confirmed monthly active users on Twitter, the majority of whom accessed Twitter on a daily basis.

Surveillance laws

The Kenya Information and Communications Act (2009) penalises the unlawful interception of communications by service providers. Article 31 states:

“A licensed telecommunication operator who otherwise than in the course of his business—

(a) intercepts a message sent through a licensed telecommunication system; or

(b) discloses to any person the contents of a message intercepted under paragraph (a); or

(c) discloses to any person the contents of any statement or account specifying the telecommunication services provided by means of that statement or account, commits an offence and shall be liable on conviction to a fine not exceeding three hundred thousand shillings or, to imprisonment for a term not exceeding three years, or to both.”

Article 83 states:

"(1) Subject to subsection (3), any person who by any means knowingly:—

(a) secures access to any computer system for the purpose of obtaining, directly or indirectly, any computer service;

(b) intercepts or causes to be intercepted, directly or indirectly, any function of, or any data within a computer system, shall commit an offence."

Article 93 (1) states:

"No information with respect to any particular business which—

(a) has been obtained under or by virtue of the provisions of this Act; and

(b) relates to the private affairs of any individual or to any particular business,

shall, during the lifetime of that individual or so long as that business continues to be carried on be disclosed by the Commission or by any other person without the consent of that individual or the person for the time being carrying on that business."

Section 15 (1) of the Kenya Information And Communications (Consumer Protection) Regulations (2010) states that:

“Subject to the provisions of the Act or any other written law, a licensee shall not monitor, disclose or allow any person to monitor or disclose, the content of any information of any subscriber transmitted through the licensed systems by listening, tapping, storage, or other kinds of interception or surveillance of communications and related data.”

However, several recent legal developments have eroded protections against surveillance and expanded the intelligence and law enforcement agencies' interception powers.

These include the National Intelligence Service (NIS) Act (2012), article 36 of which reads:

“(1) The right to privacy set out in Article 31 of the Constitution, may be limited in respect of a person suspected to have committed an offence to the extent that subject to section 42, the privacy of a person's communications may be investigated, monitored or otherwise interfered with.

(2) The Service shall, prior to taking any action under this section, obtain a warrant under Part V.”

Article 45 states:

“....an officer of the Service the power to obtain any information, material, record, document or thing and for that purpose – (a) to enter any place, or obtain access to anything; (b) to search for or remove or return, examine, take extracts from, make copies of or record in any other manner the information, material, record, document or thing; (c) to monitor communication; or (d) install, maintain or remove anything.”

The Prevention of Terrorism Act (2012) grants extensive powers to state authorities to limit fundamental freedoms and encroach on the right to privacy through surveillance. Article 35 states:

“(1) Subject to Article 24 of the Constitution, the rights and fundamental freedoms of a person or entity to whom this Act applies may be limited for the purposes, in the manner and to the extent set out in this section.

(2) limitation of a right or fundamental freedom under subsection (1) shall apply only for the purposes of ensuring —

(a) the investigations of a terrorist act;

(b) the detection and prevention of a terrorist act; or

(c) that the enjoyment of the rights and fundamental freedoms by an individual does not prejudice the rights and fundamental freedom of others.

(3) The limitation of a fundamental right and freedom under this section shall relate to

(a) the right to privacy to the extent of allowing ...

(iii) the privacy of a person's communication to be investigated, intercepted or otherwise interfered with.”

The Security Laws (Amendment) Act (2014) states in article 69, which is an amendment of the Prevention of Terrorism Act, that:

“(1) The National Security Organs may intercept communication for the purposes of detecting, deterring and disrupting terrorism in accordance with procedures to be prescribed by the Cabinet Secretary.

(2) The Cabinet Secretary shall make regulations to give effect to subsection (1), and such regulations shall only take effect upon approval by the National Assembly.

(3) The right to privacy under Article 31 of the Constitution shall be limited under this section for the purpose of intercepting communication directly relevant in the detecting, deterring and disrupting terrorism.”

These acts have been presented as a positive tool to tackle threats to national security in view of the 2013 terrorist attack on the Westgate shopping mall, and Al Shabaab attacks in Mandera in 2014 and Garissa University in 2015.

Data retention

The Kenya Information And Communications Act (2009) regulates the retention of electronic records and of “information in original form”. Section 83 states:

“Where any law provides that documents, records or information shall be retained for any specific period, then that requirement shall be deemed to have been satisfied where such documents, records or information are retained in electronic form if:

(a) the information contained therein remains accessible so as to be usable for subsequent reference;

(b) the electronic record is retained in the format in which it was originally generated, sent or received or in a format which can be demonstrated to represent accurately the information originally generated, sent or received; and

(c) the details which will facilitate the identification of the original destination, date and time of dispatch or receipt of such electronic record are available in the electronic record...”

Surveillance actors

The main intelligence agency in Kenya currently is the National Intelligence Service (NIS). The NIS was established by the 2012 National Intelligence Service (NIS) Act; it is both the domestic and foreign intelligence agency of Kenya. Its precursor, the National Security Intelligence Service (NSIS), was created in 1998 as a successor of the Special Branch, which dated back to the late colonial period. Until 1999, the NSIS had been joined to the police. The NSIS had been implicated in a number of surveillance scandals, allegedly spying on Kenyan activists abroad.

The NIS has a wide-ranging mandate. Its primary function is to gather, collect, analyse and transmit or share with the relevant state agencies, security intelligence and counter intelligence with an aim of detecting and identifying threats or potential threats to national security. It also advises the President and government of these threats, and transmits intelligence information to other agencies.

A National Security Council oversees intelligence operations in Kenya. The council is comprised of the President, Cabinet Secretaries including the Secretaries responsible for defence, foreign affairs, and internal security; the Attorney-General; the Chief of Kenya Defence Forces; the Director-General of the National Intelligence Service; and the Inspector-General of the National Police Service.

The Kenyan police also have surveillance powers, established in the National Police Service Act (2011) and the National Police Service Commission Act 2011. The current Kenyan police force reports to the Inspector General of Police, and is a department of the Ministry of Interior and Coordination of National Government. The Criminal Investigations Department of the Police Force was created in the 1920s. It has authority to “collect and provide criminal intelligence; undertake investigations on serious crimes including ...cyber crime”.

Surveillance capabilities

Internet monitoring

In March 2012, the telecommunications industry regulator, the Communications Commission of Kenya (CCK, the precursor to the Communications Authority), announced that it was setting up a system to allow the authorities to monitor incoming and outgoing digital communications. CCK requested that all telecommunication service providers cooperate in the installation of internet traffic monitoring equipment, known as the Network Early Warning System (NEWS). The CCK cited a rise in cyber security threats as a justification for this move. NEWS is an initiative of the UN's International Telecommunication Union (ITU) to aggregate data on cybersecurity threats and disseminate it worldwide.

Packet inspection

In January 2013, The Citizen Lab of the University of Toronto published a research brief in which it reported that researchers had discovered Blue Coat PacketShaper installations in countries including Kenya. Technologies from US-based Blue Coat allow for the surveillance and monitoring of interactions on applications including Facebook, Gmail, Skype and Twitter, among others. It is unclear whether Blue Coat PacketShaper installations were in place in Kenya.

Surveillance oversight, checks and balances

The telecommunications industry is regulated by the Communications Authority (CA), formerly known as the Communications Commission of Kenya (CCK). The CA was established in 1999 and is responsible for facilitating the development of the ICT sector including broadcasting, multimedia, telecommunications, electronic commerce, postal and courier services.

 

Surveillance case law

Privacy International is not aware of any court cases challenging or touching upon communications surveillance powers in Kenya.

Examples of surveillance

According to the few civil society groups in Kenya who work on the issues, it is difficult to work on privacy and surveillance in the country as the issue is not widely deemed important by society in general. This is in part because the increased number of security threats has enabled a strong national security discourse to overshadow concerns about individuals' privacy. Privacy is often considered subsumed to other human rights issues.

There are nevertheless serious concerns over disproportionate and unlawful surveillance in Kenya. In 2012, Peace Brigades International stated in relation to human rights defenders (HRDs) in Kenya that “incidences of surveillance by state and non-state actors have been reported. Offices have been raided or burgled and computers hacked, and several organisations suspected that their phones were being tapped.” In October 2013, Human Rights Watch warned of the rising attacks on HRDs. Regular reports by the East and Horn of Africa Human Rights Defenders Project (EHAHRDP) and Front Line Defenders of HRDs and journalists being intimidated, attacked, arrested, tortured, killed, and kidnapped in Kenya demonstrate the significance of the issue.

During and in the aftermath of the March 2013 elections, the Kenyan government requested that mobile phone providers block text messages that were deemed to incite violence using a firewall that would detect messages containing key words, identified beforehand, to be further analysed. The National Steering Committee on Media Monitoring of the Ministry of ICT reportedly intercepted 300,000 text messages during the 2013 elections.

In July 2015, it was revealed that agents of the Kenyan intelligence services had contacted intrusion malware company Hacking Team to ask them to shut down a critical blog 'Kahawa Tungu' as a 'proof of concept' for their surveillance tools. The Kenyan government appeared to be attempting to procure the Remote Control System tool that allows for remote hacking and control of target devices.

The combination of these trends raises serious concerns about the government's potential use of surveillance tools to further repress civil society and HRDs, especially in the context of the 'war on terror,' which the government has used as a legitimizing narrative to justify serious human rights violations.

US government surveillance

In May 2014, The Intercept reported that a programme of the US National Security Agency (NSA) called MYSTIC secretly monitored the telecommunications systems of several countries including Kenya, where the system was known as DUSKPALLET. The programme was described in internal documents as a “program for embedded collection systems overtly installed on target networks, predominantly for the collection and processing of wireless/mobile communications networks.” Evidence provided to The Intercept shows that the programme dates back to 2013, and that data gathered through it has been used to generate intelligence reports. The Intercept states that “the operation in Kenya is ‘sponsored’ by the CIA, according to the documents, and collects ‘GSM metadata with the potential for content at a later date’." In some of the other countries where MYSTIC is implemented (The Bahamas, Mexico and the Philippines), MYSTIC required “contracted services for its ‘operational sustainment’”; this is not the case for Kenya however. It is unclear what - if any - role the government of Kenya, as well as telecommunication and communication providers, played in the deployment of MYSTIC.

Data Protection

Data protection laws

Kenya does not currently have specific data protection legislation. However, a Data Protection Bill 2013 has been forwarded to the Attorney General for publication, and the Cabinet Secretary for Information Communication and Technology announced the Bill was expected to be presented in Parliament by the end of May 2014. The Bill was still being debated as of February 2016 and has not yet passed.

Once law, the Bill will give effect to Article 31(c) of the Constitution, which outlines the right of every person not to have “information relating to their family or private affairs unnecessarily required or revealed” and Article 31(d), the right not to have “the privacy of their communications infringed”. It will also regulate the collection, retrieval, processing, storing, use and disclosure of personal data. Yet the proposed legislation does not explicitly address the protection of data stored in the “cloud” (synchronised storage centres for digital data). Many cloud repository servers are based outside Kenya, which further troubles the proposed legislation.

Law enforcement access to stored data

Under section 31 of the Kenya Information and Communication Act (2010), telecommunications providers are liable for prosecution if "otherwise than in the course of [their] business -- (a) intercepts a message sent through a licensed telecommunication system; or (b) discloses to any person the contents of a message intercepted under paragraph (a); or (c) discloses to any person the contents of any statement or account specifying the telecommunication services provided by means of that statement or account".

In this vein, Section 15(1) of the Kenya Information and Communications (Consumer Protection) Regulations (2010), states that a licensee “shall not monitor, disclose or allow any person to monitor or disclose, the content of any information of any subscriber transmitted through the licensed systems by listening, tapping, storage, or other kinds of interception or surveillance of communications and related data”.

However, the recently adopted Kenya Information and Communications (Registration of Subscribers of Telecommunication Services) Regulations (2014) permit access to private or confidential information on consumers without a court order. Section 13, 'Access to sites and records' reads:

“A licensee shall grant the Commission's officers access to its systems, premises, facilities, files, records and other data to enable the Commission inspect such systems, premises, facilities, files, records and other data for compliance with the Act and these Regulations.”

Vodafone’s transparency report, Law Enforcement Disclosure Report, published in June 2014, noted that "local operators are legally prohibited… from implementing the technical requirements necessary to enable lawful interception" and it had “not received any agency or authority demands for lawful interception assistance" in Kenya. Vodafone also noted that "the legal position is unclear regarding whether or not it would be lawful for Safaricom (Vodafone's local associate operator) or Vodafone to disclose statistics related to agency and authority communications data demands". 

The Kenya Information and Communications (Registration of Subscribers of Telecommunication Services) Regulations (2014), including the Section 13 quoted above, were published on 7 February 2014.

The CCK/Communications Authority has argued that their request to access personal information is in line with Article 35 of the Constitution that permits citizens the right to access information held by the State or by another person and is required for the exercise and protection of any rights or fundamental freedom. However, the Kenya High Court ruled that a company or agency is not a “natural person” and so could not enjoy the rights upheld by Article 35.

Accountability mechanisms

Privacy International is not aware of any specific accountability mechanisms related to communications surveillance in Kenya.

Data breaches: case law

Privacy International is not aware of any specific accountability mechanisms related to communications surveillance in Kenya. Please send any tips or information to: research@privacyinternational.org

Examples of data breaches

In December 2014, the Kenyan government arrested and expelled 77 Chinese on suspicion of "preparing to raid the country's communication systems", according to the Police. Kenyan media reported that police raids had uncovered equipment capable of infiltrating bank accounts and government servers, as well as a popular banking system and ATM machines.

Reports from April 2016 indicate that Anonymous breached the Kenyan Ministry of Foreign Affairs' servers and published 1 terabyte of files online. The Ministry later confirmed the hack as genuine and the result of junior staff members unknowingly giving access to the hackers by changing their passwords.

Identification Schemes

ID cards and databases

Population registration

In December 2012, a Ukrainian company, EDAPS, completed the creation of an Integrated Population Registration System (IPRS) for the Kenyan government. The IPRS collects data from a dozen databases held by various government agencies. It combines data from birth and death registers, the citizenship register, ID card register, aliens register, passport register and the marriage and divorce register as well as elections register, tax register, drivers register, National Social Security Fund (NSSF) register, National Hospital Insurance Fund (NHIF) register and the Kenya National Bureau of Statistics (KNBS) register. When it was deployed, Kenya had yet to adopt data protection legislation and the collection, centralisation and sharing of this type of data.

Biometric registration

In April 2014, the Kenyan government announced that it would be registering all Kenyans in a new national digital database that would include biometric details as well as information on land ownership, establishments and assets. The aim of the programme is to facilitate the identification of people holding forged or false identification documents. Under the Umoja Kenya Initiative, the government would collect all data pertaining to an individual including name, age, identities of relatives, property owned and residence.

Voter registration

The right to vote is guaranteed to all Kenyan citizens over the age of 18. The Independent Electoral and Boundaries Commission requires registrants to provide either a national Identity Card (ID) or a valid passport as proof of identity.

SIM card registration

Identification and registration of subscribers

In 2010, the Communications Commission of Kenya (CCK) (renamed the Communications Authority in 2014) announced that mobile phone subscribers would be required to register their details with operators or risk having their SIM cards deactivated. Subscribers have been obliged to provide the following personal information in order to register their SIM cards: full names, physical and postal addresses, dates of birth, and alternative contacts. When a minor is registered, the child’s guardian must produce an identification card.

The Kenya Information and Communications (Amendment) Act (2013) integrated some requirements already included in the Kenya Information and Communications (Registration of Subscribers of Telecommunication Services) Regulations (2012).

Policies and Sectoral Initiatives

Cybersecurity policy

In 2014, the Ministry of Information, Communications Technology published its cybersecurity strategy. The four goals of the strategy are to:

  • Enhance the nation’s cybersecurity to facilitate the country’s growth, safety, and prosperity;
  • Raise cybersecurity awareness and develop Kenya’s workforce to address cybersecurity needs;
  • Foster information sharing and collaboration among stakeholders to facilitate an information sharing environment; and
  • Provide national leadership by defining the national cybersecurity vision, goals, and objectives and coordinating cybersecurity initiatives at the national level. 

Cybercrime

Kenya does not yet have a law dealing specifically with cybercrime, though public officials claim that rates of cybercrime are on the rise. The 2014 draft Cybercrime and Computer Related Crimes Bill seeks to equip law enforcement agencies with the legal and forensic tools to tackle cybercrime. Free speech advocacy group Article19 warned that if enacted, the Bill risked having a devastating effect for freedom of expression online in Kenya because of its broad definition of speech offences, offences against computers and other computer-related offences.

A 2016 version of the bill, the Cybersecurity and Protection Bill, is scheduled to be debated. The new bill reportedly provides for the creation of a National Cyber Threat Response Unit to receive and investigate reports on cyber threats and suggest measures to curb the threat. The bill introduces a raft of new liabilities for cyber crime offenses, including that a person who accesses or causes to be accessed a computer or computer system or network for purposes of terrorism is liable if convicted to life imprisonment.

Encryption

There are no specific regulations concerning the use of encrypted communications methods. The use of encryption of banking and other online traffic and data is routine.

Licensing of industry

Kenya has a diverse market of telecommunications and internet service providers. The main mobile data and internet service providers were Safaricom, Airtel, Telka) and Finserve (Equitel) in June 2015. Safaricom dominates the market with 63% of mobile data/internet subscriptions. The Kenyan government owns 35% of Safaricom shares, while 40% are owned by Vodafone and 25% are freely floated.

The top fixed/wireless internet providers are Wananchi Group Limited, Liquid Telecom Limited, and Safaricom with 53.6%, 16.5% and 9.2% of the market respectively.

The relationship between companies and government agencies is not clear. However, Safaricom, which controls a large share of both the mobile telephony and internet market, is a stated partner of the Kenyan police service and has recently won a number of high-value state security contracts, including for a nationwide CCTV and emergency response monitoring centre.

E-governance/digital agenda

A variety of government services, including business documentation, marriage documentation and land documentation, are provided online through the eCitizen portal. The eCitizen services terms of use state that "No personally identifiable information is automatically collected about visitors who simply browse this site or who download information from it. eCitizen does not release any information about the collection of IP addresses to any third party, except under court order or as required by law."

Health sector and e-health

In 2011, the government of Kenya published a national e-Health strategy. The strategy is linked to the achievement of Vision 2030, a Kenyan government initiative whose overall goal in health is to have an “equitable and affordable healthcare at the highest achievable standard” for Kenyan citizens.

Safeguarding privacy and security is one principle of the strategy, which states that the government will aim to "[a]dhere to/put in place applicable legislation to protect consumer confidentiality as a mandatory part of the regulatory environment governing procedural or systems development processes to support e-Health. In addition, to providing basic system security and protect against unlawful access or malicious damage to information, every effort must be made to ensure that access is absolutely restricted to authorized persons in accordance with their rights and permissions profile."

Smart policing

In May 2014, the government announced that the partially state-owned Kenyan communications provider Safaricom had been awarded a government tender to set up a new surveillance system for the Kenyan Police, known as the Integrated Public Safety Communication and Surveillance System.

When the surveillance system was made public, it was announced that the system would cost KES 12.3 billion (approximately US$ 140 million). There are two elements to the project. First, the system would link all security agencies in order to facilitate information sharing and public safety activities. Secondly, it would establish a surveillance camera system consisting of 1,800 CCTV cameras nationwide. These would be installed in Nairobi, the capital, and the coastal city of Mombasa and connected to 195 police stations through a secure 4G network. The system would have facial and movement recognition capacities in real time. The main organising hub for the system would be a monitoring centre in Nairobi where data collected would be retained and analysed. The system is now functional in Nairobi and Mombasa.

In June 2014, the Kenyan National Assembly's Committee on National Security decided to suspend the contracting process for the new system on the basis that the procurement process had failed to meet necessary standards, following complaints from unsuccessful companies who bid for the contract. The final decision, in May 2015, was to award Safaricom the contract for the system.

The tender has since become the focus of a corruption scandal following the publication in Nairobi Law Monthly of details alleging improper procurement procedures and bribery by Safaricom and Huawei.

Transport

Privacy International is not aware of any specific privacy issues related to transportation in Kenya. Please send any tips or information to: research@privacyinternational.org

Migration

Privacy International is not aware of any specific privacy issues related to migration in Kenya. Please send any tips or information to: research@privacyinternational.org

Emergency response

Privacy International is not aware of any specific privacy issues related to emergency response in Kenya. Please send any tips or information to: research@privacyinternational.org

Humanitarian and development programmes

Privacy International is not aware of any specific privacy issues related to humanitarian and development programmes in Kenya. Please send any tips or information to: research@privacyinternational.org