The Elephant


Data Protection in the Age of Huduma Namba: Who Will Benefit?

By Rasna Warah

Data Protection in the Age of Huduma Namba: Who Will Benefit?

A few years ago, in my Monday column in the Daily Nation, I explained why I was not among the millions of Kenyans who are on Facebook. I told my readers that the main reason I had not joined Facebook was because I wanted to keep my private life private.

I said that Facebook allows users to connect and “make friends” with dozens, if not hundreds, of people they would not normally interact with in daily life, which would not be such a frightening prospect if those you interacted with were people you trusted with all your heart. But because Facebook is an equal opportunity friendship-maker, the “friends” you make on the social networking platform could range from your boss to your plumber. This could affect your career development and your home life in significant ways.

Mark Zuckerberg, the founder of Facebook, believes that by allowing many people to share more of their personal lives with each other, he is helping to create a virtual global community where “people stay in touch and maintain empathy for each other.” In other words, he believes he is creating a more caring world, where transparency and openness are the modus operandi and where there are no secrets.

However, critics have argued that instead of connecting people in meaningful ways, Facebook actually isolates people, who spend more time online rather than doing things that strengthen relationships, such as talking to each other or sharing a meal. With an estimated 2.7 billion Facebook users around the world and an estimated 10 million users in Kenya alone, that is a scary scenario that has severe consequences on how people socialise and interact.

But what is even scarier is that Facebook – the company – has been sharing users’ private data with third parties without their knowledge, as has been confirmed by the Cambridge Analytica scandal, which revealed that Facebook users had been manipulated to impact elections in the United States and in Kenya, as well as in the Brexit referendum in the UK. The Cambridge Analytica scandal has shown that no data is safe and that those with ill intentions can use people’s personal information for nefarious objectives or for political gain.

It is not just companies like Cambridge Analytica (which closed shop as a result of the scandal) that are using Facebook data without users’ knowledge or consent. Recently, a local newspaper revealed that in the first half of 2019 the Kenyan government had on five different occasions demanded that Facebook reveal private information about Kenyan users of the social networking site. According to an article published in the Standard (which somehow did not raise any furore in Kenya perhaps because, as one Twitter user commented, we are so used to being abused that we no longer have the energy or motivation to fight back), “the [Kenyan] State refused to use proper legal channels while demanding the information, insisting on the urgency of the demand”.

The Cambridge Analytica scandal has shown that no data is safe and that those with ill intentions can use people’s personal information for nefarious objectives or for political gain.

The article, based on Facebook’s transparency report, further says that Facebook complied with at least one of these demands, but the company did not give details on the nature of the information the Kenyan government had demanded. The government also asked Facebook to preserve the account information of seven users. Apparently, such requests/demands are not unusual; reports indicate that the United States government requested Facebook to provide data on 82,461 users in the first six months of this year, while India made such requests on 33,324 users.

Data privacy and protection: An illusion?

At a time when data privacy and protection are becoming increasingly important, especially in light of revelations that governments and private companies are using social media platforms to manipulate voters, as happened in the Cambridge Analytica case, and in an environment of increasing xenophobia and fear-mongering, this revelation should have been a cause for alarm. But as is with most things in Kenya, news that the government was spying on its citizens and collecting data on them without their knowledge or consent barely elicited a yawn.

The story becomes even more intriguing given that Facebook is facing heavy criticism for violating users’ privacy. In July this year, Facebook was fined $5 billion by the US Federal Trade Commission for violating users’ privacy. The settlement includes several provisions that limit Facebook owner Mark Zuckerberg’s decision-making powers, including the creation of a privacy committee on Facebook’s board of directors.

We must also remember that the Jubilee government of Uhuru Kenyatta and William Ruto has not been averse to manipulating social media users to win elections. Not only has this government been implicated as a beneficiary of Cambridge Analytica’s social engineering and “psychological warfare” tactics in the 2013 and 2017 elections, but it also employed a gang of bloggers known as “The State House Boys” to bombard Kenyans with propaganda prior to and during the election period.

But as is with most things in Kenya, news that the government was spying on its citizens and collecting data on them without their knowledge or consent barely elicited a yawn.

Ironically, this is the same government that is now going after bloggers through the controversial Kenya Information and Communications (Amendment) Bill that some view as a gagging order on bloggers and social media users – a form of censorship that will severely curtail what and how Kenyans communicate via the Internet.

The Bill says that bloggers will need a licence to operate. Failure to comply with this requirement and to adhere to the standards set by the Communications Authority of Kenya could lead to fines of up to Sh10 million or two years in prison. Offences include “degrading” and “intimidating” recipients/readers. This leaves the door wide open for politicians and others to charge bloggers with all manner of offences just because they do not like what they have to say about them. Columnists, cartoonists, writers and even photographers could be “criminalised” on spurious grounds.

Huduma Namba and commercial interests

Ironically, while this Bill is being debated, Parliament has finally woken up to the fact that privacy is a right guaranteed by the Kenyan Constitution. A few days before Kenyans learnt that the government was spying on its citizens through Facebook, President Uhuru Kenyatta approved legislation that complies with the European Union’s General Data Protection Regulation. The Data Protection Bill, 2019, which came into force in mid-November this year, prevents governments and corporations from sharing an individual’s personal data without the consent of the owner of the data. Personal data is defined as information relating to a person’s race, ethnicity, gender, marital status, educational background, medical condition, criminal history and financial transactions, among others. (Note: Some data, such as a person’s credit rating, though protected by privacy laws in Kenya and in other countries, are still easily accessible to interested parties.)

A Data Protection Commissioner will also be appointed to ensure that the law is enforced. The Commissioner will not only receive complaints about data privacy violations but will also have the power to investigate breaches of privacy and to impose fines. However, the Data Protection Bill also says that this law will not apply to personal data collected for the purposes of national security or in the public interest.

This law is viewed as critical to ensuring that data is not abused by third parties and is seen as a necessary and important step to increase investor confidence in Kenya and to regulate the use of mobile phone technology and digital apps, which are increasingly becoming the targets of predatory business and corporate interests.

The timing of the law is, however, interesting. It comes into force at precisely the time when the government is being criticised by some for implementing the National Integrated Identity Management System – better known as Huduma Namba – which many view as a surveillance tool modelled on the Chinese “social credit” system, where citizens gain points for “good conduct” and lose points for “bad behaviour. As I have said before, the idea that you can be denied a service because you cannot identify yourself through a number negates basic constitutional freedoms and rights. Various government mandarins have said that those without a Huduma Namba will be denied government services, including obtaining a Kenya Revenue Authority Personal Identification Number (PIN).

Critics have also raised privacy concerns with regard to Huduma Namba, which is perhaps why the Data Protection Bill was passed in a hurry – to reassure Kenyans that their personal biometric data is safe and that government institutions have perfected the art of making digital technology secure. However, as has been witnessed in the recent past, laws in Kenya are not sufficient to protect Kenyans from electoral or other types of fraud and invasions of privacy.

For instance, Kenya’s electoral body, the Independent Electoral and Boundaries and Commission, has proved to be completely inept (or deliberately malicious) in using technology, as demonstrated during the 2013 and 2017 elections when the biometric digital systems for voting either failed or malfunctioned. Apart from questions regarding the procurement of the technology, and whether kickbacks were involved, Kenyans watched in horror as the electoral body fumbled through the election results, even claiming that several voting stations could not electronically transmit the election results. Almost all attempts by this so-called “digital” government to introduce computerised systems in government, ostensibly to reduce corruption and to streamline service delivery, have also failed miserably; in fact, corruption has reached unprecedented levels. It is now an accepted fact that the introduction of the Integrated Financial Management Information System (IFMIS) in government procurement led to the disappearance and theft of billions of shillings from state coffers. If IFMIS can be so easily manipulated by government officials, then how easy will it be to hack or manipulate the Huduma Namba and other data collection systems?

There are also strong rumours that the National Hospital Insurance Fund (NHIF) is being routinely robbed by unscrupulous medical officers and NHIF employees. Kenya Power, the country’s only electricity company, has also been accused of stealing from customers by sending them fictitious and inflated bills. All this is possible because employees have access to subscriber/customer data that they can easily manipulate. In other words, no Kenyan is safe from government bodies that provide a service at taxpayers’ expense – you will either be denied the service or will be robbed. –.

Citizens or borrowers? The debt trap

But protecting people’s privacy in order to comply with the Constitution may not be the primary motive of the data protection bill. As David Ndii has suggested in a recent article, the Huduma Namba is not so much a personal identity tool for Kenyan citizens as it is a credit facility that ensures that every Kenyan is a potential “customer” for micro-credit services, and which has the potential to place every adult Kenyan on a borrowing treadmill that will benefit banks and businesses associated with the Kenyatta family.

The scheme could have severe adverse effects on citizens/customers/borrowers who risk getting a negative credit rating, and thus becoming criminalised, not for “bad behaviour” as the Chinese would define it, but for not paying back a loan on time. Remember, unlike a normal credit card, the customers –Kenyan citizens – have not been given a choice whether or not to apply for the card – the government has deemed it mandatory for everyone.

Given the high standards set by international credit card companies on issues such as customer privacy and data protection, it is possible that the Data Protection Bill was a means to make the Huduma Namba (and its local and international commercial partners) compliant with international norms and standards, thus giving the illusion that, unlike rogue betting companies or greedy loan sharks, the Huduma Namba is a respectable and legitimate way of borrowing money.

If IFMIS can be so easily manipulated by government officials, then how easy will it be to hack or manipulate the Huduma Namba and other data collection systems?

The question one must ask is: if the Huduma Namba is essentially a credit card, what business is it of the government to impose credit cards on people who can barely make ends meet, thanks to the same government’s economic policy failures? For the government and its commercial partners to make money from hapless Kenyan borrowers is not only unethical, but raises questions about whether – like the subprime mortgage crisis in America where the US government’s housing agencies encouraged low-income people to buy houses even though they did not have the means to pay the mortgage – this scheme could lead to the collapse of an economy that is already in the doldrums.

Coupled with the “Affordable Housing” pillar of the Jubilee government – which is based on the erroneous premise that a majority of low-income people in the country are eager to own apartments (a notion I refute in this article), I see many Kenyans losing their money and their property because the government has encouraged them to take loans they cannot afford. This government has already set the country on a path to unprecedented and unsustainable debt. Now it wants every Kenyan to become a reckless borrower.

The problem is that, unlike the government, individuals cannot rely on taxpayers or a second credit facility to get them out of a debt trap. Families in the United States who lost their homes during the subprime mortgage crisis have still not recovered, despite President Barack Obama’s efforts to avert a financial crisis in 2008 – a lesson this government is unwilling or unable to process but which signals doom for the many Kenyans who are being made to believe that taking a loan, no matter how risky, is the easiest way out of poverty.


Published by the good folks at The Elephant.

The Elephant is a platform for engaging citizens to reflect, re-member and re-envision their society by interrogating the past, the present, to fashion a future.

Follow us on Twitter.