In August this year, misconfigured power apps from Microsoft led more than a thousand web apps to mistakenly expose 38 million records on the open internet, including data from a number of COVID-19 contact tracing platforms, vaccination sign-ups, job application portals, and employee databases. Many people's phone numbers and COVID-19 vaccination status were visible due to the leak.
This recent sensitive information exposure comes months after a joint report by Article 19, Kickanet and Pollicy revealed that in an effort to curb COVID-19, the Kenyan government used various contact tracing apps, digital surveillance technologies, and biometric technologies to track and trace citizens without regard for due process. The report further confirms that despite the heavy use of these technologies, there was limited impact or effectiveness in curbing the spread of the virus.
The government has upscaled contact tracing and testing in the country to determine the level of spread of the Indian variant in the community. https://t.co/w3kZW9W9Jr
— Oliver Mathenge (@OliverMathenge) June 2, 2021
The government is using biometric technologies and CCTVs in public spaces for facial recognition; smartphones for call data, tapping, and geotagging; and contact tracing apps to help identify those who have come into contact with infected people. All the equipment was sourced or made locally like the coronavirus contact tracing app that was launched by the government to track passengers on public transportation.
However, some are concerned that the Kenyan government's efforts to curb infections are seriously infringing on citizens’ guaranteed human rights of privacy, data protection, freedom of expression, and access to information. Human and digital rights activists are concerned about the surveillance of public spaces using CCTV and biometric technologies, the use of telecommunications data to “track and trace” individuals, and the coronavirus contact tracing applications.
Mobile phone surveillance
An April 2021 report by Article 19, Pollicy, and Kictanet revealed that Telecommunications data was used to track “mobile phones of people suspected of having COVID-19 as a way of enforcing a 14-day mandated isolation period” and anyone who entered Kenya who pledged to self-quarantine, in real-time. The giant telecom company, Safaricom procured phone information for the government. It is not the first time the government tapped Safaricom for a sensitive project, in 2021 they secured a contract for a 13.5 million US dollar police surveillance project.
The National Intelligence Service used phone data to track COVID-19 patients’ travels, according to the report by Article19 of East Africa. The patients were “not supposed to turn off their phones,” because breaking these official rules could lead to detention in government-run monitoring centers.
The report cites an incident from March 2020, in which a woman traveling from the United Kingdom to Kenya was monitored using her phone and taken to a government medical facility after going to work, indicating a violation of the self-quarantine mandate.
Before coronavirus apps were suggested, built, or utilized, the Kenyan government used telecommunications data to track and trace individuals through location and call data from smartphones. Neighboring Uganda also used national security and public health concerns to justify restricting privacy and data protection rights while ignoring due process, bypassing the internationally recognized three-part test of legality, necessity, and proportionality.
Data protection laws
Kenya's 2019 data protection legislation was supposed to offer a framework for the acquisition of personal data in a transparent and rights-respecting manner. However, throughout the first year of the pandemic, documented surveillance trends and unsupervised data collecting indicated two issues.
For starters, the lack of independent oversight of these data protection rules led to a lack of enforcement and regulation implementation on data controllers and processors, including public health agencies. Second, the surveillance capabilities and practices of state and non-state actors were not limited or checked as a result of this oversight problem.
Governments have a duty to protect human rights at all times under international human rights law, while corporations have a general obligation to respect human rights in all circumstances.
Although international law allows for a temporary increase in special powers during the COVID-19 pandemic, the UN Special Rapporteur on Privacy warned in his July 2020 report to the UN Human Rights Council that several minimum requirements must first be met. These include legal safeguards that ensure “surveillance cannot be initiated until, or unless, such surveillance is shown to an independent and competent body that such surveillance is legal, necessary, and proportionate to the aim pursued.”
When commenting on the problem of smartphone and contact tracing apps, the Special Rapporteur on Privacy previously stated that;
Relying solely on legislative measures is insufficient. Privacy should be considered from the start, beginning with the application's engineering.’
Whether the app employs a centralized or decentralized approach, whether the app is deployed via required or optional techniques, whether free consent is prioritized, and whether anonymization and encryption measures exist are all important factors to consider.
Lack of accountability and transparency
Kenya lacks the necessary laws that regulate and limit the number of times mobile operators are allowed to “share with authorities the geo-location data of self-quarantined patients with confirmed COVID-19 to monitor that the patients observe self-quarantine,” as well as provide guarantees during this data sharing.
Furthermore, state agencies and private companies in Kenya have not disclosed the scope of their data sharing operations, which include the dissemination of information and data on publicly available platforms (open government platforms) and through publicly accessible resources (corporate transparency reports).
The surveillance efforts grew in response to a lack of accountability and transparency, as well as the government's non-proactive disclosure of information from the pandemic response, making it difficult to determine whether privacy, data protection, and freedom of expression safeguards were applied.
The April 2021 report by ARTICLE 19 Eastern Africa, the Kenya ICT Action Network, and Pollicy made recommendations to the Kenyan government.
Review all measures and systems deployed to address the COVID-19 pandemic which includes data collection programmes, systems, and apps to ensure they strictly comply with the three-part test under international human rights law, and data protection principles, including data minimisation and privacy by design.
Even though surveillance has now taken a low turn compared to when the pandemic started, there seems to be no effort raised by the Kenyan government to address these human rights concerns.