General Discussion: Data Privacy

The year 2018 can be termed the Year of Privacy. Exhibited by the reaction to the Facebook - Cambridge Analytica scandal and sensitivity of data breaches, to #google axing GooglePlus, Marriott Hotels paying for new passports for guests affected by a major security breach, etc.

And #apple driving privacy Ads such as recently in CES and various talks by their C-level staff …


I recently signed up for a credit and prepaid card (3 - 4 months ago) and only linked my prepaid account to my AWS account.

Surprise, surprise: trying to upgrade (Remove Ads) on an app to premium in the #google Play Store, I was presented with a "buy with #Gpay" payment method: Visa- ####.

A quick search online shows the prevalence of #google purchasing local/offline payment transactions from as early as 2014, from #Reddit rumblings here and here to more prominent articles such as MIT Technology Review's in 2017.

This broadens in scope further than your smartphone and computer to institutions that hold sensitive data about you, be it Govt or not (insurance, healthcare, retailers etc…).

It’s not all doom and gloom with 2 bills being proposed currently for a Data Protection Law courtesy of June Okal and Techweez for coverage.

My main worry is a dystopia where large organizations or governments can surveil and even further build structures such as China’s Social Credit System, which incorporates many sources of info about you (Face recognition -> Cameras, Access to your cloud accounts, WeChat, Alibaba etc…).

The hustle of finding alternatives to configuring things and expenses involved might be too much for some of us. The two major culprits, #google (Gmail, Gsuite, YouTube, Photos and Calendar) and #Facebook (itself, WhatsApp, Instagram and Messenger), seem hard to replace…

The former may not have had serious breaches or its data used in controversial ways, but the extent to which it has data about you may be much more significant than #Facebook.

Recent reports on studies indicate that average Facebook users would have to be paid $1000 to stop using #Facebook for only a year.

Things that cannot be easily substituted or replaced, like Govt institutions, make it impossible.

It is a relevant time for such a discussion as smaller discussions are currently emerging -> Data privacy in some Kenyan apps

Are you concerned about your data privacy? What was your Aha! that you thought was private/confidential? Have you been able to replace services/apps you feel are excessive?

Let's also have a discussion …

This is scary although not entirely surprising from Google.

Implementation will determine the success or failure of this piece of legislation. IMO in this country we don’t take data privacy seriously enough.

The Snowden leaks (remember them?) were a real eye opener for me. Unfortunately the scale of abuse of personal data by both private companies and governments seems to have gotten worse since then.

I’ve managed to wean myself off social media, closing my Facebook, Twitter, LinkedIn and migrating from Gmail to a personal domain powered by ProtonMail. Another good webmail alternative is Tutanota. WhatsApp is the only exception because it is the de facto communication medium between Kenyans.

Another significant change is that I am more thorough with my account settings and computer/phone configurations.

A password manager is a good idea, as is true two-factor authentication where possible, and using Have I Been Pwned to monitor and alert on data breaches.

On the configuration side: Google Chrome was the first to go, default-off location settings are a force of habit now, ad blocking by default and all sorts of small tweaks and enhancements.

I feel that I have more control over my data than the average user however the big tech firms and state agencies still have too much access.


Oh, I forgot about informed consent that we sign off and skip over reading (fine print) just to use a service/app etc… and also OAuth authorizations instead of creating an account for that new app/service you want so badly to start using …

I have been slacking on this but will definitely do it step by step…but a different approach of hosting my own mail, photos, open office etc… in a home and remote server.

Curious to know if either team #android or #iOS … If it’s #android I really doubt location collection is turned off completely unless you’re running something on top like CopperheadOS.

I just hope #Mozilla’s JS engine doesn’t differ so much from Chromium’s where due to market share we start to see "For the best experience use Chrome/Edge etc… "

I guess it’ll get worse with agencies digitizing their operations in information systems accessible/operating on the internet.

These sorts of permissions should be opt-in by default. The nightmare of managing the privacy settings on a Google account is proof enough.

It is easier these days but that’s because of strict European Union privacy laws and not Google themselves.

There are some great email and file hosting alternatives out there.

For file storage I recommend Mega. A free account gives you 50 gigs free and for 30 Euros you can get 8TB per month.

A more advanced user should definitely have a seedbox.

Rooted Android with custom firewall rules. In this era where everything from Bluetooth to the accelerometer is fair game, fully locking down Android is difficult.

These days Firefox has feature parity with Chrome plus it's faster and kinder on resources. Mozilla’s Project Quantum has done a lot to revive the old man of the Internet.

I remember when websites carried these badges back in the Internet Explorer 6 days. Single tab browsing, broken JavaScript, ActiveX and Adobe Flash :sob::sob::sob:

China’s social credit system cited in the first post is scary as it is.


Crucial data

The Integrated Population Registration System (IPRS) will store data of all Kenyans and visitors at the central location for easy electronic access by institutions, including private corporations that provide crucial and sensitive services.

At the touch of a button, it would produce one’s details stored at the various registries including births and deaths, marriages and divorce, as well as passport, aliens, ID cards and citizenship registers.

Such details will be linked and relayed in real time to other agencies like Lands registry, National Social Security Fund, law enforcement agencies, National Hospital Insurance Fund, Kenya Revenue Authority, financial agencies, immigrations, National Transport and Safety Authority, Independent Electoral and Boundaries Commission and universities.


These activities go in line with e-government functions, where accountability of actions or records is one of the key requirements. While the details of the process are yet to be revealed, the government would like to know which Kenyan has taken a specific action, or which citizen is the owner of a certain record. On the other hand, we can only speculate that the government is trying to streamline these records for accountability, which may strongly rely on Huduma Numbers.


The government is now free to collect data on Kenyans’ DNA and physical location of their homes including satellite details during registration of persons.

This follows President Uhuru Kenyatta’s approval of amendments to the Registration of Persons Act that has included the two to the list of requirements needed at the national people’s registry.

Adults applying for documents such as IDs will be required to provide additional information about their location, including land reference number, plot number or house number.

This is also ongoing.

Anyone who comes across that bill, please post it here so we see what our options are.


Here’s a link to the Senate Bill

How could I forget this? @june.tessy did review the bill in an article here.

Also discussed here.

This integration is important, especially for security purposes and to kinda help reduce fraud, but the elephant in the room is: is our data safe, and under what circumstances will the data be used? First address the data security before the collection of all this information, because last I remember the e-citizen portal is hack-able and not that secure.

Every system in existence is “hack-able”, that is not up for discussion. In your opinion what makes e-citizen so insecure?

That’s some good analysis. Data portability is a big win as is privacy by design. I am also happy that in this era of the cloud, data must not necessarily be stored locally.

If the bill passes, implementation and building local capacity will be its own challenge.

Quite insightful!! Thanks.

But on the issue of institutions, IMO the office is a necessary and commendable move towards regulating the data market in Kenya. A line needs to be drawn though, between the powers and roles of the Data Commissioner v. the functions and powers of the Commission on Administration of Justice currently empowered to handle govt. data (generic term for information in possession by Govt.) under the Access to Information Act.

You will not be able to access govt services if you are not registered …

What happens upon failure to register
According to Interior Principal Secretary Karanja Kibicho, lack of registration on the NIIMS portal will lead to missing out on accessing government services, ID, passport, driving licenses and birth certificates.

Last month, the Kenya Parliament passed a seriously concerning amendment to the country’s national ID law, making Kenya home to the most privacy-invasive national ID system in the world. The rebranded, National Integrated Identity Management System (NIIMS) now requires all Kenyans, immigrants, and refugees to turn over their DNA, GPS coordinates of their residential address, retina scans, iris pattern, voice waves, and earlobe geometry before being issued critical identification documents. NIIMS will consolidate information contained in other government agency databases and generate a unique identification number known as Huduma Namba.

  • Security Concerns: The centralized nature of NIIMS creates massive security vulnerabilities. It could become a honeypot for malicious actors and identity thieves who can exploit other identifying information linked to stolen biometric data. The amendment is unclear on how the government will establish and institute strong security measures required for the protection of such a sensitive database. If there’s a breach, it’s not as if your DNA or retina can be reset like a password or token.
  • Surveillance Concerns: By centralizing a tremendous amount of sensitive data in a government database, NIIMS creates an opportunity for mass surveillance by the State. Not only is the collection of biometrics incredibly invasive, but gathering this data combined with transaction logs of where ID is used could substantially reduce anonymity. This is all the more worrying considering Kenya’s history of extralegal surveillance and intelligence sharing.
  • Ethnic Discrimination Concerns: The collection of DNA is particularly concerning as this information can be used to identify an individual’s ethnic identity. Given Kenya’s history of politicization of ethnic identity, collecting this data in a centralized database like NIIMS could reproduce and exacerbate patterns of discrimination.

I am not boarding this train of NIIMS. It has got serious privacy flaws and any breach of my privacy is not a welcome move. People survive without IDs out here; why would I go the mile of exposing my whole life to access gov’t services? I am sure someone will be in court battling this.

It’s compulsory and more significantly you will not be able to access government services without it.

Outside of really remote parts of this country this is not practical at all.

On a more positive note, NIIMS seems to have been passed through the backdoor by parliament meaning a legal challenge is a possibility and as a nation, we can highlight the importance of data privacy.

After all, I am not the only one opting out of Huduma Number. People have opened their eyes, so many won't board and the gov’t will have to reconsider.

Here in the real world some of these services are not luxuries that one can opt out of. The phrase you are looking for is pambana na hali yako ("deal with your own situation").

They are not government services but public services, denying one public services is illegal.

For both legal and ethical reasons, services like access to healthcare and security services are undeniable rights.

On the other hand an adult Kenyan citizen is legally required to possess a KRA Pin certificate and ensure their tax obligations are in order. You could choose to opt out at the expense of denying yourself access to other services.

These are semantics, government is the people.

The Huduma Namba scheme has been highlighted in the 2019 Internet Health Report by Mozilla. There are critical topics discussed such as the state of #ad driven social media platforms, oppressive Govt. Internet shutdowns/blackouts/censorship, and biases encoded into AI systems and the consequences, e.g. Facial Recognition systems biased against people of colour. A treasure trove it is. Give it a read.

Biometrics are being abused. When large swaths of a population don’t have access to physical IDs, digital ID systems have the potential to make a positive difference. But in practice, digital ID schemes often benefit heavy-handed governments and private actors, not individuals. In India, over 1 billion citizens were put at risk by a vulnerability in Aadhaar, the government’s biometric ID system. And in Kenya, human rights groups took the government to court over its soon-to-be-mandatory National Integrated Identity Management System (NIIMS), which is designed to capture people’s DNA information, the GPS location of their home, and more.