When Al Jazeera’s investigative unit trained its cameras on the nerve centre of Kenya’s telecommunications infrastructure, it did not discover a scandal so much as confirm one that human rights organisations, investigative journalists, civil society and even a series of court proceedings had been assembling, piece by damning piece, for the better part of a decade.
The documentary variously referenced in early circulation as Invisible Eyes: Inside State Surveillance in Kenya — draws a devastating portrait of a company that controls nearly 90 percent of Kenya’s mobile money transactions and holds intimate data on more than 44 million subscribers, and which, the film alleges, has quietly placed that empire of information at the disposal of the state’s security apparatus, often without the inconvenience of a court order.
Safaricom did not respond to Al Jazeera’s requests for comment before the documentary aired. That silence, considered against the backdrop of everything that has come before it, is itself a statement.
“Security personnel could pull subscriber data, location information, call records, and even mobile money transaction details without court orders or warrants.”
A Decade of Warnings Nobody Was Supposed to Hear
The story Al Jazeera is telling in 2026 was first told, with clinical precision, by London-based Privacy International in a 2017 report titled Track, Capture, Kill: Inside Communications Surveillance and Counterterrorism in Kenya.
That document, based on interviews with current and former intelligence officers, military personnel and officials of the Communications Authority of Kenya, described an architecture of surveillance so embedded within Safaricom’s physical infrastructure that the line between the country’s largest private telecommunications company and its intelligence services had become functionally impossible to locate.
The Privacy International report described, in terms that remain damning today, how approximately ten Criminal Investigation Department officers sat on a dedicated floor within Safaricom’s central headquarters building, providing information to all police branches.
It described how the National Intelligence Service had stationed agents informally within Safaricom’s facilities undercover, their presence apparently known to Safaricom but not disclosed to customers.
It described how NIS-owned base transceiver stations had been positioned to directly access Kenya’s telecommunications backbone, enabling the interception of live calls at NIS offices across Nairobi and regional centres.
And it described, through the words of a serving Anti-Terrorism Police Unit officer, exactly how the arrangement was rationalised: if the intelligence request was not destined for court, no warrant was needed.
The DCI officer attached to Safaricom would simply provide the data. Warrants were only required when the evidence had to be made fit for judicial consumption.
A Communications Authority official interviewed in the same report said, without apparent embarrassment, that telecommunications operators largely felt they could not decline security agencies’ requests, in part because of the vagueness in the law — and in part because the agencies wielded the implicit threat of licence revocation.
Safaricom, for its part, has maintained across every iteration of this story that it only shares customer data through lawful means and that its systems are not designed to enable live subscriber tracking.
The company has said so in press releases, through its lawyers, and in letters to human rights organisations. What the courts, the human rights investigators, the international press and now Al Jazeera have collectively established is that those assurances and the documented reality are irreconcilable.
Neural Technologies, the British Company at the Heart of the Machine
When Nation Media Group published its landmark October 2024 investigation a months-long examination of how Kenya’s security agencies access Safaricom subscriber data it identified a detail that the company’s public statements had never disclosed: a little-known British software company called Neural Technologies had, at some point, embedded a data management system directly within Safaricom’s internal architecture.
According to the investigation, that system gave Kenya’s security services virtually unrestricted real-time access to Kenyans’ call data. One component of the toolset was described as a browser portal capable of allowing security agency officers operating in the field to track individuals in real time through their call data records.
The investigation also documented the mechanics of the Law Enforcement Liaison Office an institutional unit lodged within Safaricom headquarters and staffed by police officers from the Directorate of Criminal Investigations.
Requests for subscriber data from police and prosecutors were supposed to flow through this office, logged and verified. What the Nation found was that the same officers who were attached to this office and who therefore had privileged access to the raw data were also officers from agencies accused of extrajudicial killings, enforced disappearances and renditions.
The conflict of interest was not theoretical.
The investigation found specific instances in which call data records certified by Safaricom as authentic bore signs of manipulation and falsification in cases involving suspected state-enforced disappearances.
In one documented case involving a missing person named Ndwiga, police submitted CDRs to Safaricom’s Law Enforcement Liaison Office on February 3, 2022 days before a court order authorising the same disclosure was issued on February 8.
The records submitted to court under both the pre-order and post-order requests covered the same time period and the same mobile line. They were not the same document.
“The same officers attached to the Law Enforcement Liaison Office were from agencies accused of extrajudicial killings and enforced disappearances they handled the very data that could have implicated them.”
The Kenya Human Rights Commission and Muslims for Human Rights wrote to Safaricom CEO Peter Ndegwa in November 2024 laying out seven specific allegations: routine data access without court orders; the handling of court-ordered CDRs by the very police officers suspected of crimes those CDRs might expose; the certification as authentic of records bearing signs of manipulation; the habitual refusal to provide complete records even when courts demanded them; the facilitation of tracking and capture of individuals whose subsequent fates disappearance, extrajudicial killing raised grave questions about why the state wanted to find them in the first place. Safaricom responded through its law firm MMC ASAFO. The allegations, the firm wrote, were not only false but malicious, or alternatively a product of ignorance about how Safaricom’s systems work.
The company then suspended its advertising contract with Nation Media Group worth approximately five million US dollars per month, making Safaricom one of the country’s largest commercial advertisers and threatened a Strategic Lawsuit Against Public Participation, an instrument widely recognised internationally as a tool of corporate intimidation rather than legitimate legal redress. Reporters Without Borders condemned the pressure campaign.
The Kenya Human Rights Commission, Katiba Institute and Muslims for Human Rights wrote to the Media Council of Kenya Complaints Commission urging it to reject Safaricom’s complaint as baseless. The commission, to date, has continued to entertain it.
The Gen Z Dead, the Missing and the Map That Led State Agents to Their Doors
Between June and August 2024, Kenya’s Generation Z shook the country. Young people poured into the streets across 44 of Kenya’s 47 counties to protest the Finance Bill and what they saw as a predatory tax regime imposed on ordinary citizens by an administration that had demonstrated contempt for their futures.
The government’s response was documented by multiple international human rights bodies: police opened live fire into crowds, military vehicles patrolled civilian streets, and a covert campaign of abductions and enforced disappearances was launched against the movement’s perceived organisers and amplifiers.
The Kenya National Commission on Human Rights documented 82 abductions and forced disappearances between June and December 2024.
The targets were not exclusively political figures.
They included online activists, student leaders and ordinary citizens who had, by virtue of a post on X or a location captured at the wrong moment, come to the attention of state security.
Amnesty International, in its November 2025 report, stated that human rights defenders it interviewed believed state surveillance was supported by Safaricom, with the company’s data enabling clandestine police units to locate and track activists who were subsequently forcibly disappeared.
The abductions spiked again in December 2024, following the viral circulation online of AI-generated images depicting President William Ruto in a coffin. The state treated a digital provocation as a national security emergency.
Among those arrested in the coffin-image crackdown was David Oaga Mokaya, a fourth-year finance student at Moi University.
His case would produce, entirely by accident and in open court, the most explicit judicial confirmation yet that Safaricom was sharing subscriber data with security agencies without the protection of a court order.
In September 2025, a Safaricom employee identified in proceedings as Mr Daniaf admitted under cross-examination that the company had complied with a DCI request for Mokaya’s personal data his phone number, location coordinates, call details and submitted a comprehensive report covering nearly a month of his digital life, acting on nothing more than a written request letter from the DCI.
No court order had been obtained before the data was disclosed. Chief Inspector Bosco Kisau, the lead DCI officer in the case, admitted separately that a detention warrant for Mokaya’s electronic devices was only obtained after Mokaya had already been arrested. Mokaya was acquitted on February 19, 2026.
“A Safaricom employee admitted in open court that the company had handed over a student’s phone number, location and call records to the DCI on the basis of a letter alone no court order, no judicial oversight.”
Following the acquittal, a demand letter was issued to Safaricom by advocates acting for Nairobi businessman Alex Mutuku Mbalezi, who had been subjected to the same treatment location tracking, warrantless data disclosure, arrest in a separate case.
The letter demanded Sh250 million in compensation.
The Law Society of Kenya filed a constitutional petition at the High Court seeking a court-supervised audit of every data request the DCI made to Safaricom between June 2024 and December 2025, a formal public apology published in national newspapers across fourteen consecutive days, the expungement of charges brought against protesters on the basis of illegally obtained data, and the creation of a victims’ compensation fund.
The LSK described what it had found as an organised conspiracy to illegally surveil Kenyan citizens. Safaricom, the petition alleged, had maintained a near-real-time backend access arrangement with security agencies a clandestine pipeline of personal information flowing directly to the DCI that operated entirely outside the protections guaranteed by Kenya’s Data Protection Act, 2019.
The Raphael Tuju Episode: When the Nation Watched Safaricom Hand a Man to His Hunters
If there remained any residual possibility that the controversy over Safaricom’s data sharing arrangements was merely theoretical or confined to activist circles, it was extinguished on the morning of March 24, 2026.
On that day, former Cabinet Secretary Raphael Tuju was arrested on the basis of location data that his lawyers and civil society commentators alleged Safaricom had provided to the DCI without judicial authorisation.
Tuju’s arrest generated a furious public debate not merely about the propriety of the action against him, but about the infrastructure that had made it possible a debate that, with uncomfortable timing, was still unfolding on the day Al Jazeera’s documentary began circulating online.
Critics drew a direct and disturbing line: the same apparatus that had been used to track Gen Z protesters in 2024, to locate a university student who posted a satirical image, to facilitate the disappearances of 82 Kenyans documented by the human rights commission, had been deployed against a senior political figure who had run afoul of those in power.
The question being asked publicly was not whether Safaricom’s systems could do this. The question was whether there was any category of Kenyan citizen for whom they would not be deployed.
The Data Breach That Wasn’t About the Government
The surveillance controversy exists alongside, and is compounded by, a separate and equally disturbing scandal involving the commercial exploitation of Safaricom subscriber data. In October 2025, the Business Daily reported that two former senior managers at Safaricom had allegedly accessed and shared customer data names, phone numbers, birth dates, location records, gambling histories, passport and national identification numbers with a private businessman, who sold it onward to a major sports betting firm.
The stolen data pertained to 11.5 million subscribers.
A constitutional petition seeking Sh100 million for the primary victim and Sh10 million for each of the 11.5 million affected subscribers was filed in court. The company sought to block the sale or transfer of the data. The legal actions are ongoing.
What this second scandal reveals, compounding the first, is that the risk to Safaricom subscribers comes not only from an authoritarian government that has decided their data belongs to the state, but from within the company’s own walls.
A subscriber’s M-Pesa transaction history, their precise location at any given moment, their communication patterns, their gambling habits and their official identity documents exist within a single corporate ecosystem.
The demonstrated willingness or failure to protect that ecosystem from both external coercion and internal exploitation has catastrophic implications for 44 million people whose daily lives are now inseparable from the network Safaricom operates.
“Two former Safaricom senior managers allegedly sold data from 11.5 million subscribers names, locations, gambling histories, national ID numbers to a sports betting firm. The subscribers were never told.”
Safaricom, the Surveillance Infrastructure and the 2027 Question
Kenya moves toward the 2027 general election against a background of political turbulence without recent precedent.
President Ruto’s administration has survived a wave of mass protests, the impeachment of a deputy president, sustained international criticism over extrajudicial killings and enforced disappearances, and mounting legal pressure over the data practices that Al Jazeera’s documentary has now placed before a global audience.
The opposition has publicly warned that surveillance infrastructure will be turned against political rivals in the run-up to the vote.
Their concern is not speculative.
A commercial litigation filed at Milimani High Court in November 2024 revealed that aides to the President had allegedly sought to procure software described in court papers as having the capacity to spy on targets, ostensibly as part of efforts to manage communications ahead of the 2027 campaign. The defendants in that case include senior officials of the National Treasury and the Head of Public Service.
The significance of Safaricom’s position in this landscape cannot be overstated. M-Pesa processes the overwhelming majority of Kenya’s mobile money transactions.
Safaricom’s network is the primary mode of communication for the majority of Kenya’s adult population.
Its subscriber database is, in effect, a near-complete map of Kenya where people live, where they travel, who they talk to, what they spend money on and when.
In the hands of a security apparatus that has demonstrated both the willingness and the technical capacity to use that map to hunt its own citizens, the implications are not abstract.
They were played out in real time in the streets of Nairobi in June 2024, in the detention facilities where protesters were held incommunicado, and in the cases that have since wound their way through the courts carrying evidence that was never supposed to see daylight.
The Communications Authority of Kenya has, historically, been no safeguard.
An official from the Authority confirmed to Privacy International nearly a decade ago that telecoms operators felt they could not decline security agencies’ requests without risking their operating licences.
That institutional cowardice if cowardice is what it is, rather than active complicity has persisted through every subsequent scandal, every human rights report, every court revelation and every denial.
The Office of the Data Protection Commissioner, established under the Data Protection Act, 2019, has issued penalty notices to small businesses and schools for privacy violations involving comparatively trivial datasets.
Its conspicuous silence in the face of allegations concerning 44 million Kenyans and the country’s most politically significant data pipeline requires an explanation that, to date, it has not provided.
The Architecture of Denial
Safaricom’s response to each iteration of this scandal has followed a consistent template. Deny. Threaten. Advertise silence.
The company has maintained at every turn that its systems are not designed to track the live location of any subscriber, that data is only shared through lawful means and for lawful purposes, and that the allegations are false and malicious.
It has cited its ISO 27701 Privacy Information Management System certification as evidence of its commitment to data protection. It has pointed to the existence of the Law Enforcement Liaison Office as evidence that requests are channelled and logged.
What the evidence — not allegations, evidence, placed before courts and documented by Amnesty International, the Kenya Human Rights Commission, Privacy International, Reporters Without Borders, Freedom House and now Al Jazeera shows is something different. It shows a company that constructed an institutional architecture, the Law Enforcement Liaison Office, that embedded police officers with access to subscriber databases in a system where the very same officers could handle, and potentially manipulate, the call data records that might otherwise implicate those officers in crimes.
It shows a company that, under oath in the Mokaya trial, disclosed that it had complied with a DCI data request on the basis of a letter alone.
It shows a company that pulled its advertising from the Nation Media Group the moment that newspaper published findings the company could not rebut on the merits.
It shows a company that has repeatedly declined to address the specific factual allegations made against it, preferring instead to attack the credibility of those making them.
That pattern of behaviour is not what an innocent party does. It is what a company does when the truth is more expensive than the denial.
“Safaricom pulled Sh600 million in monthly advertising from Nation Media Group and threatened a SLAPP suit the moment a newspaper published findings it could not rebut on the merits. That is not what an innocent party does.”
What Must Now Happen
The Al Jazeera documentary does not introduce new facts to this record so much as it assembles the existing facts before an audience that extends far beyond Kenya’s borders. Vodacom, Safaricom’s parent company through its 34.94 percent shareholding, has been called upon by digital rights organisation Access Now to launch an independent investigation into Safaricom’s conduct.
The call has gone unanswered.
That silence is its own verdict on the priority Vodacom assigns to the rights of the 44 million subscribers it profits from through the Safaricom network.
The High Court petition filed by the Law Society of Kenya, if prosecuted with the rigour the moment demands, could force into the public domain a complete record of DCI data requests to Safaricom across the period when Kenya’s Gen Z protests were being suppressed by violence and surveillance. That audit, if it happens, will be the definitive accounting.
The question is whether the Judiciary which has itself, in this administration, come under sustained pressure and whose past judgments in cases touching on state power have not always reflected institutional independence will allow it to proceed.
For every Kenyan who carries a Safaricom SIM card and that is very nearly every Kenyan adult the Al Jazeera documentary raises questions that will not recede.
They are questions about the smartphone in their pocket, the M-Pesa transaction they completed this morning, the location data generated by a call they made last week. They are questions about who has access to that data, under what authority, and to what end.
They are questions about whether the country that markets itself as East Africa’s technology capital has, instead, constructed one of the region’s most comprehensive and least accountable surveillance states and whether the most powerful private company in that country has been the willing instrument through which the state has made itself invisible to its own citizens while making its citizens entirely visible to itself.
Safaricom has not responded to the Al Jazeera documentary. It has not responded to the specific findings of the Nation Media Group investigation. It has not responded to the open letter from the Kenya Human Rights Commission and Muslims for Human Rights.
It has not appeared before a parliamentary committee to answer the probe launched by lawmakers over subscriber privacy breaches.
Its CEO Peter Ndegwa has given no public accounting of the Law Enforcement Liaison Office, Neural Technologies’ embedded browser portal, the CDRs that bore signs of manipulation and falsification, or the real-time location data that has been used by security agencies to find and arrest people whose only documented offence was criticising the government of William Ruto.
The company’s silence is understandable from a legal and commercial perspective. It is indefensible from any other.
As June 2026 arrives one year since the first anniversary of the Gen Z protests that left dozens of Kenyans dead, shot by security forces in the streets of a country that calls itself a democracy the question of what Safaricom knew, what it enabled and what it concealed will not be answered by another press release.
It will be answered in court.
It will be answered through the Al Jazeera documentary now circulating among the 44 million Kenyans whose data this company holds. And it will be answered, ultimately, at the ballot box in 2027, when Kenyans will be asked to choose between a government that built this machine and an alternative whose own relationship with institutional power is, as yet, untested.
The machine is real. The evidence is public. The denials have run out.
