Kenya Insights

Tag: state surveillance

  • Human Rights Groups Accuse Safaricom of Illegal Data Sharing with Security Agencies

    Human Rights Groups Accuse Safaricom of Illegal Data Sharing with Security Agencies

    Telecom giant allegedly provided unfettered access to customer data without court orders, facilitating tracking and capture of suspects

    Kenya’s largest telecommunications company, Safaricom PLC, faces serious allegations of systematically violating customer privacy rights by providing security agencies with unrestricted access to sensitive customer data without proper legal authorization.

    In a scathing open letter addressed to CEO Peter Ndegwa, the Kenya Human Rights Commission (KHRC) and Muslims for Human Rights (MUHURI) have accused the telecom giant of engaging in “criminal and unconstitutional practices” that may have facilitated human rights violations by Kenyan security forces.

    Explosive Investigation Reveals Years of Alleged Misconduct

    The accusations stem from an investigation published on October 29, 2024, by journalists Namir Shabibi, Claire Lauterbach, and Kenya’s Daily Nation newspaper, which revealed what the rights groups describe as a pattern of illegal data sharing spanning several years.

    According to the investigation, Safaricom allegedly allowed security agencies “routine access to consumer data (including but not limited to call data records and other location data) without a court order, assisting in the tracking and capturing suspects.”

    This practice is particularly concerning given what the rights groups describe as Kenyan security forces’ “reputation for using unlawful tactics, including enforced disappearances, renditions, and extrajudicial killings of suspects.”

    Seven Damning Allegations

    The human rights organizations have outlined seven specific allegations against Safaricom:

    Data Manipulation and Evidence Tampering: The company allegedly handed over responsibility for extracting and handling court-ordered call data records (CDRs) to police officers attached to its Law Enforcement Liaison Office. This created a serious conflict of interest, giving accused security forces the opportunity to “handle the data and conceal evidence of state crime.”

    Falsified Records: Safaricom allegedly released CDRs it certified as authentic despite bearing “signs of manipulation and falsification” in cases involving suspected state-enforced disappearances.

    Obstruction of Justice: The company is accused of habitually declining to provide complete CDRs despite court orders, potentially frustrating the course of justice in investigations of state crimes.

    Unauthorized Surveillance: Security agencies allegedly received routine access to customer data without proper court authorization, enabling them to track and capture suspects.

    Data Retention Deception: Safaricom allegedly retained customer data it claimed had been deleted, including information that could aid in investigating state crimes.

    Surveillance Software Development: In partnership with Neural Technologies Limited, Safaricom allegedly developed software granting security agencies “virtually unfettered access to private consumer data.”

    Predictive Profiling: Police attached to Safaricom allegedly used specialized software to “predictively and preemptively profile Kenyan citizens,” constituting what rights groups call “invasive breaches of customers’ private data rights.”

    Constitutional and Legal Violations

    The rights groups argue these alleged practices make Safaricom potentially liable for violating multiple sections of Kenya’s Constitution, including provisions protecting privacy, dignity, freedom from torture, and access to justice.

    The company may also have violated the Data Protection Act of 2019, which establishes strict guidelines for handling personal data.

    Inadequate Response

    While Safaricom released a public statement on October 31, 2024, attempting to address the allegations, KHRC and MUHURI dismissed it as inadequate, saying the company “conveniently ignored to respond to key findings presented in the investigation.”

    The rights groups characterized Safaricom’s response as a “selective response to grave human rights violations,” failing to address the core allegations about unauthorized data sharing and potential complicity in human rights abuses.

    Demand for Accountability

    In their letter, KHRC and MUHURI demanded that Safaricom “address the substance of the allegations with haste and clarify what steps Safaricom PLC will take to ensure that its data is not used unlawfully, whether by Safaricom staff, Kenyan security forces, or any other third party.”

    The organizations gave Safaricom seven days to respond to their correspondence, setting a deadline that would put additional public pressure on Kenya’s telecommunications leader.

    Implications

    The allegations against Safaricom raise serious questions about corporate responsibility in protecting customer privacy and the role of private companies in potential human rights violations. If proven true, the claims suggest a systematic partnership between Kenya’s largest telecom provider and security agencies that may have facilitated serious human rights abuses.

    The case also highlights growing concerns about digital surveillance and data privacy in Kenya, where telecommunications companies hold vast amounts of personal data that could be misused by authorities.

     

    As Kenya continues to grapple with allegations of enforced disappearances and extrajudicial killings by security forces, the Safaricom case represents a critical test of corporate accountability and the protection of digital rights.

    The telecommunications giant now faces mounting pressure to provide a comprehensive response to the allegations and implement stronger safeguards to protect customer data from unauthorized access.

    [pdf-embedder url=”https://cms.kenyainsights.com/wp-content/uploads/2025/06/Open-letter-to-Safaricom-over-alleged-breaches-of-customers-data-privacy.pdf”]

    Safaricom PLC has not yet responded to the specific allegations outlined in the human rights groups’ letter.

  • Activist Claims Her Safaricom Line Was ‘Behaving’ Weeks To Her Arrest As She Dissects State Surveillance and Safety in Kenya

    Activist Claims Her Safaricom Line Was ‘Behaving’ Weeks To Her Arrest As She Dissects State Surveillance and Safety in Kenya

    Software developer Rose Njeri Tunguru alleges extensive surveillance preceded her detention over anti-Finance Bill website, raising concerns about digital rights and citizen safety

    NAIROBI, Kenya – Software developer and activist Rose Njeri Tunguru has detailed what she describes as extensive state surveillance that preceded her controversial arrest last month, alleging that her mobile phone line exhibited suspicious behavior weeks before authorities detained her over an anti-Finance Bill website.

    In a detailed account published Saturday in the Daily Nation, Tunguru claimed that officers from the Directorate of Criminal Investigations (DCI) revealed during her interrogation that they had been monitoring her communications and movements, including overhearing her phone conversations and tracking her physical location.

    Tunguru was arrested on May 30, 2025, and formally charged with unauthorized interference with a computer system following her creation of a website that allowed Kenyans to send memoranda objecting to the Finance Bill 2025.

    The online tool, known as Civic Email, was designed to facilitate public objections to the Finance Bill 2025.

    Surveillance allegations

    According to Tunguru’s account, the surveillance began months before her arrest.

    She described experiencing unexplained behavior from her Safaricom SIM card, including automatic message sending and phantom notifications with unfamiliar sounds.

    “Whenever I’d put that sim card in my smartphone, it’d send messages on its own. I’d see ‘message sent’. I would also get phantom notifications with sounds not native to my phone,” she wrote.

    The activist claimed that during her statement recording, DCI officers told her: “we weren’t sure you’d go for the event. We heard your calls to your friends and you sounded unsure,” indicating they had been monitoring her private communications.

    She further alleged that officers revealed they had been tracking her movements, stating they were “right behind” her when she crossed an expressway on foot and knew where she lived with her children.

    Questionable calls and location tracking

    Tunguru described receiving calls from unknown numbers where callers spoke in foreign languages, including Arabic.

    In the week following the creation of her email platform but before her arrest, she received concurrent calls to both her work and personal lines from the same caller.

    She also reported receiving fraudulent text messages purporting to be from loan app Tala, sent from random numbers rather than the company’s official short code.

    In hindsight, she believes these communications were used to triangulate her location.

    Safaricom has denied any role in surveillance activities, particularly following similar allegations related to the recent death of blogger Albert Ojwang in police custody.

    Violations

    Tunguru’s account raises questions about compliance with Kenya’s legal framework governing surveillance and data protection.

    The Data Protection Act provides strong privacy protections but explicitly exempts national security and intelligence operations, provided there is court-ordered authorization.

    Under the Computer Misuse and Cybercrimes Act of 2018, law enforcement officers must obtain court-issued warrants before accessing, searching, or seizing computer data.

    Tunguru claims no such warrant was presented when officers confiscated her computer, hard drives, flash discs, and smartphone.

    “The DCI officers who illegally arrested me also illegally took my computer, hard drives, flash discs and smart phone without such a warrant,” she wrote, adding that while officers prepared an itemized list, it did not contain everything taken and she was not provided a copy.

    Connection to recent deaths

    Tunguru’s allegations come in the wake of widespread protests following the death of blogger Albert Ojwang, 30, who died in police custody after being arrested for criticizing a senior police official on social media.

    A postmortem report concluded Ojwang had suffered blunt force trauma, contradicting the official story and pointing to possible foul play.

    According to the Independent Policing Oversight Authority (IPOA), 20 people have died in police custody in just the past four months.

    “In light of Albert Ojwang’s death immediately following an arrest similar to mine, we must ask the hard questions. Are you safe? Are you next?” Tunguru wrote in her account.

    Rights groups have said the arrest signals a trend of criminalizing digital civic engagement.

    The case has drawn attention to the intersection of digital rights, civic participation, and state surveillance in Kenya.

    Despite the allegations, Tunguru says she cannot boycott her mobile service provider as her business depends on calls and mobile money services. She acknowledges that surveillance will likely continue.

    “For now, we must admit and accept this: we are living in a state of surveillance. All of us,” she concluded.

    The DCI had not responded to requests for comment at the time of publication. Safaricom has previously denied involvement in surveillance activities related to recent arrests.

    The case highlights growing concerns about the extent of digital surveillance capabilities and their deployment against citizens engaged in legitimate civic activities in Kenya.