Conflict on Personal Data Protection

Dear listers,

See this case on Twitter. A lady was carjacked, her phone stolen and mpesa
transferred to other numbers by thieves. Safaricom does not want to reveal
the beneficiary numbers for the criminal transactions to the registered
line owner. This is despite them going to Safaricom with an OB number.
x.com/herine_lando/status/1831366028443709797?s=46

Question:

1. Is Safaricom justified to use data protection for its reason to decline
request for information? What’s the real intention of the DPA?

2. Where are consumer and data protection rights on the side of the line
owner? Esp where data protection policy is in conflict with consumer
interests?

3. The line infrastructure belongs to Safaricom, but who does the
transaction data belong to? And how do they share the responsibilities to
protect the data?

4. Are there laws to solve this situation in the interest of the customer?
Do we need to amend some?

Best regards.
Liz.

PGP ID: 0x1F3488BF

19 thoughts on “Conflict on Personal Data Protection”

  1. @Liz Orembo <[email protected]> I thought this is the work of DCI as
    this is a criminal matter? An OB number is insufficient to compel the MNO
    to provide the statement. A court order may be required. Also, I think one
    can easily access their statements online, which I doubt would be tampered
    with. But this is interesting. Waiting to hear what listers think and
    suggest. Thanks.

    On Thu, Sep 5, 2024 at 10:39 AM Liz Orembo via KICTANet <
    [email protected]> wrote:

  2. On Thu, Sep 5, 2024 at 10:39 AM Liz Orembo via KICTANet <
    [email protected]> wrote:

    I am not too conversant with the DP Act, but as long as the lady still has
    the number, she can use a USSD option to obtain the M-Pesa statement sent
    directly to her email by the system.
    But then what does she do with it after finding who her money was sent to?
    DCI. The DCI are the ones who will handle that case – which to me is a
    robbery with violence case.

  3. Liz,

    1. All phone numbers in an MPESA statement have six digits masked, for
    obvious reasons; if the statement is accessed illicitly, the individual
    unique numbers cannot be determined.
    2. There is both security and privacy justification for this. But also
    business case, including liability
    3. The DCI can via a court order get access to the said phone numbers as
    part of investigation, the OB is only a record of the incident with police.

    Imagine a scenario where wakora wa Nairobi, grab you and transfer money to
    a number(s) linked to a terrorist cell, the ATU will seek/find you as the
    owner without having to get an OB no. – but this is their job!

    On Thu, Sep 5, 2024 at 11:40 AM Odhiambo Washington via KICTANet <
    [email protected]> wrote:

  4. Guys I get it. And I am guessing the case here is that Safcom shared the
    statement, but protected personal details in the transactions.

    Where my point of confusion is, where are the lines drawn on ownership and
    responsibility for the transaction data. Remember that this data being
    transacted is about the client’s money. Are they protecting the data
    because of the rights of the beneficiary of the funds? Or should they
    exercise transparency for the rights of the owner of the funds?

    The other questions about the investigative gaps between the DCI and
    Safaricom is, where are consumer rights here? You know this is Kenya. You
    report a case, get an OB, but it ends there? Who is responsible to follow
    up on action? Customer, DCI, Safaricom?

    *I was in another complicated situation two weeks ago, where my device was
    stolen and had data of its movement. A case of burglary where the cops were
    not interested in taking up. Was later told that it’s because I was not
    speaking their language.*

    On Thu, Sep 5, 2024 at 12:44 PM Cephas Joseph via KICTANet <
    [email protected]> wrote:

  5. Hi Liz,

    OCS/Deputy OCS should assign a DCI officer to investigate. The DCI officer
    should ask the court for a warrant/court order so that he/she can present
    to Safaricom for cooperation during the investigation.

    If you don’t get such a help from the police station, you can also go
    directly to the DCI office in Kiambu and an investigating officer should be
    able to help.

    All the best.

    On Thu, 5 Sept 2024, 10:38 Liz Orembo via KICTANet, <
    [email protected]> wrote:

  6. The best thing to do in such a scenario is to report to the nearest police
    station immediately which the lady did.

    On Thu, Sep 5, 2024, 1:10 PM Odhiambo Washington via KICTANet <
    [email protected]> wrote:

  7. Liz,

    Kenya it is, but (un)fortunately Kenya also has that standard process of
    Police/DCI -> Court -> Safaricom for data access.
    Safaricom is a data custodian hence has obligations and accountability for
    any person’s data, (illicit) beneficiary and owner too.

    Two scenarios:

    1. Full transparency by Saf to the owner, with the risk of exposure for
    (illicit) beneficiaries. Take a case where, even innocently, one accesses
    the unique MPESA statement code sent via SMS and authN to your statement.
    With numbers in plain text, what can they do?

    2. With current masking, protecting beneficiaries’ numbers, when one
    accesses the unique MPESA statement code sent via SMS and authN to your
    statement, the masked numbers aren’t useful for them. This covers both
    beneficiary privacy and assures Saf accountability.

    Unfortunately, Safaricom would not place the privacy burden on the
    customer. DPA laws shift this labor to the org, aye? The criminals are also
    Saf’s customers, you know!

    I suppose visiting an official Saf Shop, for a thorough verification of
    customer ID, then being issued with the specific, limited data (cell nos.)
    needed might be a way? Or adopt a technical means, coded MPESA statement in
    app, with most stringent security/privacy controls (TBD)?

    On Thu, Sep 5, 2024 at 1:04 PM Wilfred Omondi via KICTANet <
    [email protected]> wrote:

  8. Cephas,

    Why is it that Safaricom masks numbers on the statement, yet that
    information comes back to the account owner when you send money?

    Why do I need a court order to get information that I already have?

    *Kind regards,*

    *Ochieng A. Ogango*

    *Advocate, LLB (Hons), CPM(M.T.I)*

    On Thu, Sep 5, 2024 at 1:38 PM Cephas Joseph via KICTANet <
    [email protected]> wrote:

  9. Well, in this case she doesn’t 🙂

    Then there are varieties of access. SMS is user privacy level – direct
    verification method, under user control (can delete it).

    MPESA statement is robustly generated from org data stores/records, issued
    by the org as an official asset (even if you lose the SMS, statement
    remains), so it will naturally have org measures applied – can’t be deleted
    by the user in the org data store!

    Even so, open to hearing others’ thoughts.

    On Thu, Sep 5, 2024 at 2:57 PM Ochieng A. Ogango <[email protected]>
    wrote:

  10. Surely you want to believe such a tweet, don’t you think she out to spew
    the idea of an alleged breach!!

    *Kind regards,*

    *Ochieng A. Ogango*

    *Advocate, LLB (Hons), CPM(M.T.I)*

    On Thu, Sep 5, 2024 at 4:24 PM Florence Awino via KICTANet <
    [email protected]> wrote:

  11. How does Safaricom handle data subject rights? Doesn’t every customer of
    theirs have a right to information about their transactions, similar to
    bank statements?
    Masking of important information like where a customer’s phone sent money
    to seems contrary to the right to information.

    On Thursday 5 September 2024, Ochieng A. Ogango via KICTANet <
    [email protected]> wrote:

  12. Nic,

    Do you own the sim card or are a custodian of the Simcard, English is not
    my tongue.

    Regards

    On Thu, Sep 5, 2024 at 3:41 PM Nicodemus Nyakundi via KICTANet <
    [email protected]> wrote:

  13. The processes are punitive, tedious and an avenue for extortion. For the
    police to follow through, you have to pay bribes or forget the whole thing.

    On Fri, Sep 6, 2024 at 1:49 PM Ali Hussein via KICTANet <
    [email protected]> wrote:

  14. Does Data Protection mean me being protected from my own data or me being
    enabled to protect my data? Remember data is embodied, creates a data
    double of a person and they have the rights to control how this looks like.

    Question 2. There’s a lot of ‘things work this way, so let them continue.’
    Well is it fair to the people experiencing this? Should we leave it because
    it creates bad precedent or should we try to balance the areas of policy
    conflict to serve the public.

    3. The police does nothing, the DCI does nothing, Safaricom also does
    nothing. In short, when you’re robbed through your phone which leaves
    digital tracks, you’re the one with the responsibility to go helter skelter
    looking for justice, when the answer to these cases are on people’s noses.

    Best regards.
    Liz.

    PGP ID: 0x1F3488BF

    On Fri, 6 Sep 2024 at 16:50, Johnsey Kivoto via KICTANet <
    [email protected]> wrote:

  15. Transaction histories/statements are personal data belonging to the
    customer and data subject rights should kick in here. Although the telco
    should disclaim its liability for any unlawful use of the statement, the
    statement should be unmasked. The masking conflicts with consumer
    protection rights too.

    Regards,

    Michael Mugo

    On Fri, 6 Sep 2024, 5:51 pm Johnsey Kivoto via KICTANet, <
    [email protected]> wrote:

  16. Hi Twahir,

    Your breakdown is very insightful, and I appreciate how you’ve framed the
    issue. Striking the right balance between privacy and access to critical
    transaction data is essential, especially for a paid service like M-Pesa.
    The information flow you’ve outlined highlights the deliverables that
    customers are rightfully entitled to.

    As a service provider, Safaricom holds this data in trust and should
    prioritize transparency rather than using the Data Protection Act as a
    means to withhold access to such vital information. Denying customers this
    data not only undermines fairness but also ethical business practices.
