Conflict on Personal Data Protection
See this case in twitter. A lady was carjacked, her phone stolen and mpesa
transferred to other numbers by thieves. Safaricom does not want to reveal
the beneficiary numbers for the criminal transactions to the registered
line owner. This is despite them going to Safaricom with an OB number.
x.com/herine_lando/status/1831366028443709797?s=46
Question:
1. Is Safaricom justified to use data protection for its reason to decline
request for information? What’s the real intention of the DPA?
2. Where are consumer and data protection rights on the side of the line
owner? Esp where data protection policy is in conflict with consumer
interests?
3. The line infrastructure belongs to Safaricom, but who does the
transaction data belong to? And how do they share the responsibilities to
protect the data?
4. Are there laws to solve this situation in the interest of the customer?
Do we need to amend some?
Best regards.
Liz.
PGP ID: 0x1F3488BF
@Liz Orembo <[email protected]> I thought this is the work of DCI as
this is a criminal matter? An OB number is insufficient to compel the MNO
to provide the statement. A court order may be required. Also, I think one
can easily access their statements online, which I doubt would be tampered
with. But this is interesting. Waiting to hear what listers think and
suggest. Thanks.
On Thu, Sep 5, 2024 at 10:39 AM Liz Orembo via KICTANet <
[email protected]> wrote:
On Thu, Sep 5, 2024 at 10:39 AM Liz Orembo via KICTANet <
[email protected]> wrote:
I am not too conversant with the DP Act, but as long as the lady still has
the number, she can use a USSD option to obtain the M-Pesa statement sent
directly to her email by the system.
But then what does she do with it after finding who her money was sent to?
DCI. The DCI are the ones who will handle that case – which to me is a
robbery with violence case.
Liz,
1. All phone numbers in an MPESA statement have six digits masked, for
obvious reasons; if the statement is accessed illicitly, the individual
unique numbers can not be determined.
2. There is both security and privacy justification for this. BUt also
business case, including liability
3. The DCI can via a court order get access to the said phone numbers as
part of investigation, the OB is only a record of the incident with police.
Imagine a scenario where wakora wa Nairobi, grab you and transfer money to
a number(s) linked to a terrorist cell, the ATU will seek/find you as the
owner without having to get an OB no. – but this is their job!
On Thu, Sep 5, 2024 at 11:40 AM Odhiambo Washington via KICTANet <
[email protected]> wrote:
Guys I get it. And I am guessing the case here is that Safcom shared the
statement, but protected personal details in the transactions.
Where my point of confusion is, where are the lines drawn on ownership and
responsibility for the transaction data. Remember that this data being
transacted is about the client’s money. Are they protecting the data
because of the rights of the beneficiary of the funds? Or should they
exercise transparency for the rights of the owner of the funds?
The other questions about the investigative gaps between the DCI and
Safaricom is, where are consumer rights here? You know this is Kenya. You
report a case, get an OB, but it ends there? Who is responsible to follow
up on action? Customer, DCI, Safaricom?
*I was in another complicated situation two weeks ago, where my device was
stolen and had data of its movement. A case of burglary where the cop were
not interested in taking up. Was later told that its because I was not
speaking their language.*
On Thu, Sep 5, 2024 at 12:44 PM Cephas Joseph via KICTANet <
[email protected]> wrote:
Hi Liz,
OCS/Deputy OCS should assign a DCI officer to investigate. The DCI officer
should ask the court for a warrant/court order so that he/she can present
to Safaricom for cooperation during the investigation.
If you don’t get such a help from the police station, you can also go
directly to the DCI office in Kiambu and an investigating officer should be
able to help.
All the best.
On Thu, 5 Sept 2024, 10:38 Liz Orembo via KICTANet, <
[email protected]> wrote:
On Thu, Sep 5, 2024 at 1:03 PM Wilfred Omondi via KICTANet <
[email protected]> wrote:
You can go to the DCI office nearest to you. Not necessarily the HQ.
The best thing to do in such a synario is to report the nearest police
station immediately which the lady did.
On Thu, Sep 5, 2024, 1:10 PM Odhiambo Washington via KICTANet <
[email protected]> wrote:
Liz,
Kenya it is, but (un)fortunately Kenya also has that standard process of
Police/DCI -> Court -> Safaricom for data access.
Safaricom is a data custodian hence has obligations and accountability for
any persons data, (illicit) beneficiary and owner too.
Two scenarios::
1. Full transparency by Saf to the owner, with the risk of exposure for
(illicit) beneficiaries. Take a case where, even innocently, one accesses
the unique MPESA statement code sent via SMS and authN to your statement.
With numbers in plain text, what can they do?
2. With current masking, protecting beneficiaries numbers, when one
accesses the unique MPESA statement code sent via SMS and authN to your
statement, the masked numbers aren’t useful for them. This covers both
beneficiary privacy and assures Saf accountability.
Unfortunately, Safaricom would not place the privacy burden on the
customer. DPA laws shift this labor to the org, aye? The criminals are also
Saf’s customers, you know!
I suppose visiting an official Saf Shop, for a thorough verification of
customer ID, then being issued with the specific, limited data (cell nos.)
needed might be a way? Or adopt a technical means, coded MPESA statement in
app, with strignest security/privacy controls (TBD)?
On Thu, Sep 5, 2024 at 1:04 PM Wilfred Omondi via KICTANet <
[email protected]> wrote:
Cephas,
Why is it that Safaricom masks numbers on the statement, yet that
information comes back to the account owner when you send money.
Why do I need a court order to get information that I already have?
*Kind regards,*
*Ochieng A. Ogango*
*Advocate, LLB (Hons), CPM(M.T.I)*
On Thu, Sep 5, 2024 at 1:38 PM Cephas Joseph via KICTANet <
[email protected]> wrote:
Well, in this case she doesn’t 🙂
Then there are varieties of access. SMS is user privacy level – direct
verification method, under user control (can delete it).
MPESA statement is robustly generated from org data stores/records, issued
by the org as an official asset (even if you losse the SMS, statement
remains), so it will naturally have org measures applied – can’t be deleted
by the user in the org data store!
Even so, open to hearing others thoughts.
On Thu, Sep 5, 2024 at 2:57 PM Ochieng A. Ogango <[email protected]>
wrote:
Interesting development; because Safaricom has just called the
complainant’s mother. Isn’t that the real breach? 😊
x.com/herine_lando/status/1831679155647152508?t=dt9dXNBxvRpP8ZLTFPkpLw&s=19
On Thu, 5 Sept 2024, 15:41 Nicodemus Nyakundi via KICTANet, <
[email protected]> wrote:
Surely you want to believe such a tweet, don’t you think she out to spew
the idea of an alleged breach!!
*Kind regards,*
*Ochieng A. Ogango*
*Advocate, LLB (Hons), CPM(M.T.I)*
On Thu, Sep 5, 2024 at 4:24 PM Florence Awino via KICTANet <
[email protected]> wrote:
How does Safaricom handle data subject rights? Doesn’t every customer of
theirs have a right to information about their transactions, similar to
bank statements?
Masking of important information like where a customer’s phone sent money
to seems contrary to the right to information.
On Thursday 5 September 2024, Ochieng A. Ogango via KICTANet <
[email protected]> wrote:
Nic,
Do you own the sim card or are a custodian of the Simcard, English is not
my tongue.
Regards
On Thu, Sep 5, 2024 at 3:41 PM Nicodemus Nyakundi via KICTANet <
[email protected]> wrote:
The processes are punitive, tideous and an avenue for extortion. For the
police to follow thro, you have to pay bribes or forget the whole thing.
On Fri, Sep 6, 2024 at 1:49 PM Ali Hussein via KICTANet <
[email protected]> wrote:
Does Data Protection mean me being protected from my own data or me being
enabled to protect my data? Remember data is embodied, creates a data
double of a person and they have the rights to control how this looks like.
Question 2. There’s a lot of ‘things work this way, so let them continue.’
Well is it fair to the people experiencing this? Should we leave it because
it creates bad precedent or should we try to balance the areas of policy
conflict to serve the public.
3. The police does nothing, the DCI does nothing, Safaricom also does
nothing. In short, when you’re robbed through your phone which leaves
digital tracks, you’re the one with the responsibility to go helter skelter
looking for justice, when the answer to these cases are on people’s noses.
Best regards.
Liz.
PGP ID: 0x1F3488BF
On Fri, 6 Sep 2024 at 16:50, Johnsey Kivoto via KICTANet <
[email protected]> wrote:
Transaction histories/statements are personal data belonging to the
customer and data subject rights should kick in here. Although the telco
should disclaim its liability for any unlawful use of the statement, the
statement should be unmasked. The masking conflicts with consumer
protection rights too.
Regards,
Michael Mugo
On Fri, 6 Sep 2024, 5:51 pm Johnsey Kivoto via KICTANet, <
[email protected]> wrote:
I agree with this notion 100% @Mugo
On Fri, Sep 6, 2024 at 6:17 PM Mugo Michael via KICTANet <
[email protected]> wrote:
Hi Twahir,
Your breakdown is very insightful, and I appreciate how you’ve framed the
issue. Striking the right balance between privacy and access to critical
transaction data is essential, especially for a paid service like M-Pesa.
The information flow you’ve outlined highlights the deliverables that
customers are rightfully entitled to.
As a service provider, Safaricom holds this data in trust and should
prioritize transparency rather than using the Data Protection Act as a
means to withhold access to such vital information. Denying customers this
data not only undermines fairness but also ethical business practices.