
Kenya: Data from 11.5 million customers of a provider end up on black market

M-Pesa is a Kenyan system for cashless payment. This business model of the Kenyan communications provider Safaricom is built on the transfer of data. Now, employees of the provider have also leaked the personal information of 11.5 million users. The case ends up in court.

This is how the M-Pesa app looks. CC-BY-SA 2.0 Fiona Graham / WorldRemit

Now Kenya has its own data protection scandal. The data of 11.5 million customers of the telecom provider Safaricom have ended up on the black market. These are not only clear names, mobile numbers and the location, as one would expect from a mobile phone provider. It’s also about gambling: exact transactions, on which platforms a customer bet how much.

This is because Safaricom also operates the M-Pesa mobile payment system, which is extremely successful in Kenya. The system can be found at every corner, in every kiosk. At these kiosks, users can deposit money. They can then simply send this credit on by SMS, for example to betting sites.

Message from „Mark“ and „Charles“

The current affair begins on 18 May, when two men calling themselves „Mark“ and „Charles“ get in touch with a man named Benedict Kabugi Ndun’gu and offer him the data of 11.5 million gamblers. He searches the dataset, finds his own data – „I have from time to time used my Safaricom mobile number for gambling“ – and is convinced of the data’s authenticity. Over several weeks, Ndun’gu reports the offer to various police authorities and even to Safaricom itself. He is stalled and instructed to string the potential sellers along. At least that’s how he presents the matter in the lawsuit he has now filed against Safaricom.

„I now found myself in a rather unique position to say the least as I was awaiting feedback from the investigating officer and [Safaricom] whilst creating all manner of lies,“ he writes in the complaint against Safaricom. Ndun’gu was then arrested for one night, without any reasons being given. Still, the next day he helped the police to arrest the two potential sellers in a sting operation.

They led the police to the source of the leak: two high-ranking Safaricom employees. A court then opened the case against them, but with a small surprise for Ndun’gu: „that Charles and Mark, who had illegally accessed the data were not charged and have to date not been charged, they have instead been listed as witnesses.“

Instead, Ndun’gu himself was arrested and charged again. According to the prosecution, he had tried to blackmail Safaricom with the stolen data between May 1 and June 7.

Kenya is proud of M-Pesa

This scandal is not an exception that proves data protection otherwise works well at Safaricom. M-Pesa and the surrounding ecosystem have institutionalized the lax handling of data and could not function without it.

M-Pesa was introduced in 2007 as a microcredit settlement system, but then expanded by Safaricom into a general cashless payment system. Today, 20 million Kenyans use M-Pesa or comparable systems, according to a recent study by the central bank and the NGO FSD Kenya. Mobile payment is a top priority in Kenya, M-Pesa a Kenyan success story.

In September 2016, Mark Zuckerberg visited Kenya „to learn about mobile payment,“ and said Kenya was the world leader. And after Facebook announced its own currency Libra this month, there was speculation whether the strong culture of mobile payment in Kenya would be an advantage for Libra – or whether M-Pesa would prevail as the established solution.

The panacea against poverty

International media have been celebrating M-Pesa for years. „Why does Kenya lead the world in mobile money?“ was a 2015 Economist headline, while CNN dedicated a jubilant biography to the system for its tenth birthday in 2017.

„Access to the Kenyan mobile money system M-PESA increased per capita consumption levels and lifted 194,000 households, or 2% of Kenyan households, out of poverty.“ This is the conclusion of a study from 2016, which quickly became the oft-cited core of the argument that development aid can also be profitable.

A brief history of Safaricom

And that M-Pesa definitely is: The parent company Safaricom is today the most profitable in East Africa. The company alone represents forty percent of the value traded on the Kenyan stock exchange. If there is a definition of „too big to fail“, then it’s Safaricom for Kenya.

The former division of the state-owned postal and telecommunications provider was partially privatised in 2008. Today, the state holds 35 percent of the shares, 25 percent are freely traded on the stock exchange and the rest is owned directly or through the subsidiary Vodacom by the British company Vodafone. In the financial year 2018, Safaricom’s turnover with M-Pesa grew to 75 billion shillings (640 million euros), one third of the total turnover. Shareholders received a bonus of the same amount.

„Another False Messiah“

„This demonstrates that significant value is being created by M-Pesa based on the tiny transactions of the poor, but most of it is spirited abroad via dividend payments to foreign shareholders,“ conclude the authors of the study „Another False Messiah: The Rise and Rise of Fin-Tech in Africa“.

The M-Pesa-banishes-poverty study „actually contains a surprising number of errors, omissions, poor logic, and methodological flaws,“ criticize the authors. It was also largely funded by FSD Kenya and the Gates Foundation, both very interested in expanding digital finance. FSD Kenya? Yes, exactly the NGO that is also responsible for the FinAccess study on the dissemination of these services in Kenya.

The authors of „Another False Messiah“ compare the M-Pesa system with the exploitation of the poor in the USA before the 2008 financial crisis through gambling, mortgages and short-term loans. Just like then, they write, poor people in Kenya are now being exploited by the „digital mining“ of transaction fees and interest rates.

And indeed: the fees for withdrawing M-Pesa as cash can be as high as 17 percent for small amounts. When someone withdraws the minimum amount of 200 shillings, around 1.72 euro, from an ATM, they pay the equivalent of 29 cents as a fee.

Creditworthiness, determined by algorithm

At least you can transfer small amounts for free, up to three times a day. This can be done simply by SMS. The catch: SMS messages are not encrypted and can therefore simply be read – and with them, the transfers made through them.

This is exactly what an important component of the M-Pesa ecosystem does: apps for instant loans. Install the app, grant permission to read all messages, and the user has access to credit. More than eight percent of adults in Kenya use instant loan apps; three years ago it was less than one percent.

Two of the most popular of these apps, Tala and Branch, were examined in a 2017 report by the NGO Privacy International. Both were developed in California for African and Filipino users. Both needed access to phone calls, contacts, messages and GPS location.

From this data, an algorithm determines whether a loan is approved or not. Tala also evaluated whether enough messages are sent to contacts stored under „mama“ or whether that number is called often enough: „their analysis has found that people who make regular calls to family are 4% more likely to repay their loan.“ Branch needed access to the user’s Facebook account and evaluated the behavior of friends.

„How Tala Mobile is Using Phone Data To Revolutionize Microfinance,“ Forbes titled an interview with Tala’s founder. „If data privacy was important for the Kenyan consumer, we would do it,“ an employee of the Kenyan company M-Kopa told Privacy International. This company offers solar panels, paid in installments and equipped with SIM cards. These transmit to M-Kopa how much electricity is generated and what program is running on the connected TV. If the installments are no longer paid, M-Kopa switches off the solar panels.

Debts instead of bank accounts

To understand the success and danger of M-Pesa, you need to know two more facts. First, six out of ten Kenyans do not have a regular bank account. The most common reason: lack of savings. „Only one fifth of the adult population was considered financially healthy,“ says the FinAccess report mentioned earlier. Secondly, almost ten percent of those who take out a loan via such an app cannot repay it. With traditional bank loans, the figure is only two percent. Sustainable financial development looks different, agree the authors of „Another False Messiah“. South Africa serves as a cautionary example.

And there’s another problem: gambling. Because that is booming in Kenya. Five years ago the industry was worth 2 billion shillings, now it’s 200 billion. More than three quarters of the young people gamble, half a million have already been unable to repay a loan, according to government authorities. This huge increase would hardly have been possible without simple mobile money and quick loans.

Data protection law under discussion

Companies have now realised that this could be a potential image problem. Last week, 13 companies committed themselves to ethical lending practices. In October last year, some of the companies, including Branch and Tala, had already spoken out against parts of a Kenyan data protection law.

This law has been going through Kenyan legislation for a year. A current draft stipulates that the data of Kenyan customers may only be stored on Kenyan servers. Kenyans would also have the right to know how their data is collected, stored and processed, and to have it deleted. The similarities to the GDPR are clear to see. A right to forget and „privacy by default“ are also planned in the draft.

For Safaricom, one thing is particularly explosive: customers should be able to have all records of mobile transactions, for example with M-Pesa, transferred to other providers of mobile payment. These do exist, but the supremacy of M-Pesa and Safaricom is overwhelming and the rates for transferring money to customers of other providers are high. In mobile payment, M-Pesa’s market share is 78 percent.

The draft provides for a prison sentence of up to two years for people who violate the privacy of others. However, it does not mention penalties for companies that violate the rules. Those are to be decided by a „complaints commission“.

Marketing on Wikipedia

That Safaricom is also interested in its image is shown by the case of the Wikipedia editor Githinji.mwai. „M-Pesa 1Tap is the faster way to pay with MPESA,“ he added to Safaricom’s Wikipedia article. „With M-Pesa 1Tap, you simply tap, enter PIN to pay and go!“ However, he deleted the paragraph under the heading „Controversy“, just like in the article of Safaricom manager Sylvia Mulinge. There he deleted the mention of an ongoing trial: Mulinge had been accused of carelessly running over and killing a minor. His reason for the deletion: „Accusations are not true.“

By now, Githinji.mwai has been warned not to edit any articles with which he has a personal connection. What personal connection? Githinji Mwai works for the Kenyan marketing company Squad Digital, which worked on Safaricom’s „This is My Kenya“ campaign, among other things. Wikipedia editors may be paid to write articles, but they must make it public and remain neutral in their work. Githinji.mwai did neither.

Lawsuit demands 115 trillion

In the current case, the plaintiff Ndun’gu now vehemently denies that he ever blackmailed Safaricom with the stolen 11.5 million records. He also takes offence at the fact that Safaricom has not yet sent any of the victims a notification or apology. Ndun’gu is complaining about this in a spectacular way: in his complaint, he demands 10 million Kenyan shillings for each of the 11.5 million victims. In total that would be 115 trillion shillings – equivalent to 990 million euros.

„I pray that the court renders a decision that ensures that the behemoth that is [Safaricom] treats the issue of privacy with the graveness that it deserves and that a breach of this nature does not happen again,“ the complaint says.
