Wednesday, 1 July 2015

Overreaching surveillance in the most extreme

From Kenya comes news (here and here) that has really blown this blogger away, twice!

First, the Communication Authority of Kenya (CA), the government regulatory body, has issued a directive requiring that all devices using public Wi-Fi hotspots must be registered. Thus, a coffee shop or hotel patron using the free Wi-Fi with a laptop or smartphone must register the device with the CA, using a phone number and/or a national ID number. The Wi-Fi providers are also required to assign a unique IP address to all users so that all internet traffic can be linked to the specific device and user.

Second, the CA also intends to require that all businesses registered in Kenya must acquire a .ke (dot ke) domain address.
Big Brother really is watching...
Source: Getty Images

Oh, how are these mandates misguided?  Let me count the ways!

Problem #1: how will CA verify the information that is provided?  There are databases of national ID numbers, but some users such as tourists won't have a national ID. Does that mean I can enter my passport number, including a made-up number?

Problem #2: this will create a vast database of user information. How confident are we that the government will keep such information secure?  In fact, centralized storage of such information only makes cybercrime easier for the criminals - with a single hack, mountains of personal ID data can be obtained, and we all know that the Kenyan government websites are targets for attack (e.g., Kenya's military Twitter account).

Problem #3: will this Directive achieve the stated goals of reducing the risk from cyberterrorism, terrorists using Wi-Fi access, and cybercrime? This blogger thinks not, unless the CA knows how to overcome anonymizing tools such as Tor, VPNs, and encryption. (Comments from tech-savvy readers on this point are most welcome.)

Problem #4: what happens if the .ke domain for my business name is already taken? Then I'm forced to register something that is irrelevant or not as relevant? And, am I forced to maintain such registry and pay yearly renewal fees? What happens if the domain lapses?

Problem #5: rarely does a business want a .ke domain when the same .com or .org domain name is also available. So for those users, this directive merely increases the cost and red tape of doing business in Kenya. For the remaining users, this directive will make no difference as they would have registered the .ke in any case.

Problem #6: the intrusion into personal privacy by this directive speaks for itself. This blogger wonders about the legality of the directive. Article 31(c) of the Constitution of Kenya 2010 provides that every person has the right to privacy, including the right not to have information related to their family or private affairs unnecessarily required or revealed. This is, essentially, mass surveillance of the Snowden variety, and this blogger cannot believe that such surveillance is not unnecessary (particularly when 99+% of the monitored activities are likely to be legitimate).

This blogger is not aware of any country on earth that has either of these requirements - either in black letter law or in practice. If any reader knows of such a country, do share!

1 comment:

Mose Karanja said...

As the government collects mass data from citizens, it is necessary we remind it how poor personal data protection is in the country. A case in point was the illegal use of SIM card registration data by political parties in the run up to the 2013 general elections as a requirement of qualification to contest the elections from the Office of the Registrar of Political Parties. See this link:

Two, even with benefit of doubt that this device registration will see the light of day and be magically enforced, how safe are their databases? Hacking sites feels like a cottage industry of late, with the embarrassing 103 sites hack still fresh in our memory.

I personally think this is not only out of line with best practises of cyber crime management, but deeply disturbing from a privacy position.