What we know - the technology behind the ‘phone spying' programme

Will the Communications Authority of Kenya spy on Kenyans?

This seems to be the question of the week. With mainstream media recently splashing headlines to that effect, this conversation is likely to capture the imagination and concerns of Kenyans right through the election period.

A court has put a temporary stay on the move by the Communications Authority (CA) while it hears and determines the matter, but it could be implemented if the courts so decide.

The older generation that lived through the Kanu regime, particularly during the early 1990s, when what you thought, whispered, said or wrote was captured and used to decide your fate, has every reason to be jittery.

Are we getting back to the dark old days, when the state organs were deployed to monitor citizen activities with particular focus on suppressing contrary opinion, independent thinking and shrinking freedoms?

It is difficult to tell.

On one side, we have the telecom operators, who seem very wary of the regulator’s new approach to dealing with illegal communications.

They seem to think this new approach opens up opportunities for state organs to access personal and private subscriber data.

On the other hand, we have the regulator, which has publicly denied these allegations and wonders why the operators are attacking plans to introduce the system through the media at such a late stage, considering that the new system has been in the works over the past one year.

One way to try and figure out who is fooling who is to read through the tender document for this so-called Device Management System (DMS), which is to be deployed and managed by the CA.

The technical specification sections of the tender talks of a DMS that links into the operator networks with a view to blocking stolen, counterfeit, substandard and SIM-box devices from communicating on the telecommunication networks.

Stolen, counterfeit or substandard devices are a well-known socio-economic menace for the National Police Service and the Kenya Bureau of Standards, not just telecom operators.

Such devices need to be blocked from communicating over our networks since they are often used both by criminals and innocent citizens who may have been duped into buying them.

The SIM-box allows operators or their accomplices to illegally terminate and convert international traffic into local traffic.

WHITELIST DATABASE

If you have ever received an international call from a friend, yet the originating caller ID reported was a local number, that call is most likely being routed through a SIM-box.

The issue with that is that statistics and revenues reported by operators for international calls do not reflect reality, creating reporting gaps for the regulator and other interested agencies such as KRA. So far so good. 

It’s clear the new device management system means well since the rationale for blocking these illegal devices is obvious. Even telecom operators would not argue against this.

However, the devil, as they say, lies in the details. What could be contentious, but is not coming out in the open, can be seen from the schematic diagram describing how the DMS would be deployed.  

It is clear from this diagram that the power to block these illegal devices from communicating is shifting from the operator to the Communications Authority of Kenya and other state agencies.

Specifically, the CA would control what is known as a "whitelist" database, which is a list of valid devices, and expect the operator’s network to, subsequently and automatically, block any device that is not "whitelisted".

The police might, for example, share a list of stolen-device identities that would subsequently be removed from the whitelist database. The Customs Services Department might also share a list of validly imported devices, which would also be used to streamline the whitelist database.

Previously, operators controlled their own whitelist and retained the bigger prerogative or power to decide what to block and when and how to block it.

If the courts allow, this power could be taken away and given to the CA once the DMS is fully operational.

Whether the regulator would then have access to subscribers' private communication during this process is difficult to tell, unless we have access to the actual implementation details as proposed by the winning bidder.

For now, the real battle may be lying elsewhere other than around consumer-related privacy concerns. Nevertheless, in the absence of a comprehensive Data Protection Act, it would be risky to dismiss and rule out such concerns.

Mr Walubengo is a lecturer at the Multimedia University of Kenya, Faculty of Computing and IT. Email: [email protected], Twitter: @jwalu