From Tuesday, the government wants to be allowed to listen to your calls, read your text messages and review your mobile money transactions.
The government, through the Communications Authority of Kenya, has ordered mobile phone companies to allow it to tap their computers.
The tapping into these computers will be done by a company contracted by the agency.
Though the reason given for the tapping is tracking counterfeit devices, the minute it starts, 40 million Kenyans will lose their privacy.
Usually, governments can listen to private conversations and access personal data, but by law they need to have a good reason and get a warrant from a judge.
Additionally, Kenya has no data protection law, so people who gain access to others’ personal information can abuse it.
The authority has already written to mobile phone service providers setting up dates for the plugging of the snooping device, with some as close as Tuesday next week.
It will involve the third party company getting hooked up to all routers at Safaricom, Airtel and Orange Telkom, effectively opening up private communication data to an entity other than those licensed to hold them and the government.
LETTER TO OPERATORS
The Nation has obtained a copy of a letter addressed to one of the operators, asking it to authorise the third party to install the link that would open up SMS, call and mobile money transfer data to the third party as the plan takes shape quietly.
“Kindly facilitate our principal contractor, M/S Broadband Communications Networks Ltd, to access your site and install the link at the data-centre or the mobile switching room.
"The link should terminate close to the core network elements that shall integrate to the DMS solution.
"The DMS block diagram and integration requirements for this setup was shared with your technical team on January 17, 2017,” read the letter signed by the authority’s director, licensing, compliance and standards Christopher Kemei on behalf of the director-general.
Broadband Communications Services Ltd was awarded the Sh207.2 million tender to design, supply, deliver, install, test, commission and maintain the device in September 2016.
Before the hook-up, the authority and the contractor were to survey all the operators’ sites and a January 31 letter announced the intended visit.
But in a strange twist, the regulator later converted the survey into the actual installation, heightening suspicion.
Of bigger concern to the operators is that the company contracted by the authority, which does not legally bear the responsibility to protect customer confidentiality, will get a direct access to call data before transmitting it to the regulator, splitting responsibility between three parties and leaving users exposed to intrusion of privacy.
A source privy to the system said the need to tell fake devices from genuine ones will only need a control on the unique 15 digit code called International Mobile Equipment Identity or IMEI.
The number, usually found behind phone batteries, is given to every handset and whenever it is connected to a network, the number can be accessed in a database Equipment Identity Register.
“When your phone is reported stolen or is not type approved, this number is marked invalid and that is exactly what the regulator would need to do in dealing with fake phones.
"What is going to happen is an invasion into privacy of Kenyans who do not know what is going on,” said the source.
Although the regulator has listed the Anti-Counterfeit Agency, Kenya Bureau of Standards, Kenya Revenue Authority and the National Police Service as key players in the snooping, it is not clear what their roles would be.
KRA has made previous attempts to access M-Pesa transaction records to catch tax cheats, a move Safaricom, which has 26.6 million customers, resisted, citing the need for proper legal backing.
Efforts to get a response from the CA over the plan that may compromise data privacy were futile.
An email, SMS and calls to Director-General Francis Wangusi were not answered.
The telcos are said to be plotting joint resistance to the plan, with several meetings having been held in a bid to come up with a common voice to protect customer data.
Safaricom will see its 26.6 million customers lose privacy.
Airtel Network Ltd has 6.7 million subscriptions, Telkom Kenya Ltd, 2.9 million while Finserve Africa Ltd and Sema Mobile Services Ltd subscriptions stand at 2.2 million subscribers, according to the latest statistics.
Private communication data sitting with the regulator would probably be unsafe from outside parties.
The Communications Authority, whose website was hacked in January alongside that of the National Environment Management Authority, also leaves the public exposed to such breaches in a country where cybercrime is on the rise.
A hackers group calling itself AnonPlus defaced the CA homepage by posting a manifesto promising to “defend freedom of information, freedom of the people and emancipation of the latter from the oppression of media”.
Consumer Federation of Kenya Secretary-General Stephen Mutoro said the move is against the Constitution and will expose the telcos to lawsuits for breach of confidentiality.