Kenya does not have a data protection law. But there is a data protection bill [1] pending somewhere in the corridors of power.

Police in Eldoret arrested a man suspected of stealing over Sh180,000 from mobile money agents in Nandi using dozens of stolen SIM cards and ID cards, which were used to register M-Pesa lines

This is an election year in Kenya. As part of the requirements to vote, the Independent Electoral and Boundaries Commission (IEBC), the electoral body mandated to conduct elections, registered voters who will participate in the 2017 plebiscite. Just like most countries, to qualify to vote in Kenya[2], the voter has to be over 18 years, a citizen of Kenya, and hold an identification document which is either a National ID card, or a Kenyan passport.

This year, 19.6 million [3] people registered as voters. That is just about half of all Kenyan citizens of 48 million [4]. The beauty of the new revamped IEBC is that they released publickly all the datasets of registered voters [5]. Voter registration is only by physically going to a registration center. There is nothing like online registration. Registration entails capturing the biometric data of the vote. The biometrics are finger prints of both hands and facial features. They also capture all the details available at the registrar of person (full name, ID/passport number, and date of birth). Finally they capture your phone number, address, and voting location. To prove you are a registered voter, you are given a laminated card, which serves no purpose apart from bragging rights in the village pub. This whole process is called Biometric Voter Registration.

The author undergoes Biometric Voter Registration. Photo credit Mariana Mulinge.

Verification of voters
For some strange reasons, Kenyans feel a need to confirm their voter registration details. In this part of the world, elections are a high stake game, and the level of mistrust with the system is at it’s highest. According to the Constitution, the Electoral body has to provide a mechanism for the electorate to verify their voter data. Section 6 of the Election Laws 2011 was updated by The Election Laws (Amendment) Act, 2017 where “The Commission shall cause the Register of Voters to be opened for inspection by members of the public at all times for the purpose of rectifying the particulars therein, except for such period of time as the Commission may consider appropriate [6].

According to IEBC, there are two ways of identifying voters; through finger print scan, or though the ID document by either searching the ID number or scanning the machine-readable part of the ID. This process and tools are called Biometric Voter Identification (BVID).

In their wisdom, the IEBC provided a two week windows for voters to verify and correct any registration anomaly by physically going to a verification center. After the correction, the voter register is supposed to be accessible to the general public for auditing. IEBC has a provision to give the entire voter register to any entity for Ksh20,000 [7] (US$200). The law requires IEBC to provide the register for free or at a reasonable cost.

Not every Kenyan would require the entire register. Individual voters want to confirm their details on ongoing basis. IEBC has an SMS system where the voter sends an ID number to the phone number 70000 [8], and the system returns the registration details of that number if it’s registered. The cost of that SMS is Ksh7 (Us¢7). These are the parameters that the SMS returns; name, county, name, constituency, polling station code, polling station, ward. It does not matter who queries the database, the information returned is the same. One phone number can query as many registered voters as the amount of Ksh7 they are ready to spend. The system will return the full list of all those parameters. You don’t even need to send a challenge code like a date of birth to get that information.

IEBC SMS verification output. Image source twitter @OwenKims [9]

To make the system more intuitive, IEBC development a Web portal where voters can query the same voter information at http://voterstatus.iebc.or.ke/voter. Here at no cost, the voter uses their ID number to query and get their registration status. The query returns all these parameters; ID number, name, date of birth, gender, poling station, county, constituency, and ward. It does not matter which ID number you query, you will be able to get the voter data. Here too, more data than required for verification is displayed, and there is no challenge code asked by the system. Any automated bot can harvest the entire database. And that is the problem.

more data than required for verification is displayed, and there is no challenge code asked by the system. Any automated bot can harvest the entire database. And that is the problem.

The problem

For the privacy conscious, IEBC is doing poorly with how they are exposing raw data of nearly 20 million Kenyans to the world. Anybody with basic programing skills would be able to harvest the raw data through an automated search. If you search any random number with the format of Kenya ID numbers, say hypothetically 12345678, you will realize you can pull up citizen’s details, at least ID number, and name, and locality they live. Basic security tips would require the system to have a captcha to prevent automated harvest of the information, and also output just the required information for verification, and nothing more. A captcha is defined as program or system intended to distinguish human from machine input, typically as a way of thwarting spam and automated extraction of data from websites.

Screenshot IEBC website returning more information than necessary, and without requiring a captcha

 

To test this problem, I Googled one of the top Presidential candidate Raila Odinga’s ID number, which was readily available online [10]. I then went ahead to retrieve his registration details as shown in the screenshot below.

Screenshot of Raila Odinga’s Voter details. Image source @lordmwesh [11]

The technical solution

This data breech was discussed at length at the KICTANET mailing list [12], where the community provided several solution;

  • Have a captcha to prevent automated harvest of the information, and have a challenge questions like date of birth to supplement the ID number, therefore only have the data owner have access their information (suggestion by yours truly)
  • Limit requests per IP address (suggestion by Emmanuel Chebukati)
  • Implement a two factor authentication (suggestion by Denis G. Wahome)
  • A government backed smart card which would offer appropriate level of authentication without locking out access to a section of users (suggestion by Mark Kipyegon)
  • Use ID Serial Number as a check to match the ID number (suggestion by Ngigi Waithaka), which he thought could be central to Kenya’s citizen data authentication, where Citizens are made to keep their ID Serial number as their ‘private key’ for all authentication in government platforms. This suggestion was backed by Odhiambo Washington.
  • Integrate the IEBC system with the ecitizen platform [13].  (Suggestion by Victor Kapiyo)

The policy, legal, and procedural solution

Still on the mailing list, Grace Githaiga supported an idea of legitimate implementable solution, which could be sent to IEBC, mooted by Emmanuel Chebukati. Ali Hussein suggested the whole verification exercise be suspended until the rookie mistake by IEBC is rectified. He continued,  “This is a serious breach. In the dark web there are vendors of stolen identities. What IEBC has done is to basically leave the bank vaults open and invite every identity theft vendor in the world into this treasure trove.” Victor Kapiyo added that the implementation by IEBC showed that in the absence of guidelines on how citizens data is managed, then anything is possible, and it wouldn’t be so hard to mine this data from IEBC servers for whatever purpose.

Grace Mutung’u provided a legal interpretation quoting the provision of the elections act on the inspection of the register by the public. She said the idea of the elections act was not only for voters to verify their details but also for the public to inspect the register. Inspection serves an important role in assuring the integrity of the vote by weeding out errors, and non existent voters. The register is also available in physical form at constituency offices for public inspection. It should therefore be possible for members of the public to view other people’s voter registration details. The question should only be what details are made public and also how to prevent harvesting of the data. She objected the justification for serial numbers or SMS [two factor] verification.

From the problem statement, only two of these implementations seem feasible, and still comply with the elections law of allowing a public audit of the register. The solution is have a captcha, and output just enough information to verify a voter, and nothing more.

From the problem statement, only two of these implementations seem feasible, and still comply with the elections law of allowing a public audit of the register. The solution is have a captcha, and output just enough information to verify a voter, and nothing more.

Changes by IEBC

On being notified of the glaring data breaches, IEBC put of the online system for 2 weeks as they were implementing the security mechanisms. The SMS platform remained firmly online.

Computer screenshot of IEBC verification page temporarily down

 

Now, the new, robust system according to IEBC is live. With only one change, captcha.

A mobile screenshot of IEBC website voter identification form screenshot with the captcha

 

From the query, the system is still spewing out more information than required. From a data protection perspective, a clean implementation should maybe just show the initials of the voter, in the case for Raila Odinda, show RO, and his polling station. The query should certainly not show his date of birth, and gender.

A mobile screenshot query from the IEBC system still with more private information relayed to the public than necessary.

 

This sort of rookie mistakes makes you feel there are no competent programmers, cyber security analysts , legal professions, and policy experts remaining in Kenya. But we are here :-). This serves as an indictment to the community who develop applications without proper system analysis.

Kenya does not have any data protection law. But there is a draft data protection bill. This should be a priority for us in lobbying the next Parliament. Data protection is envisioned in the constitution [14]. Article 31(c) of the Constitution outlines the right of every person not to have “information relating to their family or private affairs unnecessarily required or revealed” and Article 31(d), the right not to have “the privacy of their communications infringed”. It would also regulate the collection, retrieval, processing, storing, use and disclosure of personal data.

The Access to Information Act 31 of 2016 confers the Commission on Administrative Justice the oversight and enforcement functions to ensure citizen’s privacy is maintained. in section 21 of the Act, the Commission on Administrative Justice has the Functions [15]; (b) request for and receive reports from public entities with respect to the implementation of this Act and of the Act relating to data protection and to assess and act on those reports with a view to assessing and evaluating the use and disclosure of information and the protection of personal data; (d) work with public entities to promote the right to access to information and work with other regulatory bodies on promotion and compliance with data protection measures in terms of legislation; (h) perform such other functions as the Commission may consider necessary for the promotion of access to information and promotion of data protection.

Why is all this important?

The Business Daily newspaper has case in point of citizen data breach. In 2011, a convicted criminal serving time at the Kamiti Maximum Prison, forged an ID card belonging to retired Chief of the Kenya Defense Forces (KDF), General Jeremiah Kianga. The fraudster conned Kenyans off thousands of shillings via mobile money with the promise of enrolling them in the army. Last March, police in Eldoret arrested a man suspected of stealing over Sh180,000 from mobile money agents in Nandi using dozens of stolen SIM cards and ID cards, which were used to register M-Pesa lines [16].

Who else is mishandling citizen data in Kenya? Reach out to me if you have such case studies at @lordmwesh

The next debate on information confidentiality is usually centered around the question, “Why should I care if I have nothing to hide?” The next article will try to answer that question. Do you have anything to hide?

Sources

  1. Data protection bill 2013 http://icta.go.ke/data-protection-bill-2012/
  2. Elections Act No: No. 24 of 2011 http://www.kenyalaw.org/lex//actview.xql?actid=No.%2024%20of%202011
  3. Registered Voters Per Constituency For 2017 General Elections https://www.iebc.or.ke/docs/Registered%20Voters%20Per%20Contituency%20For%202017%20General%20Elections.pdf
  4. Kenya Population http://www.worldometers.info/world-population/kenya-population/
  5. Statistics of 2017 voters https://www.iebc.or.ke/registration/?stats
  6. Election Laws Amendment Act 2017 http://kenyalaw.org/kl/fileadmin/pdfdownloads/AmendmentActs/2016/ElectionLaws_Amendment_Act_No1of2017.pdf
  7. IEBC register Sh20,000 price tag questioned www.businessdailyafrica.com/news/IEBC-register-Sh20-000-price-tag-questioned/539546-4002054-fdm6p9/index.html
  8. Check registration status by texting ID or passport number to 70000 – IEBC www.the-star.co.ke/news/2017/06/29/check-registration-status-by-texting-id-or-passport-number-to-70000_c1588008
  9. SMS verification output https://twitter.com/OwenKims/status/880376549920448512
  10. Raila shares ID number with another voter https://citizentv.co.ke/news/raila-shares-id-number-with-another-voter-155443/
  11. Screenshot without captcha https://twitter.com/LORDMWESH/status/880554515832782855
  12. [kictanet] Poor show by IEBC: Data Protection in year 2017 and the case of raw voter registration datahttps://lists.kictanet.or.ke/pipermail/kictanet/2017-June/052096.html
  13. Kenya E-citizen portal https://www.ecitizen.go.ke/ecitizen-services.html
  14. Constitution of Kenya http://www.kenyalaw.org:8181/exist/kenyalex/actview.xql?actid=Const2010
  15. Access to Information Act No. 31 of 2016 http://www.kenyalaw.org/lex//actview.xql?actid=No.%2031%20of%202016
  16. Safaricom goes for photo IDs to block M-Pesa fraud http://www.businessdailyafrica.com/corporate/companies/Safaricom-photo-ID-agents-M-Pesa-fraud/4003102-4008158-1sep6kz/index.html retrieved 10 July 2017

 


Humans have been traveling across the globe even before borders were drawn for reasons ranging from business, exploration, social, medical, education, and migration. After 9/11, traveling became more complex with tight Visa rules, military grade screening of passengers, and increased surveillance. The latest casualty of these tight measures are ICT savvy travelers.

In March 2017, The US and Britain introduced new regulations for flights from Middle East, and Africa. The regulations ban passengers from carrying large electronic devices citing security concerns. The countries affected were Jordan, Egypt, Turkey, Saudi Arabia, Qatar, Kuwait, Morocco and the United Arab Emirates. The circular from the US homeland security read:

“These enhancements apply to 10 specific airports. The affected overseas airports are: Queen Alia International Airport (AMM), Cairo International Airport (CAI), Ataturk International Airport (IST), King Abdul-Aziz International Airport (JED), King Khalid International Airport (RUH), Kuwait International Airport (KWI), Mohammed V Airport (CMN), Hamad International Airport (DOH), Dubai International Airport (DXB), and Abu Dhabi International Airport (AUH).”

With the new regulations, any device bigger than a hand help phone should be put in the checked-in luggage, and not carried onboard by the passenger. The listed devices are laptops, tablets, e-Readers
cameras, Portable DVD players, electronic game units larger than a smartphone, travel printers, and scanners.

In the age of Snowden and Wikileaks, these regulations pose a cyber security risk. It gives a window of opportunity for anybody targeting data in the devices to get access to the checked-in devices, usually a laptop. The checked-in laptops of persons of interests will either be cloned, or disappear altogether. A federal agent will mark the luggage of the person of interest, and along the several luggage transfer chain, locate it and remove the laptop and clone the hard disk getting away with a wealth of data. This process can be done by either physically removing the hard disk, using a live CD like Tails to copy the contents of the laptop, or just crack the user account and gaining access to the laptop. This may sound far fetched, but federal agents have been known to go to great lengths to access information they deem necessary in their work.

Airlines have started being creative to help their clients experience the same convenience they are used to. For example, Emirates Airlines has introduced two services to it’s clients, a laptop handling service that lets clients use their devices until before boarding, and complimentary laptops for business and first class customers, where the customers are given Microsoft Surface 3 tablets to work onboard. Although this does not remove the security concerns mentioned above, it gives those who can afford a window to be productive while flying.

How do you secure your data while traveling?
The Electronic Frontier Foundation, an international non-profit digital rights group based in San Francisco, California, gives some suggestions on traveling with data, especially after the U.S. government reported an increase in the number of electronic media searches at the US border.

  • Store all sensitive data on a secure cloud offering like Dropbox or SpiderOak, or better still on a private hosted server.
  • Use a Chromebook as your travel laptop, which by default store all data on the cloud
  • If you must travel with your data, have two hard drives which you swap on convenience. One with a clean operating system install without any data, and another with the operating system and data, but only swapped when the laptop is in use.
  • Always use full strong disk encryption for all your data.
  • The next debate on information confidentiality is usually centered around the question, Why should I care if I have nothing to hide? The next article will try to answer that question. Do you have anything to hide?


    The 25th Africa Network Information Center (AFRINIC) meeting will be held from 25th to 30th November 2016 at Sofitel Imperial hotel in Mauritius.

    Tutorials will be held on Computer Emergency Response Teams (CERTs), IPV6 foundation training, Internet Number Resource Management, and a session on increasing participation at the Internet Engineering Task Force (IETF) in the African Region.

    The session on AFRINIC Government Working Group will explore ways of involving more African governments and multilateral organisations in Internet Governance efforts.

    The Fund for Internet Research and Education (FIREAfrica.org) will hold a session training their grantees on Leadership skills, project management, and pitching to investors.

    An interesting development will be the launch of AFRINIC’s new IPv6 testing and certification platform available at http://certi6.io.

    The hallmark for all Regional Internet Registry meetings is usually the Policy Discussion Working Group (PDWG). The PDWG will discuss four policies among them Inbound Transfer Policy, Soft Landing policy Overhaul, the proposal to Transfer IPv4 Resource within the AFRINIC region, and Internet Number Resources Review by AFRINIC.

    The last day will have the Special general members meeting, where members will vote for Special Resolutions for AFRINIC Proposed Bylaws Changes, and elections of members for the AFRINIC Governance Committee.

    The Agenda of the meeting is available here: https://meeting.afrinic.net/afrinic-25/agenda


    For several generations, Kenya will never have a revolution.

    we are not divided on ideological lines. Just look at what happened in 1990 when we thought the opposition had Moi by the horns. Come 1991, we had aligned ourselves in tribal cocoons, denied mzee Jaramogi his moment of fame, and lost the “revolution” for the next 10 years.

    We had a brief chance after 2003 to galvanise the county into nationhood but the experiment failed miserably. We were more than eager to support only our own(s). Ask if our owns are eating enough like other owns.

    Currently, the writing is on the wall. Locals from the west loathe those from the East and the reverse is true. Not on ideological lines. Pure heavy unfounded hate. When you cut, it will bleed. We hate the tribe collectively, not the thief politician. The masses are hearded around like livestock. That is why one side will say “Uthamaki ni witu, thamaki ni ciao”, to quote David Ndii.

    And that my friends, is the recipe for a Civil war. The revolution is naught.

    There is a big difference between a revolution and civil war. See what happened in the Balkans or Rwanda. The common man was killing the fellow common man because he is of a difference heritage. That is civil war. Look at what happened in Russia when Tzars were diposed. Or French Revolution when the King was exiled and Queen hanged. Or what happened in Cuba, and Tunisia. That is a revolution. Kenya nearly achieved a revolution in 2003.

    It’s not a fight of brother against brother, but fighting the corrupt system. I sit in the villages in Kenya and the vitrol thrown around by locals from one section of poor Kenyans to another section of poor Kenyans is retching.

    And that my friends, is where our political leaders across the divide want us to be. Not fight the system. So that when they are in power, its their time to eat, as the nobodies fight proxy tribal wars.

    Our new constitution was very good because it tried to save us from ourselves. For once, it envisioned independent institutions like Judiciary, executive, parliament, police, different commissions, etc. Real checks and balances of power. But what are we doing with all those checks and balances? We are diluting them, and transferring all the power to one person.

    I remember with soNice discourse guys. Walu, you got me all wrong. There is a big difference between a revolution and civil war. See what happened in the Balkans or Rwanda. The common man was killing the fellow common man because he is of a difference heritage. That is civil war. Look at what happened in Russia when Tzars were diposed. Or French Revolution when the King was exiled and Queen hangged. Or what happened in Cuba, and Tunisia. That is a revolution. Kenya nearly achieved a revolution in 2003.

    It’s not a fight of brother against brother, but fighting the corrupt system. I sit in the villages in Kenya and the vitrol thrown around by locals from one section of poor Kenyans to another section of poor Kenyans is retching.

    And that my friends, is where our political leaders across the divide want us to be. Not fight the system. So that when they are in power, its their time to eat as the nobodies fight proxy tribal wars.

    Our new constitution was very good because it tried to save us from ourselves. For once, it envisioned independent institutions like Judiciary, police, different commissions, etct. Real checks and balances of power. But whatarewe doing with all those checks and balances? We are diluting them, and transferring all the power to one person. I remember with sorrow the words on one Michuki “we don’t need a new constitution. What we wanted is to remove Moi from power. Now that he is gone, we don’t need it”. What he ment was that so long as one good person is in power, he can have all powers. But what happens when one bad person is in power?

    Lord Acton put it so clearly, “Power tends to corrupt and absolute power corrupts absolutely. Great men are almost always bad men, even when they exercise influence and not authority; still more when you superadd the tendency of the certainty of corruption by authority.”


    The Eastern Africa nations in March 2016 formed a network to tackle Cybercrime.

    Uganda, Kenya, South Sudan, Ethiopia, and Somalia have formed the Eastern African Cybercrime Criminal Justice Network. This will help exchange of information between law enforcement agencies among members on issues pertaining to the fight against cybercrime. The network will facilitate learning on best practices, and harmonisation of national laws. It will also provide technical assistance needs in the area of international cooperation to combat cybercrime. The initiative was championed by the United Nations Office on Drugs and Crime and the Commonwealth Secretariat.


    According to investopedia.com, leadership is the ability to make sound decisions and inspire other to perform well. My definition of Leadership is the intrinsic ability to bring out the best in all team members by putting the group’s different talents to work for the betterment of a situation. Leaders are trustworthy, and demonstrate to their followers that they trust them. A leader is able to see a better world and convince others to join in his vision.
    Leadership includes inspiration, confidence, courtesy, a clear mind, and respect to others. Empowering followers is paramount to success of the leader. Leadership also includes giving guidance, and consultancy. Leaders have the ability to share their vision, purpose and passion with others so that others can do remarkable things that they didn’t believe they could do. Some people have described this phenomenon as the reality distortion field. A good example is when Henry Ford directed his engineers to cast an engine with 8 cylinders in one block. The design was drafted but the engineers agreed, to the last man, that it was an engineering impossibility to cast an 8 cylinder engine in one piece. But Ford persisted and it led to the famous V8 motor.
    Leaders have foresight to see the future needs of an organization and they have the commitment to move with the vision, making the leader greatly respected.
    An icon of the 21st century that I greatly admire his leadership style is the late Steve Jobs, the founder of Apple computers. His resilience when odds were against him, his unrivaled work ethics, his humble upbringing, his ability to question the status quo, his vision to change the world, and his unwavering believe that whatever man can conceive, he can achieve. This is a man that had major carries setbacks, but he bounced back to the topmost positions in corporate America with indisputable financial and popular support to Apple products, with a cult following to boot. This is a man, according to his own words “put a dent on the universe” thought the revolutionary products he produced. He said “My passion has been to build an enduring company where people were motivated to make great products”. Sarah McInerney of Sidney Morning Herald observed that Jobs was a passionate advocate for his vision and incredibly effective at communicating this to shareholders, customers and staff.
    A statement I find great inspiration from was a 1997 advertisement by Apple Inc called Think Different where they refer to the leaders who change the world as “The misfits … The round pegs in square holes … The ones who see things differently, but the only thing you can’t do is ignore them. Because they change things. They push the human race forward. While some may see them as the crazy ones, we see genius. Because the people, who are crazy enough to think they can change the world, are the ones who do”.
    If you look at all the inspirational leaders of the near past, Winston Churchill, Mahatma Gandhi, Martin Luther King Jnr., Mother Teresa, and Henry Ford, you will see the same traits mentioned by the Apple Inc advertisement. These are People who believed they could change the world, and they did.

    I have learned several leadership lessons in my line of work, and from observing successful leaders. My favourite lesson is never to stop learning. The more knowledge you acquire, the more you’ are able to solve life’s problems either in the organization or at a personal level.

    Lesson two is that a leader needs to seek for advice. We should realize that we don’t posses the sum of all human knowledge, and when we seek for advice, we will see the world through another persons view. Consultations make other team members feel that they are appreciated and meaningful in the overall scheme of things. Good leaders are those that can listen. It’s puzzling how LISTEN is an anagram for SILENT!
    Lesson three is being decisive because after you have lived the greater part of your life, you will only regret the things you never did. Decisiveness is based on the premise that better to try and fail than never to have tried at all. Decisiveness also means that there is no one way of doing things correctly. Different leaders can take different approaches and still arrive at the same goal.

    Lesson number four is confidence which can also be termed as burning the ship. This is best espoused by the Spanish Warrior Hernán Cortés who is claimed to have burned his ships during battle so as to cut all sources of retreat for his troops. Confidence entails moving as if failure is not an option; as if failure does not exist. Confidence is the unwavering belief that you will succeed whatever the challenges you face.

    Lesson number five is team work. Benjamin Franklin nailed it when he said “We must all hang together or, most assuredly, we shall hang separately.” Team work is the principle that you will achieve more in the long run if you cooperate in tasks than if you work alone. If you go alone, you will go fast, but if you go as a team, you will go far. A good demonstration is a Marathon race where athletes run in groups, with pacesetters leading the pack. This way, the race is faster, covers greater distance, and the athlete that keeps to the group is likely to win the race which is a gruelling 42 kilometres. In the contrary, the 100meters race is very short, but the athletes run with individual effort, at super-human speeds. With such individuality, you cannot go far.

    Lesson number six is having ambitious goals. Without ambition, man has no difference with other primates. James Collins and Jerry Porras in their 1994 book entitled Built to Last: Successful Habits of Visionary Companies called this principle Big Hairy Audacious Goals “BHAGs”. A leader should understand reality but give hope to the team, dream big, and pursue those dreams. All the greatest inventions in the world from the Piano, to the light bulb, to the Airplane were all because of ambition.

    Lesson number seven is concentrate on one task and give it undivided attention. When you are distracted from your goal, you will loose focus, your target might take forever to achieve, or it might be superseded by other events. Apple Computers have employed this lesson very successfully by concentrating on very few products, but at the same time ensuring that the few products they concentrate on have the best quality in the market.

    Lesson number eight is encouraging growth within the team, and boosting others self esteem. When the team is empowered, it means that you can perform more since even with the absence of a key individual, others will be able to fit into those shoes, and the performance will not be affected. Encouraging growth also helps with succession. A company with good succession ensures Knowledge is transferred between team members.


    I got a call from a stranger selling a product with the marketing cliche “become wealthy and healthy”.

    I was curious on how the Caller got my number. As she giggled, “You are our corporate customer on Bank B remember, I’m so and so”.

    I politely declined the offer, but I’m just wondering how far our data is used by unscrupulous employees. Do these corporate companies (banks, hospitals, insurance firms, telecoms …) understand what data protection is and the liabilities they face if there is a breach? Suppose I used my call log to launch a formal complain or even sue the bank!

    What does the current law in Kenya say?

    How does this affect you? Identity theft is real and here with us. Anybody that can get access to full information on your identity can easily wipe your bank account.


    Netflix is the US based on-demand internet video streaming service that rolled out globally earlier this year. It offers subscribers an extensive array of streaming videos. Netflix is an expensive affair. To access it, you need a proper working broadband internet, a specialized device like chromcast to stream if you don’t have a smart TV or a computer, and pay a monthly subscription fee. This is out of reach of many Kenyans.

    Despite it being expensive, Netflix will disrupt the Internet landscape in Kenya. It will bring Internet prices down, increase internet access and coverage, and increase competition in the industry.

    Netflix is accessed through a broadband Internet connection. That means the 30 million internet users can theoretically access it. But they can’t since majority of them only have feature phones. Those with smartphones must be ready to break the bank to have enough data bundles to stream movies month in, month out.

    Affordable unlimited internet is the only way many Kenyans will be able to access Netflix. How Internet Service Providers (ISPs) improve their products and coverage to cater for home users will determine the uptake of Netflix. Zuku, and Jamii Telkom (JTL) are poised to lead on this one because they relatively have the best products on unlimited fixed broadband access in the market. But they will feel the heat because the international Netflix traffic consumes a lot of bandwidth. This may lead to trotting bandwidth to survive. Cellular companies like Safaricom, Airtel and Orange too can capitalize on Netflix demand if they can have competitive unlimited broadband Internet. Airtel’s Unliminit product seem to be popular within the low income bracket. Satellite provides too can roll out VSAT and cover underserved regions. The entrance of Kenya Power in the fray may be what the consumers need. Bruising competition.

    ISPs are barely scratching the surface with JTL having 7,486 and Zuku 50,000 subscribers. According to Communications Authority of Kenya (CA) data, broadband subscriptions increased by 19.3 per cent to reach 6.3 million in 2015, marking a penetration level of 14.7 per cent. Most of these being from cellular companies.

    Our market is unique. The cost for Netflix alone is around 800 bob a month, but the cost of unlimited broadband is around 4000 bob. 800 bob can give you 16 DVDs in River Road, enough to entertain your family for a whole month. Technology must match the cost of buying a counterfeit DVD to dismantle that market. That day is coming.

    To promote locally hosted content uptake, ISPs may need to discriminate between local and international transit. Netflix should setup a local cache, and ISPs should give an unlimited package for local content for say Ksh1000 a month, that will see local content production and utilization explode.

    This may go against net neutrality principles, but since CA has not given any policy direction on the same, the ISPs may take advantage of it. A cache peering at the Kenya Internet Exchange Point (KIXP) will make the service really affordable because the cost of international bandwidth will be eliminated.

    Every user I meet who lives outside the coverage area of fixed cable internet is praying that they roll out in their neighborhoods, although the ISPs are hesitant since the only wish to invest in areas where they have the highest return on investments.

    I live in one of the most non digital estate, a place called “Rungiri rwa Ngwaci”, where my village mates may never have use for the internet and where zuku or JTL would never have thought of venturing. But with Netflix, we might see places like “Rungiri rwa Ngwaci” covered because my neighbors may see the use of Internet as a tool for entertainment.

    When we reach that stage where internet is a utility like water and electricity, then we shall know development. Before then, let me renew my internet bundles before they expire. There is one more reason to have Internet at home. Family entertainment.

     

     


    (Published in Daily Nation in Kenya, and at circleid)

    A very Interesting meeting The Internet Governance Forum (IGF) with an ambitious theme of connecting the worlds next billion people to the Internet took place in early November in a beautiful resort city of Joao Pessoa in Brazil under the auspice of the United Nations. Few Kenyans paid attention to it yet the repercussions of the policy issues discussed affects us all.

    Each year, there is one topic that takes the world by storm at the IGF. Two years ago, it was surveillance. This year, it was net neutrality. Net Neutrality in its most basic form is the ability of Internet service providers to treat all content that pass through their network equally without any form of discrimination. For example, Safaricom should not give preference to Wikipedia.com offering it for free, or Airtel should not give preference to Youtube, giving it a fast lane at the expense of other websites. There are many ways to which Net Neutrality is abused, among them giving fast lanes to certain services, traffic shaping, and zero rating.

    Zero rating means the end user does not pay for accessing a certain service, but the service offerings are limited. For example, the user will only have free access to Facebook, or Wikipedia, and nothing else. The content the user can access is determined by those with financial power. And there lies the problem, limited access for the end user. You see, the Internet is a public good, an engine for economic growth and development. The utilitarian approach is therefore to have as many people have access to the Internet as possible for a nation to attain its economic potential.
    At the IGF, researchers took sides on zero rating depending on their interests. A research in Asia revealed that zero rated services were an entry point for people who had no access to Internet, and those who used zero rated services converted to paid users after a while. Another research showed that people don’t use the Internet not because of the cost or availability, but because they don’t need it. Weird conclusion I can say. An interesting fact is; in communities where zero rated services were the norm, the users did not know the difference between the Internet and Facebook. That is a major problem if you ask me. Another research by Mozilla Foundation dubbed equal rating found that when users are given Internet bundles, they accessed diverse types of websites, not just one single website. But the big question was who funded these types of research? Facebook was accused of flying Cabinet Ministers from developing countries to expensive resorts in California to influence them allow zero rated service in their countries.

    We should say no to zero rating because it leads to monopolistic behaviours, anti-competitiveness, and customer lock-in. Zero rating gives a false Internet because it removes incentives for giving the underserved regions a proper Internet. Remember the definition of Internet is a global system of interconnected computer networks, not just a single website.  Companies running zero rated services are crafty and just want to add up number of users to their platforms to increase their advertisement revenue streams. Zero rating stifles innovation because innovators are not able to penetrate the market where market leaders with tonnes of money have directed all the users to their own services.

    Zero rating is here with us. Airtel partnered with Facebook to offer Free Basics, a service that allows users to only access specified websites.

    The government has not taken any steps to protect the users, and innovators among us from such demeaning service. What is more annoying is government inaction to formulate proper ICT policies that move with the rapid changing times. Can you believe the National ICT Policy was last updated in 2006? It is therefore sad to have a government with pools of policy expert, who cannot formulate a Net Neutrality policy. The government is getting everything wrong in ICT policy formulation. Isn’t it Plato who said, “We can easily forgive a child who is afraid of the dark; the real tragedy of life is when men are afraid of the light!”

    All that notwithstanding, the government should pay keen interests to the following points:

    • Zero rating is illegal in most of the developed countries. Ask yourself why.
    • Communications Authority of Kenya (CA) is a regulator and not a policy maker. Without policy on Net Neutrality, they have nothing to enforce thus leaving market players to their own devices, and anti-competitive behaviour.
    • The community, in an all-inclusive manner should develop a Net Neutrality policy.
    • CA is usually given targets to ensure universal coverage of communication services. They are very happy to maintain the status quo since they will report zero rated services as a metric of increased Internet access. This will be a big lie because they will have denied the rural folks access to the Internet. We all know one website is not the Internet. The best practice is to have the regulator pressure telcos increase rollout in under-served regions as part of their Universal Service obligations.
    • Zero rating infringes on fundamental human rights by denying users access to the Internet. It may be a conspiracy to keep developing countries in the darkness of the information age.
    • Let us advocate for universal coverage, better utilisation of Universal Service Fund, telecommunication infrastructure sharing, increased road coverage, accessible wayleaves and cable ducts, affordable energy, local content and hosting. All these will ensure the COST of internet comes down to a level where every citizen can afford.

    As Vyria Paselk, Director of Internet Leadership at Internet Society put it, “if your country does not have access to the Internet, then you are not participating in the internet economy”. And isn’t the entire world now an Internet economy?

     

    Mwendwa Kivuva is a research fellow at Strathmore University’s Centre for Intellectual Property and IT Law, and a fellow at Kenya ICT Action Network (KICTANET), Nairobi, Kenya.

    kivuva@transworldafrica.com, Twitter: @lordmwesh


    (Published in Daily Nation on Tuesday 19th January 2016)

    Technology can help Kenya achieve free Universal healthcare, and make it efficient too.
    Kenya is a country where its leaders have the temerity to gives its children dog food, as the leaders eat pizza.

    Consider this; healthcare in public hospitals is pathetic. It has always been like that. The public hospitals are ill equipped, Patients share beds, subjected to demeaning service , drugs are missing, doctors are few and apart, and when they are available , they do speed diagnosis so that they can go back to private practice. This systematic ruin has led to years of neglect in our healthcare system. Persevering Kenyans are used to this. They have accepted the poor service as a standard, dreading when they shall fall sick. The struggling middle-class raise funds, take loans and insurance to go to private hospitals. They are trying to escape the failures of government, and are too busy to pressure the government to offer better healthcare.

    This can change. And it would not cost an arm and a leg. Nearly all civil servants access healthcare in private hospitals. Private hospitals are doing booming business. They are equipped, pharmacies have drugs, hospitals are clean, and doctors are always on time. All this is paid by taxpayers, literally. And these private hospitals are conniving. They triple bills, conspire with patients for claims, and all manner of unimaginable malpractice.

    The government could have a policy that requires patients whose bills are paid by taxpayers to only access treatment in public hospitals, from the President to the lowest ranked civil servant. The policy makers would therefore demand better services because it affects them directly, and the benefits of this would reach every Mwananchi. This way, government would prioritize healthcare the way they prioritize other infrastructure projects. Former health Minister Charity Ngilu tried to change public perception by insisting on being admitted at KNH whenever she was sick.

     

    Assuming the 150,000 civil servants together with their families use Ksh100,000 per year on medical care, that translates to 15billion. If this is allocated to public healthcare, it is enough to build 4 hospitals the size of KNH every year.

     

    It’s scandalous that one hundred and fifteen years since King George hospitals (now Kenyatta hospital) was built, there is no national Electronic Medical Records (EMR). According to the US which has a Health Insurance Portability and Protection Act (HIPPA), an EMR is a systematized collection of patient and population electronically-stored health information in a digital format. These records can be shared across different health care settings. Records are shared through networked, enterprise-wide information systems. EMRs include a range of data, including demographics, medical history, medication and allergies, immunization status, laboratory test results, radiology images, vital signs, personal statistics like age and weight, and billing information.

     

    EMR systems are designed to store data accurately and to capture the state of a patient across time. It eliminates the need to track down a patient’s previous paper medical records and assists in ensuring data is accurate and legible. It can reduce risk of data replication as there is only one modifiable file, which means the file is more likely up to date, and decreases risk of lost paperwork. Due to the digital information being searchable and in a single file, EMR’s are more effective when extracting medical data for the examination of possible trends and long term changes in a patient. EMRs also facilitate population-based studies of medical records.

     

    An EMR is ripe for Kenya which is committed to ensuring there is Internet in all health centers across the country by the year 2017. An EMR will bring efficiency to our hospitals and cut on costs, reduce the number of record officers, eliminate storage of voluminous files, and the time doctors spend with patients. Patients on the other hand will be able to access quality medical care anywhere in the country.

    I hope the current CS Dr. Mailu can read in between the lines and rescue ailing Kenyans. From his resume, he’s an intelligent and accomplished man. He can convince the self-christened digital government to walk the talk. If he teams up with the ICT CS Mucheru, I believe that will be a winning combination in bringing meaningful change.

    A healthy nation is a wealthy nation. With technology, and all of us eating dog food, we will achieve free universal healthcare.