KRA, Safaricom & You

So, there I am, like a good boy, reading my morning paper. I come across this story in the Business Daily. And upon reading it come across this, that triggered the following reaction

The section in particular was this one

mining

Yes, friends. The Kenya Revenue Authority is / wants to data mine your transactional information.

Personally, this offended my sensibilities. And it should offend yours too.

Of course the question arises, what’s the big deal?

Well to understand, perhaps a shotgun data mining primer.

Data mining, to cut a long story short, is a fascinating discipline that I have spent a few years studying and designing solutions around. It is basically using transactional data to detect patterns and trends.

The technical details of how this is done are fascinating but I need not go into detail. But it is used by serious companies to derive insights from data. Have you ever wondered why your mobile phone tariff is what it is? Or why there are promotions with strange twists like free calls that on paper make no sense?

Data mining.

If you find, for example, a promotion where they tell you that free calls begin from minute 3, that is because call logs were mined and it was found that most telephone calls are shorter than 3 minutes. Ergo those that make 3 minute calls will pay for those what make longer than 3 minute calls.

Examples abound.

Let me be blunt – given enough of your data, I OWN YOU.

Back to the point.

KRA wants to mine our transactional records.

An mobile money transaction contains the following

  • Date
  • Time
  • Sender
  • Recepient
  • Amount
  • MPesa outlet

If you give me a large dataset with ONLY this information over say 4 months I can tell you the following with a pretty large confidence level. Which is not to say it is 100% gospel truth, but can be pretty accurate.

  • Where you live
  • Where you work
  • When you are paid
  • How old you are
  • Your gender
  • An idea of how well of you are financially
  • Whether you are married or not
  • Whether you have children or not
  • Etc

And no, this is not magic. It is a simple co-relation of data.

For instance, the MPesa outlets you go to are usually the ones nearby.

For instance we notice that John goes to the same 3 or so MPesa outlets between 8 AM and 5 PM, and then a 3 different ones between 5PM and 10 PM.

BTW am using MPesa because the numbers of Orange Money, Airtel Money, Yu Cash etc. are of nuisance value. But the principals still apply.

We know where these outlets are.

We can therefore infer that the outlets John visits during the day are those near where he works and those in the evening are those near his home. Given enough outlets we can triangulate with great probability where exactly he lives.

If we notice a sudden spike of transactions (payments) around 3rd we can infer he has received inflows of cash fairly recently. If the same patterns repeats every month we can infer that the income  is regular.

Analyzing the recipients can tell us a lot about John.

If his payments are mostly to bars, utility bills and ticketing to event websites we can postulate John is probably a young bachelor.

If his payments include school fees, salons, supermarkets – we can infer John probably is either married or has a significant other, and probably either has a child or is supporting one.

I can go on about how you can infer a lot from this data (believe me this is just scratching the surface) but you get the drift.

It offends me that KRA want do this all the time. Not because I have anything to hide, but I resent that government feels like it has the right to scrutinize me in this fashion as if I am already guilty of something.

So I of course asked our friends at @SafaricomLtd

And asked them again

Their original response was they didn’t have any information about it, and I forgot to take a screenshot as that tweet has since vanished.

Next was this

And then I asked

Last I’ve heard from them. And by the way that response is bana oil. Transaction infromation without send and recepient is ABSOLUTELY useless to the KRA

So there are two queries

  1. Is it legal for Safaricom to hand over our data for mining?
  2. Is it within their terms of service to allow this?

Let us begin with the second.

Since most of you I feel sure never read a word of the terms of agreement, here it is in its entirety [PDF]. In case it is accidentally lost in a site update, I have saved a local copy.

The relevant sections are two.

One is under Privacy, Section 4

image

The other is under Disclosure & Data Retention, Section 16

image

Now, I am no lawyer but handing our data to KRA to data mine does not strike me as being within “genuine inquiry or investigation”.

In fact, the only way genuine inquiry can be stretched to allow what KRA wants would be if KRA says “we suspect EVERYONE of tax evasion so hand over everyone’s data”.

Is Safaricom handing over our data in breach of their own agreement?

Lawyer types, please assist.

It should bother you that KRA wants to just mine your information, never mind that you’re not actually guilty of anything.

The other issue is the larger issue of what Government can do / does with our data. Our data protection bill has been stuck in parliament for stages but it simply cannot be that government can willy nilly mine citizen data for its own ends in a civilized society.

This simply cannot be.

23 thoughts on “KRA, Safaricom & You”

  1. I’ve heard of a massive project underway to link your ID, bank accounts, PIN, mobile number, email etc to a central database where the government can easily mine this data and share it with interested parties. Call it the Kenyan PRISM

  2. I had heard of a pilot project where taxes would be remitted via mPesa……don’t know how this play out.

    Iko shida.

  3. MMK

    The project is called IPRS(A department within the defunct Immigration Ministry) – Integrated Population Registration System based loosely on the US social security number. It generates a unique Identification number for consolidating all types of registration. It has many merits as for the demerits, well that is for another day.

  4. They already done it. IPRS is behind the RFID in the new Kenyan passport, the RFID in the new Kenyan identification card, the new hologram chip on your government issue vehicle number plate, the mobile number registration, the voters registry, and it has been going on with no prior consent from the people.
    Weren’t the people not arm-twisted into registering their mobile lines?
    Were the people given T&C’s which said with the issuance of this passport you can be tracked and your location given over to anyone who needs it across the United Nations Security Council?

    Back to taxes, what right did the taxman have to start taxing rental income? What justification is there for them to demand citizens loyalty in paying taxes yet they splurge it on parliamentary seat refurbishment and 3000cc fuel guzzlers for transportation? Werent civil servants allowed 1 official car alone, and that’s the top brass, then where is the justification in most of the Vice Chancellors and Public Secretaries and the like have garages bedecked with a range of German and Austrian cars?

    #FreeJahar

  5. The big issue is what regulations/ laws are in place to protect Wanjiku’s online privacy. It quite obvious that very few understand how dangerous it is to trust state agencies and private firms with so much information.

  6. Your Research is a wow, Only that we should read positive into what the Government agencies and loyal stakeholders intent for its citizens. Its for good not for evil. Tracking is inevitable in order to provide the citizens what is due to them. Do more research on CHIPS and that will even shock you more to the core.

  7. Actually taxes are levied on all incomes legal or illegal which includes rental income & the taxman did not start taxing rental income but merely started enforcing Income Tax Act cap 470 that requires taxes be paid on rental income less any expenses incured in generation of the same.

  8. Our only defense right now is the incompetence of our governmental institutions. Somehow I reckon they’d find a away to f*ck this up. But for how much longer?

  9. Privacy is the hefty price we are paying in exchange for technologically tailored conviniency. I agree that the data is important to the service providers to project trends and all that. Safaricom’s reply that it respects and protects customer data is just a PR stunt. Remember the tech giants had also refuted claims they were sharing data with NSA until Snowden came up.

  10. This is nonsensical, KRA is a Law Enforcement agency with policing and investigative powers to enforce over 18 laws in Kenya. The ignorance displayed here is shocking….!

  11. Good content (A few typos here and there). But that aside. The privacy implications here are extremely serious. The unfortunate thing is that the people who call the shots are pretty impervious to such concerns because I believe they don’t understand simple human rights – and privacy is one of them. Informational self determination is key and should not be lost because there are air-heads calling the shots.

  12. That is freaky weird… the devil is in the details and I wonder why I never read the Terms And Conditions before acceding to this freaking contract

  13. Very important post … salient issues emerging with the growth of data (collection, value) and technology. Would be interesting to find out what the law (yers) say re: data protection bill, privacy laws and so on.

Leave a Reply

Your email address will not be published. Required fields are marked *