The Economy Of Data

Understanding and optimizing the foundational inputs that will power Artificial Intelligence in Africa.

Recent posts:

About the Author:

Linet is a computer scientist, Certified Data Privacy Solutions Engineer, and practitioner in AI policy, data science and data policy. She works to strengthen data ecosystems in partner countries across Africa and Latin America, as well as strategies to tackle technical challenges and achieve their data for decision and policy making commitments.

  • Dear Internet, I Love You But We Need to Talk…

    Over the past few weeks, the world has boiled over with the revelations of how Facebook allowed its vulnerabilities to be exploited by Cambridge Analytica (CA) in using data of its users in political campaigns.

    For most of the global North, these conversations have carried on to a point leading to the Facebook CEO, Mark Zuckerberg appearing before a senate committee hearing and two CEOs of CA finding their way in an out the position due to the complexities of the outcome of the events.

    The news that Cambridge Analytica harvested 50 million Facebook profiles is a major data breach . The point in fact is without the consent or knowledge of the Facebook users. The wrongdoings of FB and CA are widespread in the Global North with a lot of users expressing their concerns while many celebrities including Elon Musk opting to delete their and companies’ facebook pages.

    In the Global South, these revelations have led to the call for better data privacy and protection practices while some have gone as far as recommending that African countries adopt the European Union’s GDPR policies that will come into effect in May 2018.

    Given these revelations, I seek to understand, if our personal data is really as valuable as we make it be, why are we so careless with how we share it, who we share it with and where we share it.

    Considering the following statements:

    “We exploited Facebook to harvest millions of people’s profiles and built models to exploit what we knew about them and target their inner demons. That was the basis the entire company was built on…”

    and that

    “about 270,000 users agreed to have their data collected and used for academic research in exchange for a small payment, we conducted a survey to understand more about the effect of sharing personal information on social media.

    Below is an image of the data protection landscape in Africa, where only 17 countries have defined data protection legislation.

    The Africa Data Protection Landscape. Source, @Deloitte.

    Sample size: 500

    Location: Kenya

    Project platform: poll.co.ke

    Here are the top 5 insights about Kenya, Facebook Use and Sharing of Personal Information.

    #1. Third party applications and many other applications access our personal data because we share it with them. What we don’t know is how do they use it? When asked whether they were aware that Facebook authorized the use of their data by third party applications, our respondents had something to say…

    #2. Ever wondered why those that use FB are all stuck with it? While some use the service to store old pictures, well, it’s mostly to stay in touch with friends and family.

    #3. After the recent revelation that CA improperly accessed Facebook users’ personal information, Kenyans were prompt to act by reducing interaction with Facebook, changing user settings while others continued with normal operation of FB, unfazed.

    “Less than a second later, a Facebook app had harvested not only Mr. Deason’s profile data, but also data from the profiles of 205 of his Facebook friends. Their names, birth dates and location data, as well as lists of every Facebook page they had ever liked, were downloaded — without their knowledge or express consent — before Mr. Deason could even begin reading the first survey question.” reported The New York Times.

    #4. It is also interesting to see how helpless social media users are, especially since they do not trust the services but still continue to use them. Also, a key lesson to getting users to trust your services? Have them read the terms and conditions of the services.

    An analysis of those that read, do not read or do not remember reading or not the terms and conditions and whether they trust the services or not.

    #5. The respondents strongly felt that Instagram, Facebook and OLX are the applications that mostly misused their information. Mobile lending apps like Branch and Tala also had a significant showing while betting apps were also accused of misusing customer data.

    In summary, loads of data and personal information has been collected and used to influence our decisions, behaviors and perceptions of others. In 2013 and 2017 campaigns of Kenyans’ Presidential elections: The personal data collected was used inappropriately. We face limited data protection in Africa and Facebook sees 123 million users across sub-Saharan Africa.

    The GDPR specifies that users need to sign different opt in consents for custodians of their data to use the data especially for marketing etc. Just because a user gave you access to their mobile phone number to allow you to complete a service does not grant you the permission to send them a marketing campaign or a new product.

    So, which way, Kenya?

  • The Internet of You.

    28th January was World Data Privacy/Protection day. A day that is well represented and known in the Global North. It so happened that on this day, I was in Amsterdam enroute to San Francisco for our Mozilla Work Week and when I got on the internet at the airport, I kept getting all those notifications from the various sites I visited telling me that i had to be sure that i knew that the site was either using cookies or that they would be collecting or monitoring information about my activities online. Thanks European Union! This is as a result of the GDPR regulations in the EU. Upon landing in San Francisco (read jet lag) I was back to normal operations where no one bothered to let me know that they were looking at my clicks and swipes.

    Last week, in readiness for the day, we decided to carry out a survey in Kenya where the idea was to understand whether people generally knew about the ideas of data protection. The survey was administed to 200 respondents spread across the 47 counties of the country. Below is a summary of the findings.

    1. A whole lot of people are aware about Data Privacy…

    2. Surprisingly, more people read the terms and conditions but…

    3. …Not enough people have the power to do anything about what they just read. They find the terms too complex, time consuming or helpless since its my way or the highway.

    4. The data protection bill has been in discussion for a while now and interestingly, a lot of people have read it. The bill is available here.

    5. In comparison to what the government defines as personal information, more people have varied ideas of what that should be. To most, Personal Information has a lot to do with their bank accounts and family information.

    6. While some people have had their information obtained and used against their consent…

    7. … A lot of people have lost this data to their close friends! So careful with who you trust out there!

    8. It was quite interesting that more people know that they are ultimately responsible for their data. That said, it looks like the government is also deemed responsible for some of it.

    9. We sent out a targeted survey to people around the country (47 counties) and received responses from 22 counties. Not bad 🙂 We hit our 200 people target.

    In conclusion, this was a great exercise and the findings were quite interesting. At the end of the day, your data security is your responsibility. The government has been discussing the data protection bill since 2013 and still no progress made. Private sector organizations have their own vested interests in accessing and using private data and in some cases, we have seen close family and friends use our information to defraud us.

    Take away, guard your information because it is the power that can be used for or against you. All the best!

  • Identity Theft, Is This Really You?

    The fluidity with which we treat our personal information is surprisingly underestimated. The ease with which we share information with perfect strangers, leave our very important details and documents without having agreed to terms and conditions is also quite surprising. Especially in Kenya.

    The other day i came across the image below shared by @0000001ac on instagram.

    The same individual had cloned himself 6 times, using what you would think are “fake details” of a national identity card number.

    At first stance, I thought that the numbers that are used on the various cards were made up. So i decided to put these thoughts to a test.

    In a previous blog post, I talked about Elections and Government Systems and the little that is done to protect citizen data. So, I only share the following information purely out of the fact that these details are freely and publicly available online, through a government body’s website. And also to prove a point.

    I took the ID numbers on all the fake IDs above and used the online verification system for voter registration to try find out if these numbers were indeed legitimate.

    All 6 numbers were and they indeed belonged to registered voters of Kenya.

    There are numerous things that one can do simply by holding a “valid ID card” in this country. “Proof” that you are a citizen of Kenya, open a bank/Mobile money account, get a job, own property e.t.c

    With the disconnection of our government and corporate systems, there is also no saying what one can do as an owner of multiple identities ranging from fraudulent transactions to easily acquiring citizenship of this country.

    So, my question to you is, when you walk/drive into that building and leave your identity card, name, car registration details, e.t.c, details that should be guarded with your all, is there only you in existence?

  • Elections Systems and Citizen Data Protection.

    Governments and government agencies globally are some of the largest custodians of citizen data, collected over time for various intents and purposes as prescribed by different laws. The Kenyan government is no different. This is an essential part of the government’s planning and especially in resource allocation.

    The Independent Electoral and Boundaries Commission is an independent body that is responsible for the collection, storing and use of voter details to carry out voting exercises around the country. The Kenyan elections happened 8th August 2017 through a process that was both nationally and internationally acclaimed and criticized in equal measure. The recent Supreme Court Running overturned the outcomes of the elections and ordered for a new election scheduled for October 2017.
     
    To qualify as a voter in a Kenyan election, one must be a Kenyan Citizen, be above the age of 18, hold a national ID or Passport and register as a voter. After the voter registration process, all voters are encouraged to verify their registration details through online or mobile systems set up by the IEBC as stipulated in the elections laws. The details that are collected about the voter include the Voter’s ID/Passport number, name, their age, gender, and birthdate. These are also the same details that are verified by the voter using the online/mobile systems.

    According to the Access to Information laws 2016 on personal information that should be protected, a few key parameters stand out; information relating to gender, age, birth of an individual, any identifying number (ID/Passport). These are exactly the details that were collected by the elections body for 19,687,563 citizens of Kenya. 40% of the population.

    System Privacy Vulnerabilities:
    In the advent of data protection regulations and interventions, these regulations aim to regulate the collection, retrieval, processing, storage, use and disclosure of personal data. The IEBC is required by law to make the voter register available for individual verification of registration status online.

    With the rising cases of identity theft in Kenya, the expectation is that the security of a system that carries 40% of personal data of Kenyan Citizens would be secure enough to prevent any cases of data breach or theft; instead, the system that was deployed had some weaknesses that exposed all of the data that should be protected freely and openly accessible to anyone that could type any variation of numbers that match a national ID number.

    Some of the system weaknesses include:

    1. No captcha

    The initial voter verification system had no captcha (a program or system intended to distinguish human from machine input, typically as a way of thwarting spam and automated extraction of data from websites), meaning that a well versed computer programmer could write a piece of code that could harvest all the data from the voter register.

    Even with the introduction of a captcha after a public uproar on the vulnerabilities of the system, the system still only required the entry of an ID number, any ID number, to get multiple layers of citizen personal data.

    2. Selling the entire database for $200

    Systems in most developing countries are usually porous enough to allow for mashing up of different datasets to recreate an identity or detail of an individual. The IEBC selling an entire voters’ register to whoever could afford to pay $200 meant that this information could potentially be used to reconstructed to create the identities of individuals, a result of which could be used for targeted reach of un-consenting voters.

    The above is a text message I received from an aspirant that not only identified me, but also had the exact details of my polling station.

    3. Not limiting access to the voter register.

    Anyone with a mobile phone or an internet connection had access to pretty much the entire voter register depending on their determination to access it. There was no security feature installed to ensure that for one to have access to the voter details, they had to have a level of knowledge of the voter.

    All the details contained in the above image are great parameters for identity theft.

    Recommendations

    Citizen data being very critical for national and subnational planning, there needs to be more that is done to ensure this particular set of data is not only secure but that it is also kept clean, accurate and correct. The easiest way to ensure that this happens is by streamlining the processes that are involved in data collection, storage, access and dissemination.

    Custodians of any datasets that contain personal data of any individuals need to be properly trained on how to handle that data and especially to prevent cases of introducing impurities into the data, such that the data becomes too unreliable and undependable especially for decision making.

    Access to datasets that contain personal data needs to be limited to only those with the right clearance of the owners of that data themselves. Article 31(c) of the Kenyan constitution under the right to privacy provides that citizens have a right to not have information about their private affairs unnecessarily required or revealed.

    For mass access of data, the normal standard is to anonymize the data as much as possible so that it cannot be used to map back to any one or group of individuals. These lessons can be taken in to inform the process that is going in to inform the formulation and improvement to the current data protection bill. To do it right before it becomes law.

  • Privacy in The Era of Big Data

    In an age where the Internet does not forget, access to technology and technological devices is not only easy but cheap. People are using all kinds of tech products and services and most users sign on to these services without reading through the terms and conditions keenly to ensure that they are protected before sharing their private information.

    On top of that, most organizations (private and public alike) tend not to invest enough in ensuring the protection of user data. The rules and regulations are also very lax, especially with the lack of data protection laws in most countries and thus, there are currently no real consequences for the mishandling of private or personal information.

    Data protection and privacy are some of the most underrated acts of personal protection. Without proper laws, rules, regulations, and sensitization around data protection and privacy, increasing numbers of corporate and government institutions will continue to exploit user data for their own benefits without proper consent or acknowledgement. And without meaningful data literacy, individuals will continue to share private information online while being oblivious of the impact of their data being made available in this way.

    By being unaware about the value of their data, Internet users expose themselves to cases of identity theft and data fraud. Increasingly, these cases are starting to take center stage in developing countries. Cases of identity theft are rapidly growing in East Africa with unsuspecting victims having their identities used for criminal activities or even signing up for services that they do not consent to.

    A recent example of this problem occurred in the just concluded election in Kenya, where voter data for those that are registered ended up in the hands of those that were campaigning for various electoral seats. As a result, many people took to social media to demand that their data be either removed from the voter register that had been shared online or that the electoral commission implement better security measures on the data that has been entrusted with them.

    For a healthy Internet, users need a level of assurance that what they share online will not be used against them. Through the Mozilla fellowship, I aim to raise awareness on the need for data protection and privacy, especially among consumers and providers of services. The support by the Mozilla Foundation is especially important to support the study of the various existing laws that touch on data protection and privacy and cases of infringement of user data privacy in the public and private sectors.

    Through this fellowship, I will have engagements with various key stakeholders (policy makers, industry players and the consumers) and make recommendations on how to ensure that the existing data protection and privacy regulations are more inclusive and that they are educating users on the measures that can be taken to protect their data, while at the same time developing guidelines on how service providers can protect user data more effectively. All the findings are recommendations will be published.

    I was the project coordinator for the Government of Kenya’s Open Data Project and during this time, I was able to create professional networks with the various key stakeholders both locally and in the East African community. This will create an important platform to steer this work. The tech policy fellowship has also provided a great avenue to continue the work and especially to focus on ways to improve our data access, communication and dissemination.