By John Walubengo
Recent media reports indicated that the Communication Authority (CA) has finally been granted the green light by the Supreme Court to install a phone spying gadget, the Device Management System (DMS).
From the CA tender documents, the DMS that the regulator intends to deploy is a gadget that links into the operator networks to block stolen, counterfeit, substandard, and SIM-box devices from communicating on the telecommunication networks.
Stolen, counterfeit or substandard devices are a well-known socio-economic menace for the National Police Service and the Kenya Bureau of Standards, not just telecom operators. Such devices need to be blocked from communicating over our networks since they are often used by both criminals and innocent citizens who may have been duped into buying them.
But then, that’s the good side of things. Civil society groups felt that most good things come with some evil aspects and thought that the gadget, if installed, could be used to claw back some of the civil liberties Kenya has fought so hard to enjoy, through state surveillance and denial of communication service, amongst others.
The legal merits and demerits of the case, as set out in the Court of Appeal Judgment of 2020, were well dissected by the Strathmore University Center for Intellectual Property and IT Law, and I will therefore avoid that conversation.
I also blogged several years ago about the technical aspects of the DMS and will perhaps just want to review the same in light of the Data Protection Act (2019), which had not been enacted at the time.
Whitelist vs Blacklist Databases
First is the idea of a ‘CA Whitelist’ database.
It is not clear why CA would wish to have a whitelist approach as opposed to a ‘blacklist’ approach. When trying to block illegal devices, one can provide a list of approved devices (e.g., mobile phones) that mobile operators can run on their networks – which becomes the ‘whitelist’.
Alternatively, CA could provide a list of non-authorized devices that should not run on the mobile operators’ networks – which becomes the ‘blacklist’. From a security perspective, the whitelist approach tends to be more secure (restrictive) in the sense that if your device is not on the whitelist, the mobile operators should not provide you with communication services.
However, a whitelist presents a bigger privacy nightmare in the sense that CA now has to secure and protect a larger number of data sets, 50 million and above. Had they adopted a ‘blacklist’ approach, fewer devices would be reported and recorded into a smaller, ‘illegal database’.
In security terms, CA just made itself a hot target for cyber-attacks. Whereas CA can take care of its digital assets, given that they host the national Computer Incident & Response Team, one still wonders why it would want to expand its attack surface and invite extra attention from hackers.
Indeed, the bigger threat would be from the ‘insiders’ or 3rd parties authorised to interact with the system. The list of 3rd parties includes but is not limited to KRA, Kenya Police, Mobile Operators, and Anti-counterfeit agencies amongst others.
It would be interesting to see if the mandatory Privacy Impact Assessment that CA has to carry out with its 3rd parties would be made public. Even more critical is to see the contents of the Data Sharing Agreements that CA will sign with these third parties.
The devil, as they say, is always in the details.
The privacy, or lack of it, presented by this new system will depend on how well the privacy impact assessments are carried out and how well the data-sharing agreements are drafted and executed.
John Walubengo is an ICT Lecturer and Consultant. @jwalu.