Well, in this case she doesn't :)

Then there are varieties of access. SMS is user privacy level - direct verification method, under user control (can delete it).

MPESA statement is robustly generated from org data stores/records, issued by the org as an official asset (even if you losse the SMS, statement remains), so it will naturally have org measures applied - can't be deleted by the user in the org data store!

Even so, open to hearing others thoughts.



On Thu, Sep 5, 2024 at 2:57 PM Ochieng A. Ogango <aochieng260@gmail.com> wrote:
Cephas,

Why is it that Safaricom masks numbers on the statement, yet that information comes back to the account owner when you send money.

Why do I need a court order to get information that I already have?

Kind regards,

Ochieng  A. Ogango

Advocate, LLB (Hons), CPM(M.T.I)



On Thu, Sep 5, 2024 at 1:38 PM Cephas Joseph via KICTANet <kictanet@lists.kictanet.or.ke> wrote:
Liz, 

Kenya it is, but (un)fortunately Kenya also has that standard process of Police/DCI -> Court -> Safaricom for data access.
Safaricom is a data custodian hence has obligations and accountability for any persons data, (illicit) beneficiary and owner too.

Two scenarios::

1. Full transparency by Saf to the owner, with the risk of exposure for (illicit) beneficiaries. Take a case where, even innocently, one accesses the unique MPESA statement code sent via SMS and authN to your statement. With numbers in plain text, what can they do?

2. With current masking, protecting beneficiaries numbers, when one accesses the unique MPESA statement code sent via SMS and authN to your statement, the masked numbers aren't useful for them. This covers both beneficiary privacy and assures Saf accountability.

Unfortunately, Safaricom would not place the privacy burden on the customer. DPA laws shift this labor to the org, aye? The criminals are also Saf's customers, you know!

I suppose visiting an official Saf Shop, for a thorough verification of customer ID, then being issued with the specific, limited data (cell nos.) needed might be a way? Or adopt a technical means, coded MPESA statement in app, with strignest security/privacy controls (TBD)?



On Thu, Sep 5, 2024 at 1:04 PM Wilfred Omondi via KICTANet <kictanet@lists.kictanet.or.ke> wrote:
Hi Liz,

From experience,  once such a case is reported to a police station,  the OCS/Deputy OCS should assign a DCI officer to investigate. The DCI officer should ask the court for a warrant/court order so that he/she can present to Safaricom for cooperation during the investigation.

If you don't get such a help from the police station,  you can also go directly to the DCI office in Kiambu and an investigating officer should be able to help.

All the best.

On Thu, 5 Sept 2024, 10:38 Liz Orembo via KICTANet, <kictanet@lists.kictanet.or.ke> wrote:

Dear listers,

See this case in twitter. A lady was carjacked, her phone stolen and mpesa transferred to other numbers by thieves. Safaricom does not want to reveal the beneficiary numbers for the criminal transactions to the registered line owner. This is despite them going to Safaricom with an OB number.

Question:

1. Is Safaricom justified to use data protection for its reason to decline request for information? What’s the real intention of the DPA?

2. Where are consumer and data protection rights on the side of the line owner? Esp where data protection policy is in conflict with consumer interests?

3. The line infrastructure belongs to Safaricom, but who does the transaction data belong to? And how do they share the responsibilities to protect the data?

4. Are there laws to solve this situation in the interest of the customer? Do we need to amend some?

Best regards.
Liz.

PGP ID: 0x1F3488BF
_______________________________________________
KICTANet mailing list -- kictanet@lists.kictanet.or.ke
To unsubscribe send an email to kictanet-leave@lists.kictanet.or.ke
Unsubscribe or change your options at: https://mm3-lists.kictanet.or.ke/mm/lists/kictanet.lists.kictanet.or.ke/

Mailing List Posts Online: https://posts.kictanet.or.ke/

Twitter: https://twitter.com/KICTANet/
Facebook: https://www.facebook.com/KICTANet/
Instagram: https://www.instagram.com/KICTANet/
LinkedIn: https://www.linkedin.com/company/kictanet/
YouTube: https://www.youtube.com/channel/UCbcLVjnPtTGBEeYLGUb2Yow/
WhatsApp Channel: https://whatsapp.com/channel/0029VaQsX4w6mYPIctLsGh1K

KICTANet is a multi-stakeholder Think Tank for people and institutions interested and involved in ICT policy and regulation.
KICTANet is a catalyst for reform in the Information and Communication Technology sector. Its work is guided by four pillars
of Policy Advocacy, Capacity Building, Research, and Stakeholder Engagement.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's
times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your
wares or qualifications.

PRIVACY POLICY: See https://mm3-lists.kictanet.or.ke/mm/lists/kictanet.lists.kictanet.or.ke/

KICTANet - The Power of Communities, is Kenya's premier ICT policy engagement platform.
_______________________________________________
KICTANet mailing list -- kictanet@lists.kictanet.or.ke
To unsubscribe send an email to kictanet-leave@lists.kictanet.or.ke
Unsubscribe or change your options at: https://mm3-lists.kictanet.or.ke/mm/lists/kictanet.lists.kictanet.or.ke/

Mailing List Posts Online: https://posts.kictanet.or.ke/

Twitter: https://twitter.com/KICTANet/
Facebook: https://www.facebook.com/KICTANet/
Instagram: https://www.instagram.com/KICTANet/
LinkedIn: https://www.linkedin.com/company/kictanet/
YouTube: https://www.youtube.com/channel/UCbcLVjnPtTGBEeYLGUb2Yow/
WhatsApp Channel: https://whatsapp.com/channel/0029VaQsX4w6mYPIctLsGh1K

KICTANet is a multi-stakeholder Think Tank for people and institutions interested and involved in ICT policy and regulation.
KICTANet is a catalyst for reform in the Information and Communication Technology sector. Its work is guided by four pillars
of Policy Advocacy, Capacity Building, Research, and Stakeholder Engagement.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's
times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your
wares or qualifications.

PRIVACY POLICY: See https://mm3-lists.kictanet.or.ke/mm/lists/kictanet.lists.kictanet.or.ke/

KICTANet - The Power of Communities, is Kenya's premier ICT policy engagement platform.


--

    
---
Cephas O.M 

                          
_______________________________________________
KICTANet mailing list -- kictanet@lists.kictanet.or.ke
To unsubscribe send an email to kictanet-leave@lists.kictanet.or.ke
Unsubscribe or change your options at: https://mm3-lists.kictanet.or.ke/mm/lists/kictanet.lists.kictanet.or.ke/

Mailing List Posts Online: https://posts.kictanet.or.ke/

Twitter: https://twitter.com/KICTANet/
Facebook: https://www.facebook.com/KICTANet/
Instagram: https://www.instagram.com/KICTANet/
LinkedIn: https://www.linkedin.com/company/kictanet/
YouTube: https://www.youtube.com/channel/UCbcLVjnPtTGBEeYLGUb2Yow/
WhatsApp Channel: https://whatsapp.com/channel/0029VaQsX4w6mYPIctLsGh1K

KICTANet is a multi-stakeholder Think Tank for people and institutions interested and involved in ICT policy and regulation.
KICTANet is a catalyst for reform in the Information and Communication Technology sector. Its work is guided by four pillars
of Policy Advocacy, Capacity Building, Research, and Stakeholder Engagement.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's
times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your
wares or qualifications.

PRIVACY POLICY: See https://mm3-lists.kictanet.or.ke/mm/lists/kictanet.lists.kictanet.or.ke/

KICTANet - The Power of Communities, is Kenya's premier ICT policy engagement platform.


--

    
---
Cephas O.M