Good morning, 

Topics of Discussion

 

Day  1                     Governing data and protecting privacy.

Day  2                     ICT's and the upcoming elections.

Day 3           Connecting all people and promoting cyber hygiene and emerging issues including youth, online work, inclusion and regulation.

 

Day 1:  Governing Data and Protecting Privacy

Noted: The Kenya Data Protection Act was gazetted in 2019, An Act of Parliament to give effect to Article 31(c) and (d) of the Constitution of Kenya, 2010 (Right to privacy); 

• To establish the Office of the Data Protection Commissioner;
• To make provision for the regulation of the processing of personal data; 
• To provide for the rights of data subjects and obligations of data controllers and processors; and for connected purposes.
•  

Asked: as a lister how safe do you feel about the safety of your personal data online? What do you think could be done better to improve the protection of data online?

Answered: people are over fearful regarding the issue of data protection. It was suggested there is need to take the same approach as organizations are doing by conducting a personal data privacy impact assessment. E.g. what is the real risk of your personal identifiable Information leaking? One example was the personal telephone number. You hide it online but hand out your business cards that have your contact details.

Asked:  how safe are children and persons with disabilities on their data privacy? 

Observed: recently the number of Socially Engineered emails received is at an all-time high. Spam calls also seem to be on the rise. It looks like scammers have realized that the new field of play is the Internet as such I am increasingly weary about engaging in e-commerce transactions online especially using public networks.

Concerned: to know the current statistics in so far as Internet related fraud is concerned and how many people have actually been charged for perpetrating such acts. Maybe the Ke-CIRT team can assist us with the statistics.

Emphasized: children are ever ahead of adults in discovering and using tech applications and tool. The Communications Authority has been running a Child Online Protection program for a while and would be keen to know the current state of play in so far as data protection is concerned. 

Noted: @Lillian recently posted an article from Human Rights Watch on misuse of data by companies targeting children, it would be interesting to hear if any measures have been taken by the Office of the Data Protection Commissioner to curb this.

Recommended: If I may offer you a tip and a safeguard on e-commerce: there are cards that banks issue whether you bank with them or not, which you can load using Mpesa and use to transact online so that you do not expose your main card to fraudsters. I have had one from I&M Bank since 2011 (renewable), and I load it with just the money I need to make a purchase so I never worry about any unauthorized purchases on it. It is  a great way to beat online fraud exposure. 

Thanked: Kathy, for the tip.

Asked: whether all banks have these services and information for  anyone and everyone  or it is one of those *you must ask* .

Observed:  recently in the news CS Joe Mucheru, EGH opened a Data protection and compliance conference, https://www.youtube.com/watch?v=w59n41KX1QQ/.

Asked: whether anyone here in this mailing list had an opportunity to attend and if there were any insights that can help us with our questions for the day.

Thanked: Barrack for the questions, I do hope that those in the relevant institutions/positions will be able to assist or share further information, as we  continue with the discussions. 

Highlighted:  the main issue I have is that most services/websites/apps don’t give any options. You accept the Terms and Conditions or you don’t. It is good that nowadays, at least in Android that I know well, permissions can be easily denied or limited for apps in relation to accessing certain functions from the device. However this is not the same as using data itself. Hopefully in the future there will be more flexibility and options around what one accepts. With cookies, some websites give options (either a list of several things you can toggle on or off, or options of reject, minimum required, all) though other websites don’t give options at all.

Accentuated: I am not aware of any voluntary standards in Kenya that a website/app/service could self-certify against or be independently verified against that shows they meet such standards around use of data protection/privacy. An Act really only defines illegal and legal, but it is good to have different options within legal that can show strong, stronger, very strong protections, for example, that are something that is voluntary but could be recognized by users.

Underlined: we have tonnes of domesticated ISO 27,000 series Standards at the Kenya Bureau of Standards. Together with @John Walubengo and other listers we have been involved in local standards development. The Challenge we have always faced is that Standards focusing on ICT are voluntary. Only those touching on Health and Safety are mandatory. With creation of the Office of the Data Protection Commissioner, things might change.

Asked: since organizations have Standards like the ISO 27000 series, where can individuals get credible standards for self-assessment?

Responded: I think this would be critical tool kit that can supplement the Data protection laws. KICTANet has actually developed a Curriculum on Digital Security and Privacy that attempts to create awareness and empower Internet end users with skills that enable them to conduct self-assessment.

Asked:  Barrack, are those standards addressing the issue I raise around data protection and privacy, i.e. if you meet the standard then you do not share data to third parties, or that any data you share is anonymized, or to some other definition? I am not an ISO expert, but I thought they focus more on following processes than actual results, and may not be specific enough to convince me they are not sharing my data….

Observed: maybe I am just not well enough informed, in which case whoever promotes such ISO standards that can assure me of such are not promoting it very well, or have few apps/websites/services adopting such standards, or both….Being voluntary is a good thing. But there needs to be awareness of the benefits of those standards; and maybe some market pressure to adopt the standards

Emphasized:  the standards are pretty high level but they elicit a sense of responsibility from anyone who acquires them towards ensuring their information assets are properly managed and well protected. Digitalization revolves around processes, the standards actually address such processes. Not sure if there is a simpler solution among other bodies such as ISACA. Probably ISACA members on the list can shed some light. @Mwendwa Kivuva

Thanked: Listers for the continued discussions, once again I would request those within these institutions that can shed some more light or share information, to kindly do so.

Noted: one of the key things that I can pick from this discussion is that there is lack of awareness, i.e because within your network you are aware of e.g the standards, tools etc we assume that everyone knows.

Asked: How do we create this awareness?  Who should create this awareness?  To whom?

Anticipated: to hearing from you, we still have another day to share, even as we continue to engage with our day 2 discussion.

Day 2: ICTs and the Upcoming Elections

Asked: Our elections are a few weeks to come, are we confident in the preparations by IEBC and other agencies involved in electoral management? If not, how best can these agencies be supported to prepare for the election? What role has social media played during this election? 

Asked: one, the IEBC normally responds by sticking to the law and the regulations as passed by Bunge. Does that mean parliament normally pass things that they do not understand? Two, is there a need to re-look at the same laws and perhaps look at what can be amended before the election year? This is where we normally get it wrong every electoral cycle, we make elections an event and not a process.

Noted: this is an important issue and I would like to thank you Wanjiru for leading this discussion. A research by Mozilla Fellow Odanga Madung revealed that there is disinformation being spread on TikTok and it violates the platform’s policies. This disinformation is similar in tone and quality to the Cambridge Analytica and Harris Media content that spread on Kenyan Facebook in 2017. In 2017 we did not have Tiktok but now we can see new platforms being used by politicians to push their agenda.

Link: https://foundation.mozilla.org/en/campaigns/kenya-tiktok/

Emphasized: the campaigns are still ongoing and the social media discourse is becoming more political by the day. We can only hope for sanity, maturity and patriotism by those online.

Agreed: with Francis, that recently SABC News interviewed digital strategies from two political parties in Kenya to understand how they are using social media during this campaign season. The interview highlighted that Political parties consider social media is very important to win elections as it provides avenues to speak to voters directly. Interesting was the role associated with Video content on all platforms but also TikTok, because of how the platform is designed.

Link:  https://www.youtube.com/watch?v=jIbiqyBdV4E  

Asked:  what steps have platforms taken to minimize misuse of their platforms to spread misinformation, disinformation, hate speech or Online Gender based violence related content? What more can be done to deal with this? 

Highlighted:  links/videos on the report have been removed.

Concerned: Is the research an ongoing exercise? Are the videos being collated and stored in a data pool/storage? I'm not sure about the platform's policies on the data. Is it a situation like Facebook where you cannot scrape or even screenshot posts legally? I'm not acquainted with the platform but how easy is it to get/copy these videos and their respective metadata from the platform?

Observed: it would be an interesting resource afterwards or even act as a source of evidence.

Day 3:  Connecting all people and promoting cyber hygiene and emerging issues including youth, online work, inclusion and regulation.

Observed:  for the youthful population, what is their degree of awareness on existing regulations, as they engage online are they aware of how to enhance their privacy? On inclusion, is there existing data on persons with disabilities and their general consumption of the internet? 

Noted: especially for children, the Ministry of Public Service, Gender, Senior Citizens Affairs and Special Programmes developed a national plan of action to tackle online child sexual exploitation and abuse. The plan is grounded in the ‘We Protect Model National Response’ and has five key areas — law, policy leadership and coordination, prevention, capacity strengthening, response and support services, and monitoring and evaluating progress. 

Emphasized: 12 million children in Kenya have access to adult content. How can we mitigate this? Currently, though not rolled out in Africa, in future one will need an ID to register on Instagram. How effective has Youtube for Kids, Facebook for Kids been like in our own households?

Link: https://nation.africa/kenya/news/study-reveals-scary-pitfalls-in-online-learning-3844030

Highlighted: a lot of work yet to be done on international transfer of data from Kenya which in turn infringes on our data privacy under protection laws. Over-reliance on foreign clouds and weak oversight mechanisms create a watershed for that. Further, the expensive litigation fees suing big tech gurus like Facebook and Twitter scares victims of data breaches through international transfer of data to foreign servers.

Underscored: for people to connect in a matter that benefits all, the digital divide must be done away with. At the moment we have two groups, one that is very high level of digital literacy and one with very low level of digital literacy.

Underlined: the question that government should address is, should we invest on the low divide which has low or no digital literacy or should we invest on the higher digital knowledge divide to ensure they advance even further? Where should the government put its money? Where will there be a greater return?

Underscored: on regulation, the legal framework is always behind the technological advancements. Technology is an area that advances and changes very fast but the law is very rigid and not ready to change that fast. How can this be addressed? Should there be digital law reforms and introduction of new study areas in the area of digital law?

End