By Shadrack Muyesu
On January 22, 2019, the President assented to a miscellaneous law which inter alia sought to amend the Registration of Persons Act, CAP 107 of 1947. The amendments were to allow the State powers to collect personal information for purposes of creating a National Integrated Identity Management System (NIIMS). In its words, NIIMS is a central master population register that will be the “authentic single source of truth on a person’s identity.” Everyone from the age of six, including those living broad, was to be registered.
In order to constitute the NIIMS database, the Government ordered Kenyans and foreign nationals to provide authorities with sensitive personal information purportedly to establish verify and authenticate their identities and subsequently receive a unique identity number dubbed the Huduma Number, through a 30 day nationwide mass biometric registration exercise which began on less than a month later, on February 15.
The database is to be linked with other official registries to form a single, government-mandated identity system linked to the delivery of an undefined sphere of government services, including access to identification documents, universal healthcare, cash transfers, affordable housing, fertilizer subsidies and education. The amendments also support the centralization of all identity credentials – national identity cards, work permits, passports as well as birth and death certificates.
Proponents argue that centralisation is what Kenyans haven been looking for. Not only is it an idea whose time has come but “it’s also a key complement of digitalization which the Jubilee Government promised Kenyans.” They point to other places where similar systems have been implemented as proof that, done properly, centralisation saves time and resources and averts disaster.
But even they are sceptical of government’s capacity to handle such data in good faith. In a country where elections are big things, where the electoral body is yet to answer questions as to how, as all evidence points, electronic data was tampered with in the last election, significant sections are convinced that what is currently underway is a scheme to rig elections in someone’s favour. Others still point to the unreliability of technology.
“Systems fail all the time. Does government have the capacity to prevent such malfunction or loss of the information to hackers? Cyber terrorism is the new frontier for war and if developed countries such as the Unites States can be affected and their sovereignty interfered with, imagine what can be achieved in a country as clumsy and dishonest as ours!” points out Clinton Obura, an IT expert based at Google in Dublin.
Others still argue that the new directive is an affront to Wanjiku’s right to privacy. Commentators such as Dr David Ndii and Dr Miguna Miguna point to the ill-intentioned hand of corporates and thieves of government as being the masters behind the puppet show.
With the amendments, among the information sought by the register of persons are a person’s biometrics, their precise location and their DNA. Biometrics and DNA are also used during voting, in banks for the verification of the identity of cardholders, and at crime scenes. Placed in the wrong hands, not only is Wanjiku’s right to privacy at risk but also her security and freedom may very well be compromised. As it is, the relevant portions of the amendment Act are silent as to whether the citizen will be able to access the information gathered or whether they can ask for incorrect data to be deleted or rectified.
From Facebook to your local bank, companies are monitoring every aspect of your existence, to understand and manipulate your desires. In so far as it can, government will follow suit. Far from what is occasionally reported on the news, corporates share this information with government every day and largely to the detriment of the small man. Corporates also fund campaigns and determine government (MasterCard has even been cited as one of the funders and beneficiaries of the NIIMS projects). They don’t do it on account of benevolence but rather with the expectation of favourable policies and a profit motive. Some, such as Safaricom, have grown so big to the point of holding a God-like veto over its existence through direct funding and the amount of sensitive data and money it carries on its platforms.
Rolling out a programme of such magnitude through a miscellaneous amendment leaves a lot to be desired. The process, does not benefit from the constitutional demand of public participation…
With the Huduma number, lenders, online retailers and entities such as MasterCard will be able to monitor the creditworthiness of potential clientele. The information available can be used to manipulate markets by luring clients into debt, fully aware of their inability to pay, with real wealth as collateral thereby driving the cost of capital upwards and disenfranchising Kenyans. Lenders give virtually worthless paper and take back assets such land. At the end of the day, clients are left poor while the lenders recover their losses through government (taxpayer) bail outs or selling of capital at double the cost. The alliance has ushered in a new era of corporate government where companies literally determine life and death as the actual lawmakers.
A number of entities, including the Kenya Human Rights Commission, the Kenya National Commission on Human Rights and the Nubian Rights Forum have gone to court challenging the exercise. Among the issues they raise is the absence of proper public participation in the enactment of the enabling law; the absence of proper guidelines on the information that will be sought and how the exercise will be managed; the absence of laws and policies governing data protection; as already mentioned, threats to among others, the right to privacy, personal and national security and mystery and illegality surrounding the award of the tender to controversial French firm OT-Morpho – the same one that handles IEBC systems.
In suit papers seen by the Nairobi Law Monthly, the Petitioners argue that while Section 8 of the Registration of Persons Act grants registration officers broad authority to demand additional evidence until they are satisfied that an individual is eligible to be registered as a Kenyan national and receive a national identity card, the provision does not offer guidance on what objective criteria to use to justify these demands. No regulations have been promulgated until now, to guide the process. In simple terms, the process is being rolled out in the absence of clear policy guidelines, legally enforceable regulations and law to regulate the implementation of NIIMS.
“They are collecting biometrics of Kenyans and we do not have a data protection law. What we have is a Bill, the Data Protection Bill. In its 2016 country diagnostic report on Kenya, the World Bank’s Identity for Development (ID4D) initiative advised that Kenya’s national legal framework or registration and identification should be strengthened “around data protection and privacy”, and provided detailed comments on the pending legislation. Overall, those comments reveal that as it was, the Bill was “confusing, mixes concepts, lacks clear objectives and key definitions and otherwise leaves many loopholes.” In 2018, the ICT Committee of the Senate presented the Data Protection Bill, 2018; a second bill was introduced by the ICT Ministry Task Force. Neither bill has been presented in Parliament.
It is shocking that the media hasn’t said anything about this!” an expert from ICTNET-Kenya and familiar with the process told the Nairobi Law Monthly.
On the behalf of ICTNET, the Kenya Human Rights Commission contends that the impugned amendments do not provide for transitional mechanisms from the current registration. There currently exists a parallel Integrated Population Registration System (IPRS) under the Kenya citizens and Foreign National Management Services Act No 12 of 2012 that essentially duplicates the functions of the national NIIMS. The duplicity is not just costly for the taxpayer; it also exposes him to unnecessary inconvenience in providing the same information to multiple organs.
The Nubian Rights Forum and the Kenya Human Rights Commission further contend that the process is discriminatory to northern communities, many of who, though Kenyans by birth, have consistently suffered from Kenya’s discriminatory and registration and identity documentation practices. They cite a 2015 study by the Open Society Foundation which revealed that in Kenya, a national identity card issued at the age of 18, rather than a birth certificate, is the necessary document to access many services and exercise rights
How do we identify ourselves when we have never been identified? That is the question these communities grapple with. Many fear victimisation. They see this as an excuse to fish them out as refugees, sympathizers of extremist groups and illegal immigrants and send them back to their home countries. Tracing the history of Government’s reaction to terror attacks, theirs is a fear well-founded.
Laying the ground for trouble
The petitioners conclude with a detailed comparison of the effect of the amendments with other jurisdictions. The NIIMS programme is in connection with international trends. The process by which the system has been established and information revealed to date concerning the its design, implementation and administration strongly suggests that lessons from international experiences with digital identification systems – critical information for understanding the risks associated with the endeavour – have not been sufficiently reviewed.
The most developed and well- known such system is India’s Aadhar. According to the State of Aadhar Report 2017-18, the Aadhar system was introduced in India to provide identification to citizens and residents whose processes were relatively similar to the ones under the Statute Law Miscellaneous Act 2018.
The report states that the Aadhar system has more self-reported errors than the benefits it has brought. The report found that in just three Indian states, nearly two million people were excluded from access to food subsidies as a result of Aadhar-related factors. It’s plausible that sections of Kenyans could be equally excluded. In a country fraught with corruption, people controlling the data system or unauthorised people with ill motive who gain access can use one’s data to take their benefits. Due to errors with no procedure of rectifying, one could be left out for lack of matching data.
India has also struggled with ensuring data security. A report by Centre for Internet and Society (CIS) recently revealed that the Indian Government inadvertently published the biographic and demographic data linked with Aadhar numbers on 135 million Indians on the open internet. What’s more? Indians have encountered more challenges with the process of updating than they did enrolling. There is a great risk of Kenyans facing similar problems since the enabling law, the Miscellaneous Amendment Act does not provide for the process of amending the data that has been collected.
Because of its limitations, Aadhar is the subject of numerous lawsuits in Indian Courts. In September 2018, the Supreme Court of India delivered a 1500 page judgment in which it restricted private sector linkage of services to Aadhar enrolment, greatly limited the mandatory use of the system for delivery of government services, permitted children to opt out of the system entirely until they were 18; mandated an effective redress mechanism where data is misused and further limited the kind of data the government could collect and for how long it can store authentication logs (reducing the period from five years to six months). This is where we are headed with NIIMS.
Sometime ago, Ghana sought to create a national ID system with the support of World Bank. The Ghana programme was administered by the National Identification Authority (NIA) and – just like Kenya – aimed to implement a digital national ID. Again, just like Kenya, they contracted OT-Morpho (now IDEMIA) to carry out the process. When government failed to pay them, Morpho ceased work on the project and refused to release the sensitive registration data it had collected to government until payment was done.
That Kenya could fall into a similar trap also isn’t farfetched. The whole process of awarding the tender to Morpho reeks of corruption and overpricing. For starters, the company has been implicated regarding lack of proper service delivery in countries that include Kenya and Ghana. Secondly, no one seems to know when and how the company won the tender. There seems to be no public record of the tender being floated, the companies that applied, the selection criteria and process and the decision. There also isn’t any public record of due diligence conducted to ensure that the privacy of the information collected was guaranteed.
Rolling out a programme of such magnitude through a miscellaneous amendment also leaves a lot to be desired. Such a procedure, and indeed as the petitioners argue, does not benefit from the constitutional demand of public participation and as such, is wrong ab initio. (