The Installation of a Mobile Phone Spying Device by The Regulator

The Supreme Court has approved the installation of a device on mobile phone networks to detect counterfeits, despite concerns that it will give the watchdog access to other customer data, such as calls, messages, and financial transactions.

The Supreme Court has dismissed a second appeal seeking to prevent the Communications Authority of Kenya (CA) from implementing the Device Management System (DMS), which telcos believe will allow the State to spy on subscribers.

The regulator denies that the DMS can access subscribers’ phone records, location, and mobile money transaction details, claiming that the technology can only detect and record the unique identification number of mobile phones and assigned subscriber numbers.

However, Safaricom expressed worries that the regulator will have access to other customer information stored by the telecoms operators as a result of the monitoring devices.

The Law Society of Kenya (LSK), which filed the second appeal, was unable to persuade the Supreme Court to halt the installation of the DMS because of concerns that it would usher in a time when people’s private communications and mobile data would be recorded and intercepted by the government.

“In view of the above, we determine that this court does not have jurisdiction to hear and determine the instant petition of appeal,” a bench of five judges of the Supreme Court said.

The Court of Appeal had granted the CA permission to continue developing the DMS in 2020, but it had also stated that the installation rules or guidelines should be open to public input.

The LSK sought to have the decision overturned, and the plans put on hold until the concerns about phone snooping raised in the petition were addressed. The LSK was not a party to the case before the High Court or the Court of Appeal.

Additionally, the court denied an appeal submitted by Busia Senator Okiya Omtatah, stating that it “lacked legs to stand on.”

Justices Mohamed Ibrahim, Smokin Wanjala, Njoki Ndung’u, Isaac Lenaola, and Deputy Chief Justice Philomena Mwilu stated they could not provide relief to a party who had not brought those claims before the High Court and Court.

The lawyers criticized the Court of Appeal judges for allegedly failing to address the issue of the constitutionality of the DMS and the danger it poses to millions of mobile phone subscribers’ right to privacy.

Almost every mobile subscriber in Kenya has a right to privacy, according to the LSK, and this case involves that right.

The CA defended the installation of the device, asserting that it was intended to combat fakes by establishing an Equipment Identification Register (EIR), which will identify all devices, isolate the illegal ones, and refuse services to fake ones.

The battle against fake devices has moved on to the next front in SIM boxing, which the CA described as a challenge in addition to the cloning of real IMEIs.

The CA claimed that it had no desire to snoop on customer information and that the monitoring tools would be used to stop illegal mobile devices from being sold on the market without violating the privacy of customers.

The rollout was stopped in 2018, but the Court of Appeal reversed the decision in 2020 on the grounds that the judge had narrowly interpreted the term “access” to mean interfering with communications’ privacy.

The CA had written to Safaricom, Airtel, and Orange (Telkom) in January 2017 to request that a contractor it had hired be permitted.

The organization in charge of regulating the local telecoms market had defended the action by arguing that it would help weed out fake phones from the marketplace.

Safaricom, which was added to the case as an interested party, disclosed that it had raised concerns with the regulator regarding the security measures and privacy of the data that the device would collect, but none of its concerns had been addressed.

The Anti-Counterfeit Authority has been given legal authority by the law to combat the use of counterfeit goods in the Kenyan market, according to the High Court’s ruling.

Additionally, it ruled that the CA’s action was unconstitutional because there was no guarantee that it wouldn’t be abused by outside parties to gain access to personal data.