So, there I am, like a good boy, reading my morning paper. I come across this story in the Business Daily. And upon reading it come across this, that triggered the following reaction
The section in particular was this one
Yes, friends. The Kenya Revenue Authority is / wants to data mine your transactional information.
Personally, this offended my sensibilities. And it should offend yours too.
Of course the question arises, what’s the big deal?
Well to understand, perhaps a shotgun data mining primer.
Data mining, to cut a long story short, is a fascinating discipline that I have spent a few years studying and designing solutions around. It is basically using transactional data to detect patterns and trends.
The technical details of how this is done are fascinating but I need not go into detail. But it is used by serious companies to derive insights from data. Have you ever wondered why your mobile phone tariff is what it is? Or why there are promotions with strange twists like free calls that on paper make no sense?
Data mining.
If you find, for example, a promotion where they tell you that free calls begin from minute 3, that is because call logs were mined and it was found that most telephone calls are shorter than 3 minutes. Ergo those that make 3 minute calls will pay for those what make longer than 3 minute calls.
Examples abound.
Let me be blunt – given enough of your data, I OWN YOU.
Back to the point.
KRA wants to mine our transactional records.
An mobile money transaction contains the following
- Date
- Time
- Sender
- Recepient
- Amount
- MPesa outlet
If you give me a large dataset with ONLY this information over say 4 months I can tell you the following with a pretty large confidence level. Which is not to say it is 100% gospel truth, but can be pretty accurate.
- Where you live
- Where you work
- When you are paid
- How old you are
- Your gender
- An idea of how well of you are financially
- Whether you are married or not
- Whether you have children or not
- Etc
And no, this is not magic. It is a simple co-relation of data.
For instance, the MPesa outlets you go to are usually the ones nearby.
For instance we notice that John goes to the same 3 or so MPesa outlets between 8 AM and 5 PM, and then a 3 different ones between 5PM and 10 PM.
BTW am using MPesa because the numbers of Orange Money, Airtel Money, Yu Cash etc. are of nuisance value. But the principals still apply.
We know where these outlets are.
We can therefore infer that the outlets John visits during the day are those near where he works and those in the evening are those near his home. Given enough outlets we can triangulate with great probability where exactly he lives.
If we notice a sudden spike of transactions (payments) around 3rd we can infer he has received inflows of cash fairly recently. If the same patterns repeats every month we can infer that the income is regular.
Analyzing the recipients can tell us a lot about John.
If his payments are mostly to bars, utility bills and ticketing to event websites we can postulate John is probably a young bachelor.
If his payments include school fees, salons, supermarkets – we can infer John probably is either married or has a significant other, and probably either has a child or is supporting one.
I can go on about how you can infer a lot from this data (believe me this is just scratching the surface) but you get the drift.
It offends me that KRA want do this all the time. Not because I have anything to hide, but I resent that government feels like it has the right to scrutinize me in this fashion as if I am already guilty of something.
So I of course asked our friends at @SafaricomLtd
Ay @SafaricomLtd how exactly is KRA going to mine out MPesa transactions? Will you simply give them that data?
— Cnut The Great (@roomthinker) July 18, 2013
And asked them again
So — @SafaricomLtd – that query … how will KRA mine our Mpesa transactions? You simply handing over our data? We’re many interested parties
— Cnut The Great (@roomthinker) July 18, 2013
Their original response was they didn’t have any information about it, and I forgot to take a screenshot as that tweet has since vanished.
Next was this
@SafaricomLtd because that article says “… our officers ARE TRACKING …” which implies it is already in progress. Who can I ask about this?
— Cnut The Great (@roomthinker) July 18, 2013
And then I asked
@SafaricomLtd kindly speak to someone from legal. You can email me their response. It won’t fit in 140 characters
— Cnut The Great (@roomthinker) July 18, 2013
Last I’ve heard from them. And by the way that response is bana oil. Transaction infromation without send and recepient is ABSOLUTELY useless to the KRA
So there are two queries
- Is it legal for Safaricom to hand over our data for mining?
- Is it within their terms of service to allow this?
Let us begin with the second.
Since most of you I feel sure never read a word of the terms of agreement, here it is in its entirety [PDF]. In case it is accidentally lost in a site update, I have saved a local copy.
The relevant sections are two.
One is under Privacy, Section 4
The other is under Disclosure & Data Retention, Section 16
Now, I am no lawyer but handing our data to KRA to data mine does not strike me as being within “genuine inquiry or investigation”.
In fact, the only way genuine inquiry can be stretched to allow what KRA wants would be if KRA says “we suspect EVERYONE of tax evasion so hand over everyone’s data”.
Is Safaricom handing over our data in breach of their own agreement?
Lawyer types, please assist.
It should bother you that KRA wants to just mine your information, never mind that you’re not actually guilty of anything.
The other issue is the larger issue of what Government can do / does with our data. Our data protection bill has been stuck in parliament for stages but it simply cannot be that government can willy nilly mine citizen data for its own ends in a civilized society.
This simply cannot be.