KHRC and MUHURI are concerned that Safaricom PLC is alleged to have, for years, given security agents virtually unfettered access to its customers’ data, assisting in the tracking and capture of suspects, despite Kenyan security forces’ reputation for using unlawful tactics, including enforced disappearances, renditions, and extrajudicial killings of suspects.
An investigation conducted by Namir Shabibi, Claire Lauterbach, and Kenya’s Daily Nation newspaper, published on October 29, 2024, revealed criminal and unconstitutional practices Safaricom PLC is alleged to have engaged in for several years.
Although Safaricom PLC attempted to address these malfeasances in a public statement released on October 31, 2024, we recognize that this statement:
- Conveniently failed to respond to key findings presented in the investigation.
As a result of the telco’s selective response to grave human rights violations captured in the investigation, KHRC and MUHURI urge Safaricom PLC to adequately and comprehensively address the following disturbing allegations:
- That, when presented with a court order authorizing the release of call data records (CDRs) that could implicate Kenyan security forces in crimes of murder or enforced disappearance, Safaricom PLC routinely passes responsibility for extraction and handling of that data to police attached to its Law Enforcement Liaison Office. This poses a serious conflict of interest by offering officers of the accused security forces an opportunity to handle the data and conceal evidence of state crime, as well as the fate of the victim.
- That Safaricom PLC released CDRs it certified as authentic, despite bearing signs of manipulation and falsification. Safaricom PLC released these records in response to court orders arising from legal cases involving suspected state-enforced disappearances.
- That Safaricom PLC failed to hand over data potentially vital to the investigation of state crime in Kenya, by habitually declining to provide full CDRs despite court orders to do so. In doing so, Safaricom PLC may have frustrated the course of justice.
- That Safaricom PLC allowed security agencies routine access to consumer data (including but not limited to CDRs and other location data) without a court order, assisting in the tracking and capture of suspects. This is despite Kenyan security forces’ reputation for using unlawful tactics, including enforced disappearances, renditions, and extrajudicial killings of suspects.
- That Safaricom PLC retained ‘old’ consumer data it claimed had been deleted, including data that could potentially aid the investigation of state crime. In doing so, Safaricom PLC may have frustrated the course of justice.
- That Safaricom PLC, in concert with Neural Technologies Limited, developed software granting security agencies in Kenya virtually unfettered access to private consumer data, which assisted in the tracking and capture of suspects in operations, despite Kenyan security forces’ reputation for conducting enforced disappearances, renditions, and extrajudicial killings of suspects.
- That, in concert with Neural Technologies Limited, police attached to Safaricom PLC used such software to predictively and preemptively profile Kenyan citizens, which would constitute invasive breaches of customers’ private data rights.
The alleged weighty and disturbing issues highlighted above make Safaricom PLC potentially liable for violating Chapter 4, Part 2, Sections 26, 27, 28, 29, 31, 37, 46, 47, 48, 49, 50, and 51 of the Constitution of Kenya, and Part 4, Sections 25, 26, 27, 28, and 29 of the Data Protection Act, 2019.
KHRC and MUHURI urge you to address the substance of the allegations with haste and clarify what steps Safaricom PLC will take to ensure that its data is not used unlawfully, whether by Safaricom staff, Kenyan security forces, or any other third party.
KHRC and MUHURI await Safaricom PLC's response within seven days of this correspondence.