The data revolution: Why online spaces are slippery

Safeboda, a ride-sharing app that was discovered to have improperly disclosed personal data to third parties without the knowledge or consent of data subjects in 2021. PHOTO/FILE   

What you need to know:

  • Last Sunday, International Data Safety Day passed by in Uganda almost unnoticed. It shouldn’t. In this explainer, Deogratius Wamala shows how the data revolution is shaping up to be a darling for companies with shadows on privacy, and, above all, why end users should be deeply concerned. 

A revolution is unfolding, and it may be impossible to avoid. New data shows that a number of companies are gathering your data without providing you with explicit notice, and some of them are even selling it to marketers.

Why should I care?
It goes without saying that most data is gathered with a purpose—to revolutionise everything from retail to medical procedures, state policy-making, traffic monitoring, and much more. While technology creates new opportunities, the massive flow of personal data necessitates a strong barrier—data privacy—as stated by Mr Elison Twinomugisha, an expert in cyber security and Information Technology auditing, in a January 18 LinkedIn post.

According to him, the 2019 Personal Data Protection and Privacy Act (PDPA) established the necessary legal framework, but there is still much work to be done before there is full compliance. 

So it is possible that someone, somewhere, is after your data. Advertisers, for one, want information about your interests so they can sell you things; law enforcement officials want your texts and location data when you are suspected of a crime; hackers want it for money; and fraudsters want to impersonate you for malicious purposes. 

“We are increasingly receiving complaints from individuals having concerns about how their personal data is handled, the most common complaints we have so far received are related to – interested marketing messages from digital money lending, gaming and betting companies,” Mr Baker Birikujja, the Personal Data Protection and Privacy (PDPO)’s manager of compliance and investigations told Saturday Monitor. 

How does data mining play out on the Internet?
There are tiny software robots called cookies that are installed on your computer or smartphone by every webpage you read or news site you visit, mostly at your own convenience. Their purpose is to learn about your interests and display advertisements to you. 

Now, this type of tracking is becoming more prevalent in the offline world from credit card swipes, free Wi-Fi, street cameras, reception books, and financial situations where personal data is used as collateral to get digital loans. 

Uganda is home to an estimated 45.5 million people, of whom 76 percent are under 30 and 53 percent are under the age of 18. The country is distinguished by a rapidly expanding digital economy and rising internet usage. 

In today’s data-driven economy, you are the product. According to data scientists, this data is collected to profile you as a consumer, and when it is distributed to multiple third parties, it is difficult to track where it ends up. 

“The problem that comes with that is when it goes into the wrong hands,” Mr Birikujja said. 

How bad is the problem of ‘predatory’ loan adverts?
It is very bad indeed, not least because we are in the midst of a cost of living crisis. The vast bulk of adverts offering quick loans on online platforms appear to deliberately target those in financial distress. As a virtual interface between you and the digital app in question, what happens if you do not follow the terms of the loan agreement? Most likely a violation of data privacy. 

Some have recently observed that the spread of loan apps in Uganda has taken a negative turn, moving from being a practical financial aid to a real risk to people’s personal safety. 

Digital enthusiast James Musinguzi stated that some applications have come to be associated with unprofessionalism, harassment, and invasion of privacy. 

He added: “The situation has escalated to the point where borrowers, already struggling with financial challenges, find themselves at the mercy of ruthless lenders. These loan sharks go beyond the bounds of decency, resorting to threats and exposure tactics at the slightest delay in payment.”

Numerous victims have experienced fear and desperation as a result of this invasion of privacy, which has also prompted government action. 

The PDPO stated that it was aware of the complaints and was looking into several that the public had made, and it would notify the country of the investigation’s findings when they became available. 

What are the consequences of these ‘predatory’ actions?
In a recent privacy report, The Unwanted Witness (UW)—a free Internet and data safety lobby—cites that some of the data collected from you can leak if mishandled, causing devastating consequences. Cases cited include Safeboda, a ride-sharing app that was discovered to have improperly disclosed personal data to third parties without the knowledge or consent of data subjects in 2021, as well as the 2023 data security breach at the Uganda Securities Exchange (USE) after an incorrectly configured firewall exposed personal data for 12 days. 

“This information was accessed by persons who were ordinarily not authorised to access personal data. They accessed information that included National Identification Numbers (NINs), names, dates of birth, email addresses, and telephone numbers of individuals who present information from which an individual can be identified,” PDPO noted in a seven-page investigation document on USE. 

The matter was handed to the police. 

Recently, many of the companies that gather your data have developed a variety of data privacy indicators, but they have neglected to address mechanisms related to data collection, accountability, breaches, and transfers to third parties, UW said, noting specific entities. 

In its 2023 Privacy Scorecard report, published last month, UW observes that “MTN’s policy does not clarify whether data can be shared with advertisers and does not list all third-party entities,” adding that this occurs despite the telco having observable privacy policies in place. 

Does this mean that a number of entities Ugandans interface with online treat the issue of informed consent lightly?

It certainly appears so. According to the personal data rights protector, Lycamobile typically discloses the personal data that is collected, explains why the data is being collected, and mentions data storage as mandated by law. 

In addition to giving data subjects access to contact information, it also gives them the ability to access, correct, restrict, or object to data processing—although these rights are only applicable to specific kinds of processing.

“Unfortunately, data subjects can only access their personal information at a cost of Shs43,000 (about $12), which raises profound concerns about the intersection of data privacy, individual rights, and corporate practices,” UW reveals about Lycamobile. 

UW has previously challenged this practice, as privacy should not come at a price, noting that Lycamobile has not released a transparency report since 2022. 

“UW has previously challenged this practice, as privacy should not come at a price. It also doesn’t allow permanent deletion of personal data and does not provide for data breach notifications,” UW stated in the report. 

On the contrary, MTN Uganda has released one transparency report during the same time-frame. 

The report noted that MTN’s policy outlines the objectives and generally includes a list of the data collected; however, it is silent on the length of time the data is stored or on specific contact information. 

“It grants data subjects unconditional rights to access and correct data but does not mention the right to restrict or object to data processing or consent withdrawal. Like Lycamobile, MTN does not provide a straightforward process for permanent data deletion, and its policy does not provide for data breach notifications,” UW noted in a report. 

So what’s one to do? 
Mr Baker Birikujja, the Personal Data Protection and Privacy (PDPO)’s manager of compliance and investigations, said in a separate interview: “If someone gets your personal data without your consent, they can do identity theft and pretend to be you so that they can access your money and log into your account. If it is exposed as a breach and that person gets that information, they can actually steal your valuations.” 

Data from the UW indicates that the online retailer Jiji Uganda’s policy allows for the sharing of personal information with advertisers and offers a detailed list of third-party companies. 

Regarding informed consent, Jiji’s privacy policy typically enumerates the personal information that is gathered, offers comprehensible justifications for the information’s collection, and bestows rights to access, rectify, restrict, or object to data processing, revoke consent, and permanently delete personal information through an automated process. 

On the contrary, Jumia Uganda does not provide a detailed list of third-party organisations and does not indicate in its policy whether it allows data sharing with advertisers. 

Although these rights are subject to certain restrictions, Jumia’s policy generally enumerates the personal data collected, specifies its purposes, and mentions the right to access and correct personal data. 

It does give users the ability to limit or object to data processing and to revoke consent; however, there is no explicit procedure for permanently deleting data.


Sub-Editor: Richards Adde