in

Why plan to tap phones raises eyebrows

Suspicious implementation approach, the introduction of a third party and the timing that comes months before a General Election have heightened concerns over the Communication Authority’s device management system allegedly meant to fight counterfeit phones only.

The system is set to be plugged on the core network systems of all the mobile service providers in the country from Tuesday.

In 2012, the authority switched off 1.5 million counterfeit phones without using the system.

Communication Authority Director General Francis Wangusi who denied the possibility of the system being used to spy on subscribers’ privacy did not also give full disclosure on how exactly the system works, further raising eyebrows on what exactly is set to happen.

“Who will have the time to go and listen and mine the SMS information and for what purpose? CA itself have a paltry staff of 247 people dealing with various aspects of ICT, where are we going to get those millions or thousands of staff to do that?” Mr Wangusi posed during Friday press conference.

He also faulted the mobile telephone firms for being malicious by raising concerns now about the system despite having been fully engaged since last year.

Sunday Nation has since obtained a correspondence between the regulator and one of the Telcos which dispute the notion that there was no previous opposition to the system. 

The letter written a few weeks after the authority made clears its intention to install the system protested citing concerns of privacy breach for consumers especially with the involvement of a third party contractor.

The Telco also cited need for further investments in equipment to host the system as well as avoid a possible strain on her systems when the device is installed.

The authority had earlier written to the chief executives of the three telcos informing them of the plan to install the system to “combat the proliferation of illegal communication end-user terminals including Sim Boxes”.

ILLEGAL END USER TERMINALS

In the letter, the regulator specified what the system would access in the operator’s system through the contracted third party firm complete with a block diagram and an integration requirements, some of which leave more questions than answers.

The letter says the system will enable the identification of illegal end-user terminals.

The aim is to ensure services are provided only to genuine end user terminals, which will be listed on the system white list.

Further, the system will require direct connection to your HLR and EIR and this link will be set up and maintained by the Authority.

The Authority will also require rack space to install the system’s node at your premises and clean power supply,” the authority wrote in the October 2016 letter that also directly linked the system to enhancing the security within the country as it relates to the use of communication services.

Technical experts say while there would be no concern over the access to, the International Mobile Subscriber Identity which is a unique number identifying a mobile phone subscriber, other access like to the Home Location Register raise concerns. 

The register stores relevant location and other information for each mobile phone leaving the question why a fake phone whose identity in the register will be promptly denied access to the network should be located.

The block diagram provided also show that the third party service provider (Brodband Communications Networks Limited) will be hooked to the call records database, mobile operator locations while the authority will have a direct link on the SMS data base. The two have a mutual link through a virtual private network. 

The link then allows the third party full access to virtually all the other data of the mobile user over and above the handset identity which is meant to tell fake phones from genuine ones.

The telcos believe that the same mission can be achieved through a direct link to the regulator without the third party so that when there is need to query a particular subscriber data then the licensees (telcos) have a role to play so as to stay responsible with their customer confidentiality.

This way any breach on customer confidentiality will be traceable rather than leaving subscribers in a triangle where three entities have access to their data set.

There are also fears that the authority may not have robust system security having suffered breaches by hackers last month. The regulator on Friday floated a tender for a re-design, development and maintenance of its website.

The fact that the system that affects close to 40 million Kenyans had left out public participation and may have been kept a secret were it not for the Friday media revelations about it also raises eyebrows.

The authority said it had done extensive consultation with industry and other stakeholders including the Consumer Federation Of Kenya. But the federation has since denied any such consultations and termed the system as unconstitutional. 

Mr Wangusi also said the authority had planned to carry out awareness campaigns at the “last stage”, meaning after the system is fully installed and operational and when Kenyans would have little say about it.

Why ghosts of post-election violence could return

Cohesion team questions Dr Oluga on social media posts