The ongoing Facebook-Cambridge Analytica saga involves a cast that is mainly American and British. But it is still a highly personal story for internet users and governments across Africa, but particularly in Nigeria and Kenya.
In Nigeria’s 2007 and 2015 elections, Cambridge Analytica worked alongside the then ruling party, People’s Democratic Party (PDP). Now, Nigeria’s current government—which was the opposition in 2015—is investigating whether that collaboration was illegal. “Among those whose personal data was hacked into in 2015 was the then opposition candidate, Muhammadu Buhari,” Vanguard reported earlier this month. This investigation has in turn kicked off a political tempest: After the announcement, PDP called the investigation “desperate.”
In Kenya, the political landscape is roiled after news that Cambridge Analytica was a key player in the country’s 2013 and 2017 elections. President Uhuru Kenyatta’s 2017 opponent, Raila Odinga, is now mulling lawsuits against both Facebook and Cambridge Analytica.
At a minimum, this ongoing data scandal has fueled fierce political battles in West and East Africa. At worst, it has influenced millions of voters—and more than one election—across the continent.
It’s time for African policymakers to draft common-sense data protection laws. Facebook has become an intractable part of the pan-African internet and, as a result, society. As Quartz presciently reported in 2015, for millions of users, Facebook is the internet. Further, use of Facebook’s Free Basics platform has spread across the African continent.
It is clear that in Kenya and Nigeria — and anywhere in the world, really — #DeleteFacebook simply isn’t a practical solution. “If you want to delete Facebook, go ahead. Just know that’s a privilege,” New York Times reporter Sheera Frenkel recently tweeted. “For much of the world, Facebook is the internet and only way to connect to family/friend/business. That’s why it’s important to have a real discussion re Facebook’s security/privacy issues.”
Disconnecting isn’t realistic. And so we need to talk about systemic solutions, like better laws and web literacy.
The internet is a fast-growing ecosystem, and in all parts of the world, laws are struggling to keep up. In Europe, the upcoming General Data Protection Regulation (GDPR) is a bright spot. But it’s the exception, not the rule.
In much of the global south, data protection laws do not exist. Consider this chilling sentence from the New York Times’ initial story on Cambridge Analytica: “The [Cambridge Analytica team] experimented abroad, including in the Caribbean and Africa, where privacy rules were lax or nonexistent and politicians… were happy to provide government-held data.”
In the words of Kenyan lawyer and internet rights activist Mugambi Laibuta: “Corporates have an effect on our lives almost the same way politics impacts on our lives.” This rings more true each day — like the aforementioned news that Cambridge Analytica played a role in the Kenyan elections.
Even more cause to act: In those same 2017 Kenyan elections, the Independent Electoral and Boundaries Commission was a notoriously poor custodiann of voters’ data. The initial voter verification system had no captcha, and just about anyone could access the entirety of the voter register. There was no framework in place to prevent this kind of behavior.
We can’t expect technology companies to introduce a panacea. Mark Zuckerberg himself noted that Facebook will need “years” to fix its flawed tools. And truly minimizing and safeguarding Africans’ personal data clashes with many technology companies’ core business model: targeted advertising.
Cambridge Analytica did what countless other third-party apps do. It gathered private data from Facebook for strategic messaging. For this reason, it’s time for African policymakers to draft common-sense data protection laws. In Kenya, the government has been discussing a data protection bill since 2013. Its aim is noble: “To regulate the collection, retrieval, processing, storage, use and disclosure of personal data.” The bill also defines “personal data” in clear terms: “Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin…” The list continues admirably.
And yet the bill has made no real progress. Perhaps this current scandal—and the European Union’s laudable GDPR — will impel Africa policymakers to dust off the bill.
Investing in web literacy
Let’s be candid: For the most part, Cambridge Analytica did not do anything that countless other third-party apps do. It gathered private information from Facebook and used it for strategic messaging—a pervasive practice. Consider the familiar screen you see when you log into Facebook via any third-party app: It informs you that you’re sharing your public profile information. That means your name, photo, age, gender, languages, geography, and other information are all up for grabs.
On today’s internet, data is the currency we use to access “free” products or services. “Most apps infringe on people’s privacy,” a Twitter user in Kenya recently pointed out. But not everyone understands this.
Consider TrueCaller, an app that identifies unknown callers and is hugely popular in most African countries and especially in Nigeria. Users love TrueCaller for its functionality. But it also accesses users’ entire phone books — including friends’ numbers and names — without those friends’ consent.
“Truecaller thrives in #Nigeria because of a low knowledge and appreciation of #Privacy and the potential power and danger of information in the wrong hands,” Femi Olarinoye, an Abuja-based web developer, recently tweeted. “Imagine what is possible to a crooked social engineer mixing the information from Truecaller with Facebook and Whatsapp.”
“Imagine what is possible to a crooked social engineer mixing the information from Truecaller with Facebook and Whatsapp.” We already see plenty of crooked behavior. I recently carried out identity theft research in Kenya, and explored how one individual had cloned himself six times, creating a half-dozen fraudulent national identity cards. Each card featured data stolen from registered voters of Kenya:
When I conducted a survey earlier this year in Kenya about data privacy, nearly a quarter of respondents said their personal information had been obtained and used against them without their consent. Many respondents also said they find products’ terms and conditions too complex or time consuming, and often feel helpless.
This all means it’s time to start having a serious, educational conversation about how today’s data fueled web really works — and whether our data should be protected by default.
Poor data practices are nothing new here in Africa. The Cambridge Analytica saga simply provided a spotlight. But perhaps there is a silver lining: With tens of millions of Africans using Facebook, this saga might spark better laws, and a better understanding of how the web really works. And in the meantime: Please read the terms and conditions, no matter how difficult that may be.
Sign up for the Quartz Africa Weekly Brief — the most important and interesting news from across the continent, in your inbox.