Use of Skin SIM Technology and Data Privacy in Kenya

Following our previous update on the Thin Sim debate in Kenya, the High Court made its ruling in the case of Legal Advice Centre aka Kituo Cha Sheria v Communication Authority of Kenya. In this case, Kituo Sheria had sought the leave of the court to file a judicial review application to challenge the decision by Communications Authority of Kenya (CA) to authorize the use of the thin SIM technology by Finserve in the mobile money telephony communication sector in Kenya.
Kituo claimed that prior to the permission to Finserve to roll out the use of the thin SIM technology, a number of concerns had been raised by technical service providers in the mobile telephone sector among them being that the thin SIM has the capability to intercept communication between the user’s phone and the primary SIM card on the phone.

Kituo also alleged that another concern raised was that the thin SIM works by intercepting and modifying the information passing through it as it passes from the phone to the primary SIM and vice versa. Kituo further averred that since the thin SIM sits between the primary SIM and the phone, all SIM toolkit traffic passes through it and these include the mobile money PINs and as such this exposes all mobile money transfer systems such as MPESA, YU cash, Orange Money and Airtel Money.

Kituo was also concerned that USSD codes which are short codes starting with “*” and ending with “#” and which are frequently used to access bank to mobile money systems and vice versa, can be intercepted and stored by the thin SIM since it sits between the primary SIM and the phone and as such it can thus view and modify all USSD transactions. According to Kituo, since all SMS messages are stored on the primary SIM, the thin SIM can capture and intercept all SMS communication and that where a thin SIM is in place, all information, PIN numbers, USSD codes, bank account numbers and internet sites visible are first visible to the thin SIM before delivery to the primary SIM which constitutes a breach of privacy. Since it sits between the primary SIM and the phone, a party in control of the thin SIM may choose whether to pass traffic to the primary SIM or not thereby compromising the quality of services and exposing the user to denial of service threats.
As some will recall, it was based on the above grounds that the High Court granted leave to Kituo on 17th December 2014 to apply for judicial review orders sought and directed that the grant of the said leave would operate as a stay of the rolling out of thin sim technology by Finserve.
Aggrieved by the orders of December 2014, Finserve filed a Notice of Motion seeking that the orders be set aside. Finserve accused Kituo of failing to to make full frank and fair disclosure of all the material facts surrounding the proposed roll-out of the thin sim technology. According to Finserve, it did not intend to roll out the Thin SIM technology to the mass market as alleged by Kituo as the thin SIM technology was still in the development phase. The authorization granted by CA to Finserve was for a one year trial period during which period the technology would be strictly under the observation of CA to test its strength and vulnerabilities.
Further, Finserve referred to all the facts on this matter clarified in the earlier case of Bernard Murage vs. Finserve Africa Limited & 3 Others High Court Nairobi Petition Number 503 of 2014. In this regard, Finserve’s view was that the mobile banking services sought to be rolled out using the thin SIM technology is optional and available only to customers who sign up for the service hence the intended service was not going to be imposed on any member of the public as the relationship between the customer and Finserve is purely contractual and as such there is no public interest element in this case.
Finserve told the the court that since the decision by CA to allow it to use the thin SIM technology on the 22nd of September 2014, Finserve had made a lot of investments and preparations in a bid to comply with the conditions imposed by CA and had gone to great lengths to ensure the robustness of the technology and compliance with CA’s requirements.
In the meantime, CA filed its Notice of Motion application asking the Kituo matter to be stayed pending the outcome of the earlier Murage case referred to above. CA also asked the court to set aside the December 2014 orders. CA submitted that both Kituo suit and the earlier Murage suit were based on the grounds that there is real possibility of legitimate concern of data contamination/security of data resulting in data transmission to third parties. Further as both suits relied on the same exhibits, CA argued it was clear that the matter substantially in issue both in the present suit and the earlier suit was the decision to allow the roll out of the thin SIM card albeit on a one year trial period.
In light of the above, the court took a balanced view and ruled as follows:

…doing the best I can in the circumstances the order which commends itself to me and which I hereby grant is that this Court ought not to take the drastic step of setting aside leave with the consequences that these proceedings would be automatically terminated. I however vacate the directions given herein that the grant of leave herein operates as a stay of the proceedings in question.

Leave a Comment

Your email address will not be published. Required fields are marked