REVEALED: HOW FACEBOOK HAS BEEN SPYING ON KENYANS WITH ‘FIRMWARE’
Global social networking giant Facebook, which is facing a storm of international protest over its data mining and consumer data protection, is collecting additional citizen data beyond its users through the Wi-Fi Express programme it launched last year in Kenya, Tanzania, Nigeria, India, and Indonesia, the Business Daily has learned.
It has emerged that the company, which has in recent weeks suffered a mass user withdrawal following exposés that it has been acting as a gateway to those who want to collect data on millions of users, such as data firm Cambridge Analytica, may be mining even deeper into consumer data in the developing world where laws are weak or non-existent and regulators are lacking the knowledge and technology to monitor its activities.
With eyes now focused on the scale of Facebook’s data gathering and data selling through its own platform, the company’s Express Internet service, which has been rolled out in thousands of hotspots, including more than 1,000 in Kenya, is thought to have deepened the company’s data gathering capacity with unknown consequences to consumers.
Facebook Express falls within the suite of services that Facebook launched under the Internet.org initiative – starting with Facebook Basics, a service that gives free access to Facebook and some extras, such as weather forecasts.
Facebook Basics was later banned in India as a Facebook-selected microcosm of the Internet that raised the spectre of up to half the country’s population sitting solely within a commercially controlled Internet space.
By end of last year, Facebook had rolled out a new service again, initially solely in Kenya and Nigeria, but subsequently in India, Tanzania and Indonesia, called Facebook Express.
The new service is a standard paid-for Wi-Fi service, launched as a ‘feel-good’ peoples’ Internet.
It is not the cheapest in Kenya, but is at the cheaper end of the country’s fiercely competitive data market, offering, for instance, 3GB of monthly data for Sh500.
In launching Wi-Fi Express, Facebook did not want to get into the ISP business itself, and instead offered to supply ISP partners the equipment for their Wi-Fi access points.
Each access point costs around $250 (Sh25,000) and around another $200 (Sh20,000) to install.
In return for these free access points, the local ISPs permanently branded their Wi-Fi as ‘powered by Facebook.’
But it is the software in the access points that has raised eyebrows among many in the ISP community.
Nearly all of the world’s Wi-Fi access points are sourced from one of two market leaders: Microtiq and Ubiquiti, and come with an operating system, called firmware.
When Facebook set out to source the equipment for thousands of access points, it made a purchase from Ubiquiti on condition that it would be allowed to insert its own software, or, as one industry insider described it, ‘little black box’, into each access point.
Facebook did not divulge the nature or purpose of the insertion, and Ubiquiti refused to insert it. Facebook then went to the lesser known supplier Cambrian, which agreed to insert the black box into the access points.
The potential loss of sales then forced Ubiquiti to follow suit and agree to the insertion.
Thus, the Wi-Fi Express access points — paid for, but not operated by Facebook — have now been rolled out to thousands of hotspots, at bus stations, markets, and meeting areas.Ordinarily, ISPs must always have the capacity to extract data from any Internet access point on a court order.
For this reason, the standard firmware enables website blocking and access to user browsing records and to substantial user data.
In Kenya, many, but not all, ISPs supply this user data to the authorities on request, although some refuse to pass on users’ data unless served by a court order.
Facebook normally only receives all the data entered by Facebook members via Facebook, which accounts for around 20 per cent of most ISP’s data.
Thus, the additional purpose of Facebook’s black boxes in the access points it has provided is being viewed by some as deeply worrying.
“It is impossible to conceive the purpose of the added software except as a way of accessing additional data, and yet Facebook already gets all its own data from every kind of ISP.
‘Middle point monitor’
There is even a possibility that Facebook is acting as a kind of ‘middle-point monitor’, potentially even de-encryting and re-encrypting data streams from sources such as Google,” an industry insider said.
Telecoms market regulator the Communications Authority of Kenya (CA) said it was not aware of Facebook’s installation of any special data mining devices in the Wi-Fi Express programme.
The CA said there are no comprehensive regulations on data gathering and use by third parties without users’ permission in Kenya, even as it noted that the Kenya Information and Communications (Consumer Protection) Regulations, 2010 provide for the right to personal privacy and protection against unauthorized use of personal information.
“Licences issued by the Communications Authority of Kenya guarantee privacy and confidentiality of consumers and prohibits unauthorised use of apparatus, which is capable of recording, silently monitoring, or intruding into consumer’s communications.
“It should be noted, however, that the advent of social media applications in the recent past, most of which are provided from outside Kenya’s jurisdiction, but are accessible by users in Kenya has resulted in serious challenges in enforcing the provisions that exist in Kenya,” the CA said.
It added that it is for this reason that a draft Bill on data protection/privacy is being prepared to strengthen data protection and privacy.
Kenya’s Wi-Fi Express partner in Kenya, Surf, on Monday did not reply to questions on the matter.