The mad rush by Kenyans to sign up for Worldcoin, a cryptocurrency, has sparked a major split in the Cabinet over privacy issues.
Questions are now emerging over data security, amid concerns that most of the people who had their irises scanned were ignorant of what the process entailed.
On Wednesday (August 2), Information, Communications and the Digital Economy Cabinet Secretary Eliud Owalo said his office, alongside that of the Data Protection Commissioner, would issue a statement later in the day on the measures they had put in place to protect the privacy of Kenyans.
“What this company is saying is that they are getting this data voluntarily from Kenyans, but [the government’s concern] is that Kenyans [shouldn’t] be exploited,” Mr Owalo said during an interview with NTV.
His Interior counterpart Professor Kithure Kindiki, however, issued a statement suspending Worldcoin registration pending a probe into the authenticity and legality of the cryptocurrency and the security and protection of data collected by Worldcoin.
“The government has suspended the activities of Worldcoin ... until the relevant public authorities certify that there is no risk to the general public,” he said.
This comes a day after it emerged that thousands of Kenyans had signed up for the cyber cash. Prof Kindiki warned that action would be taken those who will continue to promote, aid, abet or participate in Worldcoin registration.
He added that the collection of data through orb systems, which scan a person’s iris to verify that they are human, could compromise data security if adequate measures are not taken to forestall data breaches.
The CS further called on the firm behind Worldcoin to provide assurances regarding public safety and the integrity of financial transactions involving such a large number of citizens in advance. Foreign Affairs CS Alfred Mutua said Kenyans should not be used as guinea pigs by foreign companies.
“Let us all support the stoppage of Kenyans being used as guinea pigs and their data being harvested. Getting paid is important, but you have to ask yourself why your eyes are being scanned and information is being collected. What does it mean and what will it mean for you and your descendants?” Dr Mutua said.
Yesterday, Communications Authority of Kenya (CA) and the Office of the Data Protection Commissioner (ODPC) said they had undertaken a preliminary review and noted a number of legitimate regulatory concerns that require urgent attention.
“The issues we noted included; lack of clarity on the security and storage of sensitive data; obtaining consumer consent in exchange for money, which borders on inducement; and uncertainty regarding consumer protection on cryptocurrency and related ICT services,” the two agencies said in a joint statement.
They further said that they had noted inadequate information on cybersecurity safeguards and standards, saying, access to citizens’ data by private actors requires an inquiry to enable regulators to advise stakeholders on appropriate measures to protect public interest.
Controversies around Worldcoin are not new. Similar concerns have been raised in other jurisdictions such as Germany, France, the United Kingdom, and India. Arising from these preliminary observations, a multi-agency investigation is underway.
“Consequently, and as directed by the government, Worldcoin must cease its data collection activities in Kenya until further notice. The public is advised to take caution when providing personal data to private actors,” the two agencies said.
Earlier, lawyer Harrison Kinyanjui had raised concerns about the security of Kenyans’ data, saying, he had taken his concerns to the Office of the Data Commissioner.
The lawyer argued that Section 31 of the Data Protection Act was not being complied with, which states that where a processing operation is likely to result in a high risk to the rights and freedoms of a data subject, by virtue of its nature, scope, context and purposes, a data controller or data processor shall carry out a data protection impact assessment prior to processing.
The Act also requires the controller or processor to consult the commissioner before processing data if a privacy impact assessment indicates that this would jeopardise the rights and freedoms of a data subject.