Safe Boda sharing clients’ data with Facebook wasn’t a mistake or innocent –  It’s their business model


It’s time people stopped viewing Safe Boda as an innocent transportation company. It’s in the global business of aggressive data mining. Under the laws of Uganda, Safe Boda is incorporated as Guinness Transporters Company Limited by shares and in 2018, it raised over 1.2 million dollars. There is this public relations narrative from Safe Boda itself that this company was started by a senior four drop out.

For some us who have tried making a pitch to sophisticated venture capital funds in the U.S, South Africa or the U.K for venture capital, given the level of racist bias against blacks in the venture capital industry, you can never convince me that a black man without a high level of education or even exposure in the tech industry made a pitch to sophisticated venture capital funds for money to the extent that Safe Boda is now an early stage “Series A” venture capital funded company. It’s the whites at Safe Boda that form the brain of this company. Their co-founder who happens to be black is just a public relations stage prop.

When the Data Protection and Privacy Act, 2019 was passed last year, a longtime friend currently auditing with PWC called me to consult about the impact of this law on certain business like banks and the Value Added Services (VAS) in the telecommunications industry. At the end of this long phone call, he tended to conclude that this was one of those laws that will lay redundant on the statute books because of the ignorance of Ugandans, due to the fact that Ugandans take their data collected by these big tech companies for granted.

Very many big data companies have data analytics tools for the sole purpose of building large data bases. For instance, Cambridge Analytica before 2015, was harvesting data off Facebook, which at the time was very easy to do. Facebook had started a program in 2010, where a developer could pay for access to any of the data of facebook users. This isn’t strange to what Safe Boda has been doing.

According to the findings of the unwanted witnesses report, the Safe Boda app used a Facebook business tool known as a Software Development Kit (SDK) to routinely collect information on Safe Boda’s users via the Safe Boda app. The SDK collected information on Safe Boda users and sent it to Facebook servers, regardless of whether they were Facebook users or not; this meant that even if the user didn’t have the Facebook app installed on their phone or a Facebook account, the Safe Boda app would still send data to Facebook. This is contrary to the data protection and privacy law.

When unwanted witnesses in the making of their report put this to SafeBoda, they removed Facebook trackers from the application. Safe Boda then proceeded to install a new tracker – CleverTap. This App provides mobile app analytics – this means that every time a user uses the Safe Boda app, it still sends users’ data to CleverTap, a third-party, without their consent. This can’t be innocent. It could be possible that Safe Boda might have been selling their client’s data without their consent, since after all, Safe Boda brands itself as a company that helps other companies to build valuable, long-term relationships with their customers by giving them two things: access to real time behavioral analytics so they know who they are, and a platform with which they can engage users on the right channels, at the right time, and with a message that resonates.

Interestingly, according to an old Safe Boda privacy policy clause, data was disclosed to third parties, only with users’ “advance notice” and not consent, which would be the required legal basis to disclose personal data to third parties. In other words, the older Safe Boda privacy policy suggested that as long as users knew that their personal data was to be transferred to third parties, this should be enough to render the transfer compliant with data protection law without the user actually consenting to such transfers.

Their new privacy policy shows that the data subject “will be informed before“ the data is shared with the third party under clause 12.1.2; however, this is still not consent because the moment the subject data objects to the collection or processing of personal data, the person who is collecting or processing personal data shall stop the collection or processing of personal data.

ALSO READ: Human rights violations increase during coronavirus lockdown – ULS Report

According to the data protection principles in Section 7 (3) of the Data Protection and Privacy Act, the data subject needs to know in advance what data is being processed as well as what data is being shared and who are the recipients of that data so as to make an informed decision to consent to the sharing of their data. Consent is a core principle of data protection which allows the data subject to be in control of when and how their personal data is being processed and it should be freely given, specific, informed, and unambiguous this can be in a written form or oral.

My view on these Safe Boda breaches is that it is their business model to share their customers’ data with 3rd parties and therefore, people that have this app installed on their phones should be careful. For those who don’t know, data is a multi-trillion industry, and it wouldn’t be a surprise if Safe Boda was tempted to join this bandwagon. Data is the world’s most valuable asset now. It runs all decision making, all user experience and communication for every organization.

Your data is important, it has contributed to one of the world’s biggest industries. In 2017, it surpassed oil and gas in value. Yet this entire time you have been producing data on digital devices, before the passing of this new data protection law, you never had any rights to it. In this new industrial revolution, which is doing so much data mining, if you are not well educated and you are using these devices, you are being taken advantage of.

Right now we have two problems to solving this information asymmetry in this tech business; first, tech companies like Safe Boda won’t make the ethical decision with our data without being forced by laws and regulations and on the other hand, we have a population, especially in Uganda that is still digitally illiterate. This population doesn’t understand what its data rights are and how to protect them, we don’t understand basic cyber security protocols and how to keep our data private if we wanted it that way. All these things need to be integrated into the education system because we have an under educated population that is over exposed to digital life.

Data and its usage method today, means that anybody in the world can buy your time, your attention and your privacy which goes to the highest bidder if the data protection and privacy laws aren’t followed.  Section 18(1) of the Data Protection And Privacy Act 2019 provides that an entity collecting personal data shall inform the data subject about the period for which the data will be retained to achieve the purpose for which it is retained. It’s quite interesting that the Safe Boda privacy policy does not specify the exact retention periods for every category of personal data of users. I agree with the Unwanted witness report which concludes that “this raises some important transparency questions and might potentially hinder users’ ability to properly be in control of their personal data by knowing for how long each data will be kept and under what legal basis.”

One of the biggest problems on the internet is that we don’t have many rights on the internet. The right to own your own data is greatly limited. By this I just don’t mean consenting before your data is shared with 3rd parties, but actually to have the right to contract on your own data or to licence it. This is the greatest limitation of the Data protection and Privacy Act.

Data is a very weird commodity. Data of a single individual may not be of much use until it’s combined with the data of millions of other people in a kind of agglomeration and a clear pattern is drawn. Data is weird indeed unlike having a barrel of oil and knowing the price of it. The problem with data protection laws, generally, is that the internet is structured as a commons yet the big tech companies use the business models of scarce markets in order to figure out who owns what and who gets what for what. The model we need to use is less of who owns what and who is compensated for what but more of the “data commons.”

The question should be how could we share all our data and devalue all the data that the data companies have because if we are sharing it in a commons, it becomes a collective property rather than something that is exploited as data and people who make money on it are people who create value by analyzing the data not the sale value through sharing data. As it stands, it looks like on the internet, we are in the business of exchanging data for services, allegedly “to get google maps for free,” or to “talk to our friends on facebook for free.” Through this we have inadvertently created a surveillance society. I don’t think Tim Berners-Lee intended this when he created the World Wide Web in the early 1990s.

In today’s world, the technology that generates the data owns it. If you get a ride from Safe Boda, and Safe Boda generates your data, Safe Boda owns it. And if Safe Boda has a server, that stores that data, then Safe Boda owns it. There are many complexities of data ownership that I think the data protection and privacy law should explore, but the enactment of the data protection law is just the start.

Government should view these safeboda data breaches as a national security threat, if it’s to safeguard the territorial integrity of the country. Cyber security breaches can saw seeds of social disharmony as we saw with the Russians interfering in the 2016 U.S election. No state is safe if private companies know its citizens better than the government. It’s time you stopped looking at Safe Boda as an innocent transportation company. It’s an active player in this data game which is a multi-trillion dollar industry. Applying the Capitalist property rights models to data, yet this internet is structured as a commons is an inherent contradiction that needs to be solved.


Leave a reply