State disregard for privacy laws as digital surveillance used to tame critics
A hooded man holds a laptop computer as cyber code is projected on him in this illustration picture taken on May 13, 2017. REUTERS/Kacper Pempel/Illustration
Wambugu’s lawyer, Ian Mutiso, on Wednesday submitted a forensic report in a court in Nairobi, where findings from the Citizen Lab showed that a spyware named FlexiSPY was installed on Wambugu’s device on May 21, 2025. At the time, the Directorate of Criminal Investigations (DCI) had withheld the filmmaker’s phone as it “investigated” his role in the Blood Parliament documentary by the BBC.
Police accused Wambugu, alongside Brian Adagala, MarkDenver Karubiu and Chris Wamae, of producing the documentary, which sparked public interest in the events of June 25, 2024, when anti-tax protesters stormed the Kenyan parliament. After their arrest on May 3, 2025, the BBC stated that the filmmakers were not involved in the production of BBC Africa Eye’s Blood Parliament documentary.
According to a report by the Citizen Lab, the spyware was put on Wambugu’s phone before it was returned to him on July 10, 2025.
FlexiSPY, according to the University of Toronto-based laboratory, can record calls, capture and collect multimedia material, delete or modify data, and track the location of a device.
While Wambugu’s counsel submitted the findings on Wednesday, a court in Nairobi also found that the state conducted an illegal search on the phone of another Kenyan citizen, one Michael Ndichu.
The High Court ordered the government to pay Ndichu Ksh. 500,000 for an illegal search after his phone was confiscated and searched without a court order.
Spy, track and silence
Wambugu’s case is among instances where the state has used technology-enabled strategies to conduct surveillance on persons perceived to have dissenting voices.
In 2024, Kenya witnessed a series of abductions, where influential youths on social media platforms went missing at different times. This specifically happened to government critics.
Some of them were captured by their abductors in the glare of cameras, only for security bodies like the National Police Service (NPS) to deny involvement.
“For clarity, the Constitutional mandate of the National Police Service is not to abduct, but arrest criminal offenders,” Police Inspector General Douglas Kanja said on December 26, as cartoonist Kibet Bull, his brother Rony Kiplangat, Bernard Kavuli, Peter Muteti and Billy Mwangi, all government critics, were reported missing.
Deny! Deny! Deny! This was similarly the language of top government officials led by President William Ruto.
In all instances, abductees reported being tracked down, and some had taken precautions such as installing VPNs to mask their addresses.
In June 2025, Rose Njeri, a software engineer, was also arrested after developing software to help Kenyans reject Finance Bill 2025.
Njeri was held on cybercrime charges; her devices, including her phone and computer, were confiscated, and she was detained without bail. The court would later dismiss the charges.
Also, the Kenyan police are on the spot for seeking private information about government critics.
Recently, the court heard that the police, without a court order, approached a mobile operator seeking information on David Mokaya, a student accused of defaming President Ruto.
Earlier, in June 2025, the police had sought information from the Communications Authority regarding a social media account linked to slain teacher Albert Ojwang. IG Kanja told Senators that police made the request to the CA amid a probe into a case where Ojwang was accused of defaming police boss Eliud Lagat through a social media post. The CA would later deny sharing Ojwang's location with the police, the information that led to his arrest in Homa Bay County and eventual murder in custody.
Privacy and data protection
As provided in the 2019 Data Protection Act, unregulated surveillance is against the law. The Act requires individuals to be notified before the collection of their personal data.
The DPA requires surveillance to meet legitimate interests and the necessity for public interest.
According to Katiba Institute Executive Director Norah Mbagathi, the only surveillance and tracking allowed under the Constitution of Kenya must be by warrant.
“As such, only a proper court order can warrant any form of surveillance and even then, it must be within the confines and limitations of the constitution and relevant human rights and international law standards,” Ms Mbagathi told Citizen Digital.
As a regulator, the Communications Authority has been faulted for misuse of power, where it gave out data or asked platforms for data on certain individuals online.
This, Ms Mbagathi says, is against its role as a regulator, which should ensure the integrity and Constitutional compliance of the bodies it oversees.
“CA must not act as an enforcement arm for government overreach but act within its constitutional mandate to ensure compliance with applicable laws and regulations,” she stated.
Currently, the Office of the Data Protection Commissioner (ODPC) is tasked with regulating data processing activities, enforcing data protection laws, and safeguarding individuals' privacy rights. This is in adherence to the Data Protection Act, 2019.
However, a number of players in the public sector have noted that the office, under commissioner Immaculate Kassait, has sometimes failed in its mandate.
The Kenya Institute of Public Policy Research and Analysis (KIPPRA) notes that ODPC, which is under the Ministry of ICT, lacks independence to enforce data protection laws and ensure efficient data handling practices.
KIPPRA also notes the challenges posed by emerging technologies, which bring about new ways of data collection and processing.
East Africa’s spying behaviour
A report by Unwanted Witness details the concerning use of surveillance tools and spyware in the East African region, where journalists, civil society groups and human rights defenders are targeted.
The report details the growing use of spyware and other forms of digital surveillance to silence free expression and intimidate dissenting voices, hence threatening democracy in East African nations.
Unwanted Witness notes that in these countries, surveillance has also manifested itself in the use of initiatives to maintain safe cities.
These tools of repression infringe on rights to privacy and data protection laws and provide room for misuse of anti-terrorism laws.
The body also notes that laws such as the Computer Misuse and Cybercrime Act have also been used to criminalise freedom of speech on social media platforms. It notes how such laws, enabling governments to monitor telecommunications and internet activity, have been misused due to a lack of judicial oversight.
It notes the difficulties the Office of the Data Protection Commissioner (ODPC) faces in enforcing compliance, as security agencies operate with limited scrutiny, “especially when partnering with private surveillance contractors or foreign technology providers.”
These surveillance mechanisms could further be enabled through the Device Management System (DMS) under pretexts such as eliminating counterfeit devices in the market.
For instance, an October 2024 notice by the Communications Authority stated that Kenyans would be required to declare and register their International Mobile Equipment Identity (IMEI) numbers with the Kenya Revenue Authority.
The CA said this would ensure tax compliance.
However, the decree raised questions on legality, as it was seen to be in contravention of the Data Protection Act.
In July 2025, the High Court in Nairobi issued orders quashing the notices after a petition by Katiba Institute.
The civil society group brought to light the implications of the directive on data privacy, government surveillance and the regulation of mobile devices in Kenya.
Elsewhere, governments have also shown disregard for privacy laws by making information requests to technology companies.
A 2025 report by Meta showed an increase in the number of information requests made by the Kenyan government between July and December 2024.
Meta notes that the state made twelve information requests, nine of which were for 'legal processes' and three made on grounds of 'emergency disclosure'. The government also made requests on 18 accounts.

