When private information is leaked online

It is not strange to hear that  a celebrity’s or politician’s private information or sex tape has been released or is going viral online. 

For instance, last year blogger Edgar Obare found himself in hot soup after sharing confidential travel documents of YouTuber Natalie Tewa, which stirred up a debate as he linked her to a Dubai trip by Mombasa Governor, Ali Hassan Joho and Suna East MP Junet Mohammed, who were visiting former PM Raila Odinga in hospital.

While the vlogger denied she was part of the entourage, Obare was arrested for soiling her name and publishing her travel documents without her consent. 

She is not the only public figure whose private information has been published.

Others such as Terrence Creative, Wa Jesus family and politicians have found themselves in such positions when their private encounters and details have been leaked. 

 This is called doxxing or doxxing, the act of publicly revealing private information about a person, or an organisation through the internet.

In most instances, such information is received from public available database and social media.

The information can also be gained through social engineering and hacking with the main aim of extortion, online shaming and as vigilante aid to law enforcement. 

Public records 

“The term ‘doxxing’ is short for “dropping dox,” with ‘dox’ being slang for documents.

Typically, this is a malicious act used against people with whom the perpetrator disagrees or dislikes.

It is the publication of personally identifiable information with the intention to harass, threaten or facilitate violence against a victim usually done by revealing identifying information about someone online, such as their real name, home address, workplace, phone, financial, and other personal information.

That information is then circulated to the public — without the victim’s permission,” explains cyber security expert, Paul Kathambana. 

He adds that doxxing is a form of harassment on its own, sometimes used as retribution by internet vigilantes against perpetrators of outrage-inducing acts caught on video. He further distinguishes instances when this can be legal or illegal.

 “Doxxing isn’t illegal if the information exposed is part of public record. This includes arrest records, marriage certificates, traffic violations, and divorce records.

If someone publishes these records, even without your consent, they are not doing anything illegal.

It is, however, illegal when someone publishes information that isn’t in the public record, such as your bank account information, credit card numbers, or birth certificate.

Doxers are acting illegally when they access this information and publish it,” he continues. 

In Kenya, doxxing can be found under Computer Misuse and Cyber Crimes Act 2018, specifically section 27(1), which criminalises cyber harassment, identity theft or impersonation of any person. The offence carries penalties of up to Sh20 million or imprisonment of up to 10 years.

“Under the Data Protection Act 2019, no organisation (except for very limited exceptions) can process data of any data subject without the specific lawful basis set out under the Act – the lawful basis includes consent, contract, legitimate interest, vital interest and public interest,” explains advocate and solicitor Amit Gadhia, who has had extensive experience in advising organisations on privacy data and data protection laws ranging from telecommunication to e-commerce businesses.

He is also on a panel of experts of One Trust Data Retention Guidance for Kenya. 

Personal liability

Amit adds that any processing of data outside of the six lawful bases may amount to an offence, which carry fines of up to Sh20 million.

Directors of the organisation can be held personally liable, and an aggrieved data subject can claim damages in court.

He, however, notes that there are various gaps in the law, which must be fixed.

For instance, the lack of awareness by individuals of this law indicates that a robust public exercise on awareness must be undertaken, in various languages and dialects, for everyone to understand it.

“Lack of stringent enforcement procedures by the regulatory and statutory regulatory bodies are created under both the Acts.

However, these offices are not adequately resourced or funded by the relevant ministries.

There is also lack of support from executive level to fund cyber security and data protection training within an organisation and for its employees,” he observes. 

Amit argues that while data is the new oil, most people do not understand why it is wrong for them to have organisations’ data without lawful basis.

To safeguard themselves, he advises people not to give their usernames and passwords to anyone. 

“Individuals must not share usernames and passwords for e-citizen and iTax portal to anyone even if they are professionals. Most portals provide for admin access to other admin users,” he says.

He further adds that individuals should change their personal identification numbers and passwords regularly with a strong password that cannot be hacked.

They should also not click an email they do not recognise. If an organisation asks for data, an individual should ask how the data will be used, stored, with whom it will be shared, for how long and when it will be deleted as these are all protected under the Act. 

Kathambana argues that while it is not entirely possible to avoid being doxed, there are steps one can take to minimise the damage or make themselves a target of hackers. 

“Be aware of what information you are sharing and where it is in general and guard your privacy by limiting the amount of data you share.

Don’t use the same username across multiple platforms,” he advises, adding that if one is an active social media user and often discloses more personal information such as pictures, check-ins, and opinions, these are all breadcrumbs that can lead people with malicious intent right back. 

Lawful basis

“Sometimes, people you don’t even know can take your pictures and post them on social media.

Don’t overshare, don’t turn your social media accounts into detailed reports of your daily life or your holidays.

Once they’re online, it’s safe to assume you’ll never really be able to take them down anymore,” he says, adding that people should learn to use all the privacy settings available to them and restrict access to their information and feed as much as possible. 

“Facebook, Instagram, Twitter, and YouTube all have privacy guides to determine what information you’re sharing and who can see it,” he adds. 

And for personal data processed by an organisation? 

Amit says individuals should ask why the organisation is doing so and on what lawful basis. 

“If there is no proper explanation and lawful basis, the organisation may have no right to process that data.

If any organisation is unlawfully processing data, you can report them to the Office of the Data Protection Commissioner who has powers to investigate the matter,” he says.