By Ahmed M. Musa and Mahad Wasuge
In this information age, data is seen as a valuable commodity by a broad range of actors. This means that data are captured and used for multiple purposes, often related to security and commercial interests. Although a fragile country emerging from a prolonged civic war, Somalia has not been left out of the data revolution. Over the last two decades, the humanitarian, private, and public sectors have accelerated their efforts to capture digital data. The aid sector generates and collects personal data including fingerprints, voice recognition and household demographics to improve aid transparency and accountability. The private sector – particularly the telecommunications industry – has the largest range of client data at their disposal. Most recently, the state has also started capturing digital data for national ID systems (civil, voter, driving license IDs), service delivery through digital payments, and security-related functions such as biometric military IDs and counter-terrorism activities.
Despite the inexorable expansion of its extraction, data capture and usage in Somalia/Somaliland is (largely) unregulated. This blog post looks at the emerging Somali data ecosystem with specific focus on data capture, usage, and protection in a context of state fragility. In this exploratory blog post, we map out the broader issues and signpost areas for future research. We discuss digital data collection in the private, aid and public sectors, and then summarise issues shared across these sectors in relation to data use and the lack of (legal) protections for those whose data is captured.
De facto digitalized economy: private sector data
Today, Somalia/Somaliland is a part of the world that leads in the development of a cashless economy. For various reasons related to security, the spread of basic mobile phones and issues with state-printed currency, SMS-based mobile wallet systems have become omnipresent. In many urban centres, even minor transactions, such as buying chewing gum or paying shoe-shiners, are conducted through mobile money.
All telecommunication providers across the territories have mobile money systems, albeit with some differences in their data protection policies. For example, in Somaliland and Puntland, customer details including phone numbers, photos and full names are registered as a requirement to open a mobile money account. These may be shared by telecom companies with state authorities. When making transactions, digital wallet users themselves can see the full names of those they are transacting with. Customers can even initiate a transaction process without completing it in order to see the name details associated with a particular phone number. In the south (where Hormuud is the dominant company), customer details are registered but money senders cannot see the personal data of the recipients. One exception is when sending money from one telecommunication company to another. Senders from Hormuud, for example, cannot see the details of the person receiving the money using a different telecommunication company before sending the money.
Because of the prevalence of mobile money, telecommunications companies hold huge amounts of personal data relating to people’s financial transactions, photos, and full names. In theory, the private sector can use this data for economic and commercial purposes without tangible legal restrictions.
Improving accountability: the aid sector’s pursuit of digital data
In the last decade, the aid sector has joined the pursuit of data for increased transparency and accountability of both humanitarian and development aid. It has become a common practice that implementing partners and third-party monitors (TPMs) use tablets to capture geo-references, names, photos, and biometric data of beneficiaries. There are uncertainties in the ownership, protection and use of this data. Cash transfers are often facilitated through the mobile money systems, which, along with health and food distribution programmes are among the donor interventions that are increasingly capturing personal data. This data is used by individual agencies and humanitarian clusters. With ongoing contestation between Government authorities and Al Shabaab (and displacement of vulnerable populations between areas controlled by the different sides in this conflict), the unauthorised sharing of this data has various security implications. The adoption of digital, predominantly quantitative, data collection protocols allow for an increasingly remote monitoring and steering of aid interventions. TPMs have also set up call centre facilities that aid monitoring projects in remote and inaccessible places. While the TPMs and call centres have partly improved aid data quality, calling beneficiaries in risky areas raises ethical questions including issues around consent and protection. Al Shabaab has often banned mobile internet in areas which it controls and frequently executes those it accuses of spying for its enemies.
The aid sector in Somalia frequently partners with the local private sector for digital cash transfers. There are also efforts, albeit in a formative stage, to capture voice recognition of aid beneficiaries in order to identify them. In Europe, General Data Protection Regulation (GDPR) regulation specifies that any data that can be used to identify a person such as biometric, voice recognition, name, photos, gender are considered sensitive personal data and must be treated with extra protection. However, outside Europe, in settings where there are few legal frameworks for data protection, donors, implementing agencies and TPMs that partner with them are involved in capturing large quantities of these types of personal data in their daily activities.
Globally, concerns are being raised about how humanitarian data can be used by various actors in ways that are not in the interest of beneficiaries. More consideration is needed on how data protection policies could be extended to developing countries, and the responsibilities of international donors in this process. In Somalia, although digital identification has been presented as possible solution for various pressing development issues, significant challenges remain in regard to data ownership and privacy of data subjects. Overall, in the public and aid sectors, data collection is most strongly influenced by donor policies and requirements, as opposed to local concerns.
Digitalising public service delivery by capturing ‘sensitive personal data’
Due to the gradual strengthening of state capacity, the public sector in Somalia/Somaliland has started to capture sensitive personal data to improve service delivery and facilitate democratization. As part of its civil, voter and driving license ID systems, Somaliland, for example, has been capturing biometric and iris data, and has pioneered the use of this for voting purposes. Moreover, it has captured data on kinship affiliation for its civil ID system. Puntland has also started to collect biometric data for its voter registration IDs. To improve the payment system, the Federal Government of Somalia also recorded personal fingerprints and iris scans of federal soldiers in 2019 who are now paid using the biometric payment system.
The Federal Government of Somalia works closely with (and is often reliant on) international donor partners, who are demanding more accountability and transparency. To achieve this, the two sides are increasingly relying on data. A case in point is the World Bank-funded Baxnaano project, which targets poor vulnerable families for cash transfer after collecting their digital data. 200,000 households were targeted to be given cash payments, and so far over 111,000 households have been reached, according to the initiative’s website. The biometric data of an entire household must be digitized before cash is provided. Critics say that the programme is very much similar to emergency and humanitarian responses and the meagre monthly cash provided to vulnerable families will be unlikely to reduce poverty in Somalia. However, the programme illustrates how the humanitarian sector (and its modes of data collection and aid delivery) are influencing the embryonic development of state-based social welfare initiatives.
Due to increasing focus on democratization and state-building efforts, the digitization of the public sector is likely to sharply increase in the near future. The donor emphasis on transparency and accountability and the fact that Somalia heavily depends on donor money is probably the main driver of these initiatives in the public sector.
A lack of data regulation: emerging implications
Despite the emergence of huge datasets within the private, public and aid sectors, there are no national data policies and protection laws in Somalia/Somaliland. Data collection, processing, storage, and use remain largely unregulated. Even if regulations existed, enforcement would remain an issue given the weakness of many state institutions.
While the negative implications of this are yet to be fully realised, there are indications of exploitation and use of data without the consent of data subjects. For example, some businesses in Mogadishu, harvest mobile money transaction data from their customers, without their consent, and use this for marketing purposes. There are also increasing incidents involving digital scams. For example, scammers in Mogadishu target less digitally-literate wallet users by telling them that they wrongly sent money and ask them to return the sum. Scammers in Hargeisa use a similar trick where they generate fake transaction messages to mislead businesses and people who are not digital savvy. There are few legal guidelines for addressing these kinds of incident.
Our recent Somali Public Agenda (SPA) publication on ‘who owns data in Somalia’ reported that aid data is sometimes used for “commercial purposes such as fund raising by the donors or consulting firms to show their understanding and relevance in Somalia/Somaliland”. In the absence of functional business classification laws, it is very likely that mobile money providers use their big database to identify profitable sectors of the economy and can enter such sectors, monopolizing the economy. Big telecom companies in Somalia already have large investment portfolios across a wide spectrum of different sectors. Although major digital platforms leverage data for monopolistic purposes worldwide, this is an area that warrants further research in contexts affected by instability, and state/regulatory weakness.
Due to efforts to regulate the financial sector, central bank(s) in Somalia/Somaliland have been making efforts to ensure that private financial institutions share their data, including transactions and remittances with central banks. But due to the lack of data protection laws, private financial institutions have been reluctant to share their data as they do not have any guarantees of its security, or that unauthorized people will not access it. Senior management of some private financial institutions have complained about this. In an attempt to address the mistrust of the private financial institutions to share their data, some central banks require the staff of the departments dealing with the banks to take an oath of confidentiality, but this has not yet convinced private financial institutions.
Protecting data: Systematic problems require systematic solutions
In the digital era, institutionalisation and formalisation of data protection procedures could provide systematic solutions to the problems of data security. It is important to protect data subjects’ personal information, including sensitive private data. Having a legal framework that enhances data protection can help in safeguarding data usage, as well as individuals’ right to their own data. Digital data utilisation for economic and commercial reasons is sometimes referred as ‘surveillance capitalism’, and research here often focuses on the internet use citizens in the West (or China). Somalia/Somaliland present a different context, where states (with limited capacity), international aid organisations and powerful local telecom and remittance companies are gathering large amounts of data from different kinds of transactions. This occurs in a wider environment affected by humanitarian issues such as drought, displacement and conflict.
Although some evidence shows that data privacy and data security do not seem to be major concerns for citizens in the developing countries, there is a need to study the laws and institutional structures necessary to protect and secure data in Somalia/Somaliland and draw comparisons with other countries. An equally important area for research would be examining the extent and purposes of current data practices by the private, public and aid sectors in Somalia/Somaliland, and how these may violate the privacy and security of citizens
There are inexorably efforts towards datafication involving key sectors and actors in Somalia/Somaliland. Data subjects are increasingly becoming concerned about their data. It is the right time for deliberations on data protection among stakeholders. This is important to not only for the protection of the rights of data subjects but also in building trust in datafication. However, data regulations must be deliberated with the intention to improve data rights, access, use and protection for the wider public interest – in ways that give agency to data subjects to shape how data is created and used, beyond the priorities of donors.
Ahmed M. Musa is currently a postdoctoral researcher on the Diaspora Humanitarianism in Complex Crises project; Mahad Wasuge is the Executive Director of Somali Public Agenda.