Kampala, 15th/07/2020: Unwanted Witness Uganda has today released a report implicating SafeBoda – a motorcycle transport company that operates in Uganda, Kenya and Nigeria – in sharing their client’s personal data with third parties without their knowledge or permission as required by Section 7 of the Data Protection and Privacy Act of Uganda, raising legal issues as well as questions of trust.
We carried out research about SafeBoda’s privacy policy and its practice. When reviewing their privacy policy and comparing it to how the app actually operates, a number of discrepancies were identified.
We discovered that the SafeBoda app was sharing data with Facebook without the consent of the users. The app used a Facebook business tool known as a Software Development Kit (SDK). Through this SDK, Facebook routinely collected information on SafeBoda’s users via the SafeBoda app.
The SDK collected information on SafeBoda users and sent it to Facebook servers, regardless of whether they were Facebook users or not; this meant that even if the user didn’t have the Facebook app installed on their phone or a Facebook account, the SafeBoda app would still send data to Facebook.
Following our communication with SafeBoda asking for clarification, they removed Facebook trackers from the application.
Safeboda then proceeded to install a new tracker CleverTap. This Appprovides mobile app analytics – this means that every time a user uses the SafeBoda app, it still sends users’ data to CleverTap, a third-party, without their consent.
It is not the first time CleverTap has been involved in cases of sharing users’ data without their consent. Privacy International, a charity based in London that works at the intersection of modern technologies and rights, discovered this tracker in menstruation applications. The users’ data that’s shared include: the user’s phone type, phone contact number, email address, location, time-zone, user-names, and their carrier (Internet Service Provider).
“Companies like SafeBoda must abide by the law, and the law demands transparency. Users deserve to know what companies are doing with their data and companies are legally obliged to tell them” said Dorothy Mukasa the Executive Director of Unwanted Witness Uganda
We therefore implore SafeBoda and other data collectors to make adjustments to meet the required data protection standards and principles:
We urge companies, institutions, and government agencies to adhere to the existing legal frameworks. We call upon other companies to prioritize users’ data and desist from using technology that exploits it. Unwanted Witness will keep on exposing companies, institutions, and agencies that engage in data exploitation practices, and we will continue advocating for change of such practices and enforcement of existing safeguards to protect people and their data.
Read the full report here: https://www.unwantedwitness.org/download/uploads/Trading-Privacy.pdf
Notes to Editors
SDK
An SDK is a set of development tools that helps developers to build apps for a specific operating system; Facebook’s allows developers to integrate their apps with Facebook’s platform and contains a number of other components such as analytics, Ads, Log in, Account Kit, Share, Graph API, App Events and App Links.
Clevertap
Clevertap was formerly known as WizRocket, and is a SaaS-based customer lifecycle management and mobile marketing company headquartered in Mountain View, California founded in May 2013.
About Unwanted Witness
The Unwanted Witness is a civil society organization (CSO) that was established to respond to the gap in effective communication using various online expression platforms.