Kampala, 15^th/07/2020: Unwanted Witness Uganda has today released a report implicating SafeBoda – a motorcycle transport company that operates in Uganda, Kenya and Nigeria – in sharing their client’s personal data with third parties without their knowledge or permission as required by Section 7 of the Data Protection and Privacy Act of Uganda, raising legal issues as well as questions of trust.

We carried out research about SafeBoda’s privacy policy and its practice. When reviewing their privacy policy and comparing it to how the app actually operates, a number of discrepancies were identified.

We discovered that the SafeBoda app was sharing data with Facebook without the consent of the users. The app used a Facebook business tool known as a Software Development Kit (SDK). Through this SDK, Facebook routinely collected information on SafeBoda’s users via the SafeBoda app.

The SDK collected information on SafeBoda users and sent it to Facebook servers, regardless of whether they were Facebook users or not; this meant that even if the user didn’t have the Facebook app installed on their phone or a Facebook account, the SafeBoda app would still send data to Facebook.

Following our communication with SafeBoda asking for clarification, they removed Facebook trackers from the application.

Safeboda then proceeded to install a new tracker CleverTap. This Appprovides mobile app analytics – this means that every time a user uses the SafeBoda app, it still sends users’ data to CleverTap, a third-party, without their consent.

It is not the first time CleverTap has been involved in cases of sharing users’ data without their consent. Privacy International, a charity based in London that works at the intersection of modern technologies and rights, discovered this tracker in menstruation applications. The users’ data that’s shared include: the user’s phone type, phone contact number, email address, location, time-zone, user-names, and their carrier (Internet Service Provider).

“Companies like SafeBoda must abide by the law, and the law demands transparency. Users deserve to know what companies are doing with their data and companies are legally obliged to tell them” said Dorothy Mukasa the Executive Director of Unwanted Witness Uganda

We therefore implore SafeBoda and other data collectors to make adjustments to meet the required data protection standards and principles: 

1. Safeboda should offer users a genuine choice to consent to the processing of their data for marketing and analytics purposes, including via third parties like Clevertap that may act as processors. Bundling consent negates users choice
2. Safeboda should have clear comprehensive privacy policies and these should be strictly enforced.
3. The company should exhaustively specify the third-parties and the exact personal data it shares with them in its privacy policy.
4. It is recommended that efforts be taken to establish “pathways” that can be followed by data subjects to allow them, if interested, to understand how their personal data may be being processed by the company and any third parties.

We urge companies, institutions, and government agencies to adhere to the existing legal frameworks. We call upon other companies to prioritize users’ data and desist from using technology that exploits it. Unwanted Witness will keep on exposing companies, institutions, and agencies that engage in data exploitation practices, and we will continue advocating for change of such practices and enforcement of existing safeguards to protect people and their data. 

Read the full report here: https://www.unwantedwitness.org/download/uploads/Trading-Privacy.pdf

Notes to Editors

SDK

An SDK is a set of development tools that helps developers to build apps for a specific operating system; Facebook’s allows developers to integrate their apps with Facebook’s platform and contains a number of other components such as analytics, Ads, Log in, Account Kit, Share, Graph API, App Events and App Links.

Clevertap

Clevertap was formerly known as WizRocket, and is a SaaS-based customer lifecycle management and mobile marketing company headquartered in Mountain View, California founded in May 2013.

About Unwanted Witness

The Unwanted Witness is a civil society organization (CSO) that was established to respond to the gap in effective communication using various online expression platforms.