A big scandal has rocked SafeBoda, a motorcycle transport company that operates in Uganda, Kenya and Nigeria through an app that connects riders to customers. According to a report released by Unwanted Witness Uganda today, SafeBoda is sharing their client’s personal data with third parties without their permission contrary to Section 7 of the Data Protection and Privacy Act of Uganda.
The scandal has raised eyebrows of many Ugandans who feel betrayed and their privacy tapped into by the money-minting company.
“We carried out research about SafeBoda’s privacy policy and its practice. When reviewing their privacy policy and comparing it to how the app actually operates, a number of discrepancies were identified. We discovered that the SafeBoda app was sharing data with Facebook without the consent of the users. The app used a Facebook business tool known as a Software Development Kit (SDK). Through this SDK, Facebook routinely collected information on SafeBoda’s users via the SafeBoda app.” Part of the report reads.
More details in the report indicate that the SDK collected information on SafeBoda users and sent it to Facebook servers, regardless of whether they were Facebook users or not; this meant that even if the user didn’t have the Facebook app installed on their phone or a Facebook account, the SafeBoda app would still send data to Facebook.
When Unwanted Witness Uganda communicated with SafeBoda asking for clarification, they instead removed Facebook trackers from the application.
“Safeboda then proceeded to install a new tracker CleverTap. This Appprovides mobile app analytics – this means that every time a user uses the SafeBoda app, it still sends users’ data to CleverTap, a third-party, without their consent.” The report adds.
According to tech analysts, it is not the first time CleverTap has been involved in cases of sharing users’ data without their consent. Recently, Privacy International, a charity based in London that works at the intersection of modern technologies and rights, discovered this tracker in menstruation applications.
SafeBoda is minting money by sharing users’ data like; the user’s phone type, phone contact number, email address, location, time-zone, user-names, and their carrier (Internet Service Provider).
“Companies like SafeBoda must abide by the law, and the law demands transparency. Users deserve to know what companies are doing with their data and companies are legally obliged to tell them” Dorothy Mukasa the Executive Director of Unwanted Witness Uganda said.
Unwanted Witness Uganda implored SafeBoda and other data collectors to make adjustments to meet the required data protection standards and principles. Among other suggestions, SafeBoda was urged to improve on the following;
- Safeboda should offer users a genuine choice to consent to the processing of their data for marketing and analytics purposes, including via third parties like Clevertap that may act as processors. Bundling consent negates users choice
- Safeboda should have clear comprehensive privacy policies and these should be strictly enforced.
- The company should exhaustively specify the third-parties and the exact personal data it shares with them in its privacy policy.
- It is recommended that efforts be taken to establish “pathways” that can be followed by data subjects to allow them, if interested, to understand how their personal data may be being processed by the company and any third parties.
While concluding the report, Unwanted Witness Uganda urged companies, institutions, and government agencies to adhere to the existing legal frameworks. They further called upon other companies to prioritize users’ data and desist from using technology that exploits it. Unwanted Witness vowed to keep on exposing companies, institutions, and agencies that engage in data exploitation practices, adding that they will continue advocating for change of such practices and enforcement of existing safeguards to protect people and their data.