When Kenyan entrepreneur Mugethi Gitau started a business making all-natural hair and skin products in 2016, she didn’t worry about how to manage orders and customers. She went to the messaging platform she uses for nearly all her communication: Facebook Inc.’s WhatsApp.
“WhatsApp is already there,” Gitau says. “So it's the easiest way to reach somebody.”
WhatsApp’s ubiquity means it is intertwined with every aspect of business and personal life in Kenya. But for entrepreneurs like Gitau, the symbiotic relationship could be about to get a lot more complicated.
In November, Kenya became the latest of more than 20 African countries to pass a law to protect the privacy of citizens’ digital information. Kenya’s Data Protection Act and other new African laws would look familiar to many in Europe, whose privacy regulations greatly informed them.
There may be unforeseen consequences for African businesses. European regulators already argue that WhatsApp violates their data protection laws because of the way it collects users’ information.
Africa is a new battleground for attempts to balance these desires to protect privacy, foster business and prevent the spread of false or hateful content on WhatsApp. Digital privacy laws being adopted in countries ranging from Kenya to Ghana to Tunisia to Zambia now add a new dimension to the question of what type of privacy is the most important to protect.
The new African laws do not intend to target WhatsApp – and no one is rushing to delete the platform. But their similarity to European data privacy laws raises the possibility of a complicated fight over how WhatsApp should – or shouldn’t – be regulated on the continent.
“It's extremely difficult to keep communication lines open with Africa. You can't keep on calling with normal lines. It's a relief that we can just put people on WhatsApp groups.”
“There is a real question as to how platforms like Facebook and WhatsApp will have to be modified,” says Bhaskar Chakravorti, the dean of global business at The Fletcher School of Law and Diplomacy and a researcher on digital economies. “People use these platforms for all kinds of purposes, consumer use and business use. So I'm not quite sure how they're going to address those issues.”
African governments and civil society groups are already deep in other debates about privacy on WhatsApp that go far past business usage. The secure-from-prying-eyes messaging that has made the platform a boon for political dissidents and journalists has also made it a target of repressive regimes, who block or hack it. Meanwhile, the fact that those outside a WhatsApp group cannot monitor its conversation also has allowed hate speech and misinformation to spread easily.
A Perfect Match
In February, WhatsApp – already the world’s most popular messaging app – topped 2 billion users. The platform is particularly ubiquitous in the Global South, especially in countries with unreliable internet and low average incomes.
WhatsApp boasts features that make it essential in these regions. The app adjusts to spotty internet service by sending messages as soon as the signal returns. It works on inexpensive feature phones, which have more limited capabilities than smartphones. It can transmit anything from photos to videos to documents to spreadsheets. It allows people to communicate between countries for free – which is important in regions where family ties often cross borders. It lets people send audio messages — key in countries with high illiteracy rates. And it’s simple: you only need to know a contact’s mobile phone number.
This ease and flexibility of use makes WhatsApp the most popular messaging app in the majority of African countries, as measured by We Are Social and Hootsuite. And that boom comes on a continent where the same research shows overall social media use grew 12 percent in the nine months from April 2019 to January 2020.
“If I'm to take a farmer from the most rural part of Ghana and put him on a platform where I know he can effectively communicate with anyone in Ghana, that platform is WhatsApp,” says Ashwin Ravichandran, the managing director of Accra-based MEST Africa, a pan-African tech incubator and seed fund. He says it has made it easier for businesses to reach customers like these far from urban centers.
People use WhatsApp to chat and send memes, but also to dispute a bill with their electric company or book an appointment with a hairdresser. It has become a default method of office communication as well, carrying everything from watercooler-gossip to major planning decisions.
“It's almost like people make decisions on WhatsApp and then formalize them on email,” says Grace Mutung’u, who works on policy and legal advocacy at the Kenya ICT Action Network, or KICTANet, a digital rights advocacy group.
Multinational companies based in the U.S. or Europe also find WhatsApp to be a much more efficient way of communicating with African subsidiaries and clients.
“It's extremely difficult to keep communication lines open with Africa,” says Solange Domaye, the general director of Afric, an Amsterdam-based association of European businesses that do work in Africa. She says many of the organization’s members opt for WhatsApp texts and phone calls over email when communicating with African partners.
“You can't keep on calling with normal lines,” she says. “It's a relief that we can just put people on WhatsApp groups.”
Europe Chimes In
Facebook already faces investigations in Europe related to whether WhatsApp has violated the General Data Protection Regulation, or GDPR. How does the platform process personal data? Does the company adequately inform users about how data is shared?
Daragh O’Brien, managing director of Dublin-based data privacy consultancy Castlebridge, identifies two major stumbling blocks for WhatsApp in Europe. First, the platform exposes users’ phone numbers in chat groups. Second, the app collects and stores its users’ contacts lists.
O’Brien says it is a far-from-trivial amount of information. “That builds a very rich metadata map of you, your personal and social network, and who you're interacting with,” he observes.
If WhatsApp in its present form is violating GDPR, that also means companies using the platform are in violation as well. Some companies and organizations in Europe are abandoning the app out of fear of breaching GDPR rules.
German auto parts maker Continental AG has banned its employees from using both WhatsApp and Snapchat on company-issued phones. In January, Ireland’s association of amateur sporting clubs, the Gaelic Athletic Association, banned its members from using WhatsApp, which had been a major way that clubs communicated. Both cited GDPR for the decision.
African governments and civil society groups are already deep in other debates about privacy on WhatsApp that go far past business usage.
Facebook Inc. did not respond to requests for comment for this story. The company has maintained that WhatsApp is GDPR-compliant. It also emphasizes the privacy provided by the platform’s end-to-end encryption, which means messages are only stored on the phones of the recipient and the sender.
“For even more protection, we work with top security experts, employ industry leading technology to stop misuse as well as provide controls and ways to report issues — without sacrificing privacy,” Facebook said about WhatsApp in a recent statement.
The subsidiaries of Europe-based companies in other parts of the world already must abide by GDPR rules. So European companies could be forced to block the tool’s use with their African subsidiaries or clients.
Before 2018, Facebook covered all its users outside the U.S. under terms of service set by the company’s international headquarters in Dublin. But shortly before GDPR came into force, Facebook changed that policy, and said its 1.5 billion users outside Europe would now be covered by the less-restrictive U.S. privacy laws.
The new African laws – which are closely modeled on EU laws and share key privacy provisions with them – might re-open this privacy question for Facebook across an entire continent.
Revolution and Repression
WhatsApp’s strong encryption – unlike many other popular platforms, including Facebook’s own Messenger – has sparked raging debates at the other end of the spectrum in Africa and elsewhere: How private should secure-from-prying-eyes encrypted messages actually be?
While encryption wasn’t the main reason for the rise of WhatsApp in Africa, the widespread adoption of an encrypted platform means that in Africa — in contrast to the U.S. – the actual content of people’s texted conversations is less hackable and harder to monitor.
Over the past decade, this strong encryption has been a gift to political dissidents, human rights activists and journalists in countries with repressive regimes. Having an account on WhatsApp doesn’t flag a person as suspicious. Simply deleting a message from a phone erases its record. Activists have used WhatsApp to organize in countries ranging from Syria to Rwanda.
That sense of protection fell away last year, when it was revealed that an Israeli company helped a number of governments use spyware to hack the WhatsApp messages of activists and journalists.
Facebook says it has fixed the vulnerability, but the idea of WhatsApp as a “safe” tool has been tarnished. Paris-based digital rights organization Internet Sans Frontières says it has received a report of at least one dissident having their WhatsApp account hacked well after the fix was released.
Africa is a new battleground for attempts to balance these desires to protect privacy, foster business and prevent the spread of false or hateful content on WhatsApp.
The strength of WhatsApp encryption has raised concerns in the opposite direction as well. Many civil society groups have turned their focus to finding a way to let in just enough sunlight into WhatsApp to tackle the rampant spread of hate speech and disinformation among its users.
In recent years, viral posts on the platform have sparked mob violence in countries including Mexico, Sri Lanka and India – where the attacks have been dubbed “WhatsApp lynchings.”
In South Africa last year, a wave of anti-immigrant violence was linked to the wide circulation of a “pamphlet” on social media that urged South Africans to chase out foreigners. Mobs attacked multiple foreign-owned businesses, killing more than 10 people in the span of a few weeks.
In the middle of that crisis, graphic videos that purportedly showed the violence went viral on WhatsApp in South Africa and other African countries. The videos turned out to be months-old footage, some of it from as far away as India.
Such stories also spread on platforms like Facebook and Twitter, but the closed nature of WhatsApp means there’s no public component to the conversation. Messages can be forwarded only as posts to individuals or private groups. Information still gets shared with a large number of people, but only those inside the groups can see it.
Spreading hate speech without attracting the notice of outsiders is “quite easy, given the various languages you can use on WhatsApp, given the ways in which you can keep your information private and target certain populations,” says Anamitra Deb, who works on issues around encrypted messaging as senior director of beneficial technology at Omidyar Network, the philanthropic investment firm started by eBay’s founder.
This spread of information in a silo has made it harder to debunk false reports circulating before elections – a particularly volatile time. Ahead of Nigerian elections last year, President Muhammadu Buhari felt the need to publicly deny a story circulating on WhatsApp and other social media that he had died and been replaced by an impersonator.
Falsified news reports are a global phenomenon, but research by a Fletcher School team (including Chakravorti) suggests people in the developing world have a higher willingness to trust online content. These citizens also usually get more of their news from social media platforms and have access to fewer sources of independent reporting.
Companies, governments and activists all want to find a way to halt the spread of dangerous posts. The conflict is over how to do so.
Many African governments regularly resort to the bluntest tool possible: shutting down social media apps or the internet as a whole. In 2019, there were at least 25 incidents of African governments instituting some sort of shut down – up 47 percent from the previous year, according to AccessNow, a New York-based digital rights advocacy group. Chad cut access to all social media platforms for 472 days between 2018 and 2019.
And there are, of course, questions about the true motivation behind these shutdowns. Some of the same governments that shut off internet service are those that were found to have hacked the accounts of dissidents or human rights activists.
Facebook has taken some steps to address this issue. In early 2019, WhatsApp capped the number of times any one user can forward a message to five. That includes messages to groups — limited to 256 members — so one user could theoretically forward a message to a bit more than 1,000 people.
Omidyar’s Deb wants Facebook to do much more. For example, he says, it could use the metadata it collects – including the same sort of information that is under investigation in the European Union – to flag these viral posts and introduce other ways to slow their progress.
This spread of information in a silo has made it harder to debunk false reports circulating before elections – a particularly volatile time.
“WhatsApp actually collects a ton of metadata and they know a ton about how information goes viral,” Deb says. “You can look at who's spreading the information. You can look at how quickly it spreads.”
At the moment, the effort that appears to have gained the most traction is having users forward suspicious messages for voluntary factchecking by independent organizations. Facebook has been backing some of these efforts.
Getting the Message
The need to address those more immediate issues of dangerous viral content has often put concerns about personal data metrics lower on the priority list for African countries.
But these positions are slowly changing, and the wave of digital privacy laws is an indicator of the seriousness with which countries are now considering the issue.
Laws around digital privacy have been adopted by more than 20 countries, mostly those with the most developed technology ecosystems. As in the case of Europe’s GDPR, many provisions are based on the idea that people should have control over their data and who can use it.
Many laws, like the Kenyan legislation, are still in the process of being implemented. In other countries like Ghana and Morocco, data commissions are already issuing fines.
“There is a progressive change that is happening,” says Julie Owono, the executive director of Internet Sans Frontières. “And that's not because of the GDPR itself. It's because of organizations on the ground who are sensitive to the message that the GDPR is bringing.” She says groups that work in the technology sector in multiple African countries have been pushing for these sorts of protections for years.
But even supporters of the digital privacy laws worry that they could become just another tool to legitimize crackdowns on political opponents or activists.
“If I'm to take a farmer from the most rural part of Ghana and put him on a platform where I know he can effectively communicate with anyone in Ghana, that platform is WhatsApp.”
As in Europe, the Kenyan law provides an exemption for law enforcement investigations. But there's a history of Kenyan police pushing the limits of their authority. Owono and others in the digital rights space are concerned about how the law will be used.
“Everybody is a bit apprehensive about the motive of the government,” Owono says.
Kenyan officials say that their first priority is making sure that citizen data stays secure as they implement their new national identification system – a program that has raised controversy because of the extent of data it will centralize in one system.
Even if businesses are not the first priority, those working in the technology sector already feel pressed for time to comply with requirements. Owono is working with small businesses, some as small as one owner-operator, to get them up to speed.
“They will have to quickly learn, and learn very fast, what data protection is,” she says.
Mutung’u, of Kenya’s KICTANet, says while it is unlikely the government would put small businesses on the top of its priority list, there is risk if a powerful person has an issue with a particular company, or if complaints start popping up in public forums.
Will Kenyan regulations raise issues about the use of WhatsApp in that country? Government spokesman Cyrus Oguna said large multinational companies like Facebook were not a concern because they already have privacy protection policies in place.
“I trust that these companies have already had some level of framework that ensures that they don't necessarily give out data without authorization of the owner of such data,” Oguna says.
Yet assumptions like these are the problem, says Isaac Rutenberg, director of the Center for Intellectual Property and Information Technology Law at Kenya’s Strathmore Law School in Nairobi.
“People have this perception that because it's encrypted, the data protection law wouldn't apply and/or because it's a foreign-owned company, the data protection act wouldn't apply. Of course, none of those are true,” Rutenberg says.
Heidi Vogt is a freelance journalist based in Washington, DC. She spent six years reporting in Africa for The Associated Press and The Wall Street Journal, including three years based in Nairobi.
Cover image by Ink Drop vis Shutterstock.