When the FinFisher suite of spy software first came to light in Uganda after activists were targeted with it between 2011 and 2013, the find threw a spotlight on how biometrics typically act as a foundational infrastructure for mainstreaming digital surveillance. It was at the backend of 2011–in December—when an order was placed to Gamma International GmbH for the malware.
The Chieftaincy of Military Intelligence (CMI), the intelligence arm of Uganda’s army that has since rebranded to the Defence Intelligence and Security (DIS), swiftly made the purchase. That same month, four Ugandans tasked with military intelligence gathering in the country travelled to Germany where they learnt the ropes of what at any rate was and still is a sophisticated surveillance software suite.
After gaining a mastery of the spyware, a surveillance operation dubbed “Fungua Macho” (Swahili for “open your eyes”) was born. During the next couple of years, malware deployment would culminate in fake Wi-Fi access points popping up at hotels in Kampala, Uganda’s capital, and other major towns to intercept communications and infect computers. The software suite, also known as FinSpy, was doing what it has since gained widespread notoriety for—acting as a live surveillance tool to monitor targets.
With Uganda in the grip of the walk-to-work protests, following the inflationary pressures that came after an expensive electioneering period before the 2011 poll, there was no shortage of targets. The main agency for domestic counterintelligence and covert activities in the country, unsurprisingly, made Dr. Kizza Besigye, the opposition leader, a focal point person. The CMI, per Privacy International, used spyware infiltration to monitor Dr. Besigye’s calls, messages, and locations without his knowledge.
There was a grim determination to take the sting out of the walk to work protests that had been emboldened by the resounding success of the Arab Spring. Keen not to be caught flat footed, and ultimately reproduce an embarrassing spectacle similar to what the intelligence in Arab countries like Egypt and Tunisia contended with, the CMI sought to make the most of FinFisher’s intrusive capabilities. This included: live webcam and microphone surveillance of gadgets belonging to walk-to-work activists; keylogging and credential capture; live remote access; target identification; and mobile tracking.
All things biometrics
Biometrics were central to the malware abuse in question. They were essentially used as an intrusive, live surveillance tool to monitor activists like Dr. Besigye, rather than for authenticating the user of the infected device. By the time the walk-to-work protests grabbed by the root, Uganda’s cache of biometrics was not nearly as expansive as state actors assumed, but also not nearly as shallow as critics that mockingly reference the country’s twentieth century mindset presumed. It had been a decade since collection of biometric data was first introduced in the country. This was courtesy of the Photographic Voter Registration and Identification Systems (PVRIS) project.
The PVRIS project was, by any measure, a modest effort. Using a paper-based registration form, biometrics of voters were captured. More was to come. The architecture firmed up in 2016, following the adoption of the Biometric Voter Verification System (BVVS) with fingerprints, found more intrusive purpose when mass registration for biometric national identity cards was launched. That was in 2014. The irony was not lost on many that barely a couple of years after officials in the top echelons of CMI took a crash course in FinFisher, under the auspices of Gamma International GmbH, Uganda paid German company Mühlbauer ID Services GmbH EUR 64 million to run point on the biometric national identity cards (ID).
Even before this, with the aid of laws such as the Regulation of Interception of Communications Act (RICA), introduced in 2010, the Government of Uganda (GoU) was able to use intermediaries such as telcos and Internet Service Providers (ISPs) to enable real-time tracking of its citizens. The national biometric ID programme and mandatory SIM card registration only served to create what observers call a “unified database.” This has facilitated the digital surveillance of political critics, with a well calibrated mix of social media monitoring and biometric data climaxing in some high-profile arrests.
It was not until 2019 that Uganda enacted the Data Protection and Privacy Act. The legislation, much like the accompanying Data Protection and Privacy Regulations, 2021, is said to have weak safeguards, despite, or in fact because, it purports to regulate how public and private entities collect, process, use, and store personal data, enforced by the Personal Data Protection Office (PDPO). The powerlessness, when descriptive terms—couched in vagueness and ambiguities such as national security and public interest—are used, is there for all to see. It certainly has not been lost upon observers that view Biometric Digital Identity (BDI) programmes with a deep apprehension that suggests a level of disdain.
East African picture
If the lens is to be broadened, with a zoom out capturing East Africa, it can be surmised that what BDIs have achieved is a victory, but no triumph. An articulation of their merits was there to lose—and they almost did. Despite BDIs being a prerequisite for mundane practices such as opening a bank account as well as processing or renewing driving licenses or travel documents, they are deemed to fall short of proportionality principles grounded in human rights. Uganda’s Registration of Persons Act (ROPA), 2015 has got a bad rap amidst claims of state-facilitated mass surveillance, exclusion, data breaches, and identity theft.
Kenya’s Registration of Persons Act (RPA), which was amended in 2019 to establish the National Integrated Identity Management System (NIIMS) has become the object of withering criticism. The NIIMS has kept running into one speed bump after another after being framed as the foundational base upon which Kenyans would receive a unique identity number christened Huduma Namba (“service number” in Swahili). Human rights defenders (HRDs) in the country contend that the Huduma Namba prioritises security over data privacy.
“In one court case of January 2020 (Government of Kenya 2020), The High Court found that the collection of DNA and GPS for the NIIMS database was unjustified and ordered the government to adopt an appropriate and comprehensive regulatory framework for the implementation of NIIMS,” Melody Musoni, Innate Domingo and Elvish Ogah write in a discussion paper entitled Digital ID Systems in Africa: Challenges, Risks and Opportunities.
“In another court case of October 2021, (Government of Kenya 2021), The High Court found that the KDPA applied retrospectively as it is a law which gives effect to the constitutional right to privacy,” the discussion paper adds.
The KDPA or Kenyan Data Protection Act sets the ground rules insofar as the process of Kenya developing its own national ID system is concerned. It, for one, establishes the Office of the Data Protection Commissioner (ODPC), with Section 31 of the legislation mandating that a Data Protection Impact Assessment (DPIA) be conducted before rolling out an e-ID system.
Consequently, as of early 2026, the Kenyan government supplanted the Huduma Namba project or NIIMS with a new digital identity initiative (i.e. Maisha Namba or “lifetime number” in Swahili). Databases from civil registration and national registration have been integrated to create a Unique Personal Identifier (UPI). But it remains to be seen if a fiendish puzzle which Kenyans have been presented with for what seems like eternity will be solved. While Kenya has a long, if troubled, history of issuing ID documents, with the British colonial state introducing the kipande in 1915, its reinforcement of racial and power dynamics that have scarred the country cannot be wished away.
This brings to the fore an existential malaise and crystallises fears of the ruling elite weaponising BDIs much like the British did during the colonial era. Similar fears over weaponisation of BDIs exist in Tanzania where a national digital ID system, the Jamii Namba (Swahili for “community number”), has perpetually tried to find another gear. The National Identification Authority (NIDA), working with the Personal Data Protection Act (2022), has with modest success failed to assuage fears.