Unwanted Witness Uganda, a civil society organization, has today released a detailed report exposing Uganda’s leading motorbike ride-sharing company, SafeBoda, for sharing users’ data with third parties without their permission. The company, which operates in Uganda, Kenya, and Nigeria, was reportedly giving out clients’ personal data to other companies without their knowledge or permission as required. In Uganda, this is contrary to Section 7 of the Data Protection and Privacy Act, thus exposing the company to legal battles and raising questions about trust and transparency.
The detailed research compared SafeBoda’s privacy policy with its actual practice, and a number of discrepancies were identified. Between October 2019 and March 2020, Unwanted Witness carried out a technological analysis of the Safeboda app and discovered that the app was sharing data with Facebook without the consent of its users.
The reports indicated that the app used a Facebook business tool known as a Software Development Kit (SDK). Through this SDK, Facebook routinely collected information on Safeboda’s clients via the Safeboda app. The SDK is a set of development tools that helps developers to build apps for a specific operating system; it allows developers to integrate their apps with Facebook’s platform and contains a number of other components such as analytics, Ads, login, Account Kit, Share, Graph API, App Events and App Links.
The SDK collected information on Safeboda users and sent it to Facebook servers, regardless of whether they were Facebook users or not; this meant that even if the user didn’t have the Facebook app installed on their phone or a Facebook account, the Safeboda app would still send data to Facebook.
Safeboda resolves Facebook tracking but adds another tracker
Unwanted Witness Uganda wrote a letter to Safeboda asking for clarification. The company removed Facebook trackers from its application. Although Safeboda removed Facebook trackers, it added two new trackers: CleverTap and Amplitude.
The report explained that this means that every time a user opens the Safeboda app, it still sends the user’s data to third parties like CleverTap without user consent as soon as the app is launched. CleverTap, formerly known as WizRocket, is a Software as a Service-based customer lifecycle management and mobile marketing company headquartered in Mountain View, California.
Before this report was published, Unwanted Witness Uganda submitted its new findings to Safeboda, and this was the response from the Chief Financial Officer on the use of CleverTap:
“I have spoken to the tech team about our use of Clevertap. Clevertap is an analytics tool that is used for tracking marketing communication and identifying product issues. It does not have the right to use that data for any purposes and as such is akin to the storage of data on AWS or any other storage/analytics tool. If you believe that it would be appropriate then we can amend our Customer Terms of Use that some data is stored on servers operated by third party data processors. The Data policies already make reference to ‘third-party data processors’.”
It is clear that Safeboda never denied the fact that it uses CleverTap Tracker in its application and the Privacy Policy does indicate that third parties may be given access to the data for analytics purposes.
Unwanted Witness Uganda made the following recommendations to Safeboda on how it can improve and be more transparent:
- Safeboda was advised to offer users a genuine choice to consent to the processing of their data for marketing and analytics purposes, including via third parties like CleverTap that may act as processors. Bundling consent negates users’ choice.
- The privacy policy should show the date it was last modified to allow individuals to track any changes made by the company.
- The final recommendation to Safeboda was to exhaustively specify, in its privacy policy, the third parties and the exact personal data it shares with them.