In 2013, reports surfaced about FinFisher (FinSpy), an invasive spyware tool developed by the Anglo-German company Gamma International for surveillance purposes. The system was later hacked, leading to a leak of its customer data, which showed Kenya’s NIS as a client 🧵

FinFisher had the capability to record Skype calls, steal social media log in credentials, and remotely activate a device’s webcam & microphone to capture conversations. The spyware was reportedly used to target human rights defenders in countries like Bahrain, Ethiopia, & UAE.

While surveillance has played a role in preventing terrorist activities in Kenya over the past decade, it has also created opportunities for abuse, enabling the targeting of activists, bloggers, journalists, and members of the political opposition. #InvisibleEyes

Rose Tunguru (@rtunguru) is a software developer based in Nairobi. Using her programming skills, she built a platform that enabled Kenyans to participate in the public debate surrounding the 2025 Finance Bill.

Her work, however, led to her arrest on May 30th while attending a professional event at @BarazaLab in Industrial Area.
Without asking for directions, the police drove straight to Njeri’s house after her request to pick up her child, though they never went to the child’s school.

In an interview with @CitizenTV on June 4th, 2025, Rose recounted that the officers told her they already knew where she lived and proceeded to lead her there. She reported noticing unusual spam messages on her phone from a popular digital lender just hours before her arrest.

According to cybersecurity expert Tyrus Kamau @tyrus_, the police may have exploited social engineering, using the fact that many young Kenyans receive calls from digital lenders as a potential vector to track her.

Another method allegedly used in state surveillance involves backdoor access facilitated by telecommunication companies. According to investigative journalist Namir Shabibi @nshabibi, who uncovered the links between state surveillance in Kenya and telecom operators,

the police and intelligence services have reportedly had access to the @Safaricom network and its headquarters since 2012. #InvisibleEyes

Namir noted that a law enforcement liaison office was established within @SafaricomPLC, a move that, on the surface, appeared to be within the law. However, through interviews with officers working in that department and others connected to it,

Shabibi discovered that these officials routinely accessed data belonging to Safaricom subscribers without court orders or judicial warrants, granting them unchecked access to sensitive data

As of 2024, @SafaricomPLC had 44.67 million customers across Kenya, essentially covering nearly every adult in the country. Every interaction with the network generates a data point, which Safaricom collects.

Each of these points, recorded in a Call Data Record (CDR), includes information such as the specific cell tower (mast) a user is connected to at any given time. #InvisibleEyes

When we ran a poll asking our audience whether they felt surveilled, an overwhelming majority expressed concern that their online activities and personal data were not safe.
Most believed that their phones or social media accounts were being monitored. #InvisibleEyes