Taxing Innovation: Wehdone Africa

First of all, I feel like I would be a prodigal African if I don’t clearly state that Africa is not a country. So guys, Africa is not a country. It’s a continent in which 54 recognised states exist and it accounts for 16% of this world’s population. It’s also the world’s second largest and second most populous continent. Thanks.

 

Sometimes, however, I can understand when some people (save from colonisers and those who are just being ridiculous), regard the continent as a country.  This is because there’s a lot of copying going round this continent that’s making us look alike. And you know, if it was good copying, I wouldn’t mind. But it just seems like it’s cooler for some African nations to copy weird and unreasonable things from their brother/sister nations. It bothers me. What with self-sabotaging, non-visionary moves against the future of the nation, unbelievable corrupt practices, old and aged mortals retaining power for as long as their ragged breath will allow – I mean, Equatorial Guinea has the world’s longest serving president, Teodoro Obiang Nguema, followed by Cameroun, the republic of Congo, and you have Uganda and Chad on that list as well.  

 

Anyway, my point is that  there’s always something weird to copy and this article is focusing on the latest trend skipping through Africa – the taxation of OTT services and social media.

 

I will assume you know what social media is, but OTT services can sound strange so I’ll explain. OTT simply stands for Over-the-Top, and so OTT services are services provided via the internet, and over traditional networks. It therefore means that consumers (you) can take advantage of these services without having to subscribe to traditional cable or satellite. We have tons of examples like the calls you make via skype or WhatsApp; the texts you can now send via Facebook; the movies you can now watch on NetFlix, and so on.

 

Yes, surely, if you were running an MTN or an AIT, you’d be scared a little bit. You’d ask yourself, ‘Gosh! Who are these technology people coming to disrupt my work and take all my money?’ but then, because you’re reasonable, what will you do? You’ll purpose in your heart to compete and  leverage on this new tech. You’ll understand that this is business – disrupt or die. You’ll understand that the OTT people are only building on your existing framework and so it means you’re not  that useless. You might even venture into OTT services as well in order to meet your consumers on both ends. You can invest or partner with your OTT competitors maybe? If you’re an ISP, you may strengthen your broadband and focus your energy on providing the best internet services (80/20 principle, shebi?). You can offer consultation to these tech people on the “psychology of the market” (or any other fake deep marketer thing). My point is that, what you and your government don’t do is what these African countries have done:

 

a. Uganda: Uganda was our leader-man. The government of Uganda formulated a policy which took off from the 1st of July 2018. The policy provides that subscribers in Uganda will have to pay an excise duty Ugx 200 ($0.053, N20) per day, to use OTT services. The President had earlier mentioned that he hated how Ugandans use social media for gossiping. He noted that he will not tax internet use for education or research, but he will tax the use of the internet for gossiping – and in the width of his knowledge, only gossiping is done on social media. Hence, while you might not need to pay a tax to browse Wikipedia, you will need to pay one in order to open your twitter. This is all levels of funny, but I’m not even laughing. I spoke to some Ugandan colleagues about how this works and here’s it: You click on your twitter icon to do some gossiping (per usual), but you can’t gain access into the application. A pop-up will show up telling you to pay your tax, and until you pay it, you cannot access social media in Uganda. According to President Museveni, “… we need resources to cope with the consequences of their lugambo (gossip),” Over 50 apps are affected including, Instagram, Telegram, WhatsApp, Twitter, Skype. Some organizations have however sued the Ugandan government  in its constitutional court.

 

b. Zambia: A month after this, Zambia followed by taxing its residents a 30 Ngwe ($0.1, N36) levy on internet calls over platforms like WhatsApp, Skype and Viber. According to their president, Edger Lungu, the new tariff was designed to protect the telecommunications industry and jobs in such companies, following the ‘rise in the use of internet phone calls at the expense of traditional phone calls.’ (awww. So kind and thoughtful! *sniffs* ugh!)

 

c. Benin Republic: So Benin Republic, in August, too was like, ‘Wait! You guys are having all this fun without me. I hate you!’ And so in late August, it decided to tax its citizens for accessing the internet and social media. It proposed a 5CFA Francs ($0.008, N3.17) per megabyte tax on Facebook, WhatsApp and Twitter.  But the citizens of Benin Republic are sharp and they were like, ‘Yo! We’re not even mad, but you are!’ And so they started this campaign on the same social media (touché) with the hashtag, #TaxePaMesMo (meaning, “Don’t tax my megabytes”). They are cool.  The tax went into force mid-september, but three days after, it was repealed by the government. Yay for the people!

 

d. Perhaps, Nigeria?: Well we aren’t there yet, but it looks like its streaming (pun intended) down to us. I have been seeing some strategic news articles, and press statements by Telcos and Telco representatives in Nigeria, nagging about how OTT services are killing them – basically pity stories. And this article says that we are witnessing the “umpteenth time” telecommunications operators in Nigeria have registered their displeasure with the activities of OTT services in the industry.

I mean, The Chairman of the Association of Licensed Telecoms Operators of Nigeria (ALTON) said, “…social network operators do not invest in infrastructure, but ride on the infrastructure of MNOs to provide free services to customers at the detriment of MNOs who have invested so much to build their infrastructure and are still investing in the maintenance of such telecoms infrastructure.

 

I have also seen a similar kind of article in the Zimbabwe press on how OTT services are cutting mobile revenue. So maybe we should be expecting news from these quarters soonest?

 

Are telcos really making a loss as a result of OTT? Uh, yes. But is this the best way to tackle this. Uh, no. We should embrace innovation and the development of technology, and not stifle it. Don’t make consumers pay for the shift in business models. It’s ironic, really, because these services are evolving to cater to the consumers and yet the government is bent on them suffering for it. These policies are widening the digital divide in Africa which is already too wide for the 21st century.


But what I do know?

Oh. And just as side gist. Did you hear what also happened in Tanzania? In March 2018, their government ordered that all Bloggers, Vloggers, Podcasters, Online radio personalities and other online forum owners must register with the government and pay about $900 (N327,150.00) for a licence and are also obligated to pay some annual fees.  My friend, Sarah, suggested that everyone affected by this should also charge fees for readership – since everybody wants to be mad.

 

Whew! Mama Africa!

 

Piggy, Bank?

I like to think of myself as one of the early adopters of PiggyBank. I remember two distinct thoughts in my head the very first time I read about it. The first was ‘this is pretty super awesome’ and the second was, ‘Wait. what is the legal/regulatory position of such a solution?

 

The second thought was largely informed by my oddly vivid recollection of a section in the Banks and Other Financial Institutions Act (BOFIA) which says, ‘No person other than a bank or any other person authorised to take deposits shall  issue any advertisement inviting the public to deposit money with it.’

 

I ‘penned’ this thought in my ‘thought spreadsheet’ and moved on. And by ‘moved on’, I mean, I opened an account with PiggyBank and instantly started saving with and evangelising it. But not for once, did this second question leave my mind. It kept gnawing at me and requesting for an answer.

 

Recently, I revisited my thought spreadsheet and picked this one up. First thing was to check the BOFIA for real this time.

Here’s the gist of relevant sections in the BOFIA: no one is allowed to carry on banking business unless with a license (issued by the CBN). And to clarify, the Act defines banking business as, “the business of receiving deposits or current account, savings  account or other similar account…”

 

(At this point, I’ll like to pause and say that this has nothing to do with PiggyBank as a brand; but with the set of solutions it offers – “microsavings”. And bearing that in mind, it also means that a solution like CowryWise is fully envisaged under this article as well, as it equally provides same solutions as PiggyBank. I’ll try to alternate between both companies, but I may use PiggyBank more often because I’m more familiar with it).

 

Now, the provisions of the BOFIA made me think (perhaps, too much) about the word ‘deposit’ as it is  a specifically significant feature of PiggyBank and CowryWise; perhaps the only feature that allows us connect these solutions to the banking business. I didn’t have to go too far to understand what the lawmakers meant by “deposit” though because the Interpretation section of the BOFIA defines it to mean money lodged with any person whether or not for the purpose of any  interest or dividend and whether or not such money is repayable upon demand upon a  given period of notice or upon a fixed date” (emphasis, mine)

 

From the foregoing, I made my conclusion that the company may be said to be functioning as a bank/conducting banking business, and hence would need a license, so naturally, I waltzed to the CBN site to see whether it has a list of its licensees. It does, but I wrongly focused on this list of financial institutions in Nigeria looking for a ‘PiggyTech Global Limited RC: 1405222’ because I had stalked them reach CAC public search. But there was nothing there. So I went to the PiggyBank site thinking ‘surely, there must be some form of documentation on this- terms of use, privacy policy… something must give.’ And I finally found the answer! Yippeee!

 

My answer was neatly wrapped in their FAQ, and it basically explained that since inception in 2016,  they have shared banking licenses with 2 Micro Finance Banks, but recently, they acquired (like bosses) a Microfinance bank and its license. So that makes a lot of sense actually. PiggyBank will simply operate as a ‘product’ of the licensed bank and would not be in anyway breaking our banking laws. Check out (not-so-) deets on the acquired bank; Gold Microfinance Bank ltd

 

While I was pretty relieved at their compliance and legal adeptness, I wished it were way simpler for them. I think it isn’t a bad time it’s a good time for financial regulation in Nigeria to actively and proactively consider FinTech startups and their special-ness.

 

So, let’s say a FinTech startup (say, some innovative local money transfer solution for indigents) requires a banking license to carry out its duties. Do you know that the smallest paid up capital required is about N20Million(for a Unit MFB).

 

LOL. That is deep, plis. And also not very encouraging for  innovation.

 

PiggyBank is doing well from the look of things.  I mean, it’s promoting the personal savings culture of Nigerians, it raised a seed funding of $1.1Million recently, and you can actually follow its organic growth overtime. If that’s not helping the economy, I don’t know what is. But it couldn’t possibly start up on its own because… N20Million.  

 

God knows…that I know… that regulation is super important especially for things involving other people’s money. I mean, the financial sector is one of the heavily regulated – and for good reasons. But it’s also one of those sectors that would do so so so so much better with modern technology (and more hands?). Hence, I’ll encourage the Nigerian government to find a way to incentivize FinTech startups; encourage innovation and do away with over-regulation for them. For instance, you don’t want to demand the MOST; just enough to ensure that customers are protected. The legislature should also pitch in and make their contribution, but I believe that the CBN would bear a large part of the burden to develop favorable and forward-thinking regulations in this fast-paced times (P.S. Take a dizzy pill, it’s only going to get faster).

 

Anyway, so that y’all won’t say I didn’t do anything but criticize, here are some wise quotable quotes from ME that every government regulator may print and paste in their offices as a sort of encouragement:

“To regulate is good. To stifle is bad.”  – Adeboro(2018)

 

“Innovation is the source of our running ocean. Plug it and we all, die, float and stink” – Adeboro (2018)

 

“Again, Innovation is the source of our running ocean. Let’s make waves while the sun shines” – Adeboro (2018)

 

“Confuse not technology with electricity. You’d be shocked that you may actually embrace it” – Adeboro (2018)

 

                        ~yooooo I’m so wise and witty and full of puns. thanks~

Anyway. If after all my sweat and blood, the government is like ‘LOL. No thanks, child. We’re set on our archaical perspectives’, well, hello…venture capitalists and investors and funders, I have something to tell y’all! I promise, just two minutes of your read….

What WILL You Do About Your Digital Assets?

Death is a certain inevitability. And yes, I know that is tautology but, instead, think of it as ‘emphasis’. After living, we leave… or the world ends. Either way, no one is going to be around forever. The topic of Wills and Final Testaments sits one or two ways with people. For some (especially we Africans), the act of writing a will is seen as an invitation to sudden death via sudden accident, food poisoning, cardiac arrest and so on and so forth. For others, the topic of writing a Will is regarded in a nonchalant manner especially if said regarder is young and has no property to boast of.

 

But Wills are important and might be the difference between the well being of one’s dependents and their hustle, especially if the deceased was a caretaker. Even if the deceased was taking care of no one before he/she died, a property bequeathed to a person by a dead person can be a communication of love, or pass a much needed message.
There is a point to be made in encouraging young people to write their Will. First, it helps you create an awareness of the necessity to make arrangements for everything you’re working for / things that matter to you and how they’ll go to people who matter to you, in the event that you (inevitably) die. Secondly (and I may be wrong), but there’s something about being able to see your assets and liabilities at a glance. Maybe it propels you to work smarter, maybe it guides you on what to do, but it definitely helps for some needful reflection.

 

Generally, if you’re 18 years and above, you can make a Will. It doesn’t matter that you’re blind or deaf or disabled. Just have a sound mind and be an adult according to law.

There are modalities which the concept of Will-making is encumbered with (and I say ‘encumbered’ in an exaggerated way as it’s not such a difficult thing to make. It’s like Noodles; get the principles right and it’s a thumbs-up!)

Anyway, this article is not really about all of that but about the contemplation of Digital Assets as property to be bequeathed in a Will.

 

What is an Asset?

An asset is any valuable thing belonging to a person. It can be tangible or intangible. Tangible assets are things such as buildings, machinery, lands, vehicles, laptops and so on. While intangible assets are non-physical; like copyright, goodwill, brand recognition and so on.

 

What are Digital Assets?

Simply put, a digital asset is any digital file, digital content, digital account, digital license which you own/have the right to use.

I’ll give examples to help you paint a good picture:

Bitcoin, Your social media accounts (Facebook, Twitter), Your OkadaBooks Account (maybe funded, maybe stocked with books), Your Kindle Library, Your Apple Music Account, Travel Miles, Your email account, your emails, domain names, logos, presentations, spreadsheets, Internet subscription, your gaming accounts, and so on.

However, whether or not AND how these can be passed down to another in your Will is subjective to both national laws on Wills and  platform-specific rules.

For Instance, Facebook has options for what will happen to your account in the event of your death. It provides that you may either choose to appoint a legacy contact to look after your memorialized account or have your account permanently deleted from Facebook.

Google also has an option for an  inactive account manager.

Furthermore, the laws regarding the transferability of these assets are not very clear in many parts of the world including Nigeria.

However, here’s my 2 Kobo on what you can do with your digital assets

  1. Make a list of all the Digital Assets you believe you have. Don’t laugh at yourself or think they are ridiculous. Just do it.
  2. Do a research on each one to see if the digital platforms which support them already make provisions for transfer upon death (re: Google, Facebook…)
  3. If satisfied with these provisions, then you should follow their instructions and reflect your wishes, both on the platform and on paper, in your Will.
  4. If not satisfied with what they have provided, then use a password manager or a digital asset manager to manage the accounts and/or the assets so that you can just pass that down by giving instruction to your executor to give access to whoever you want.

 

That’s my opinion on the matter. But while we’re at it, I really look forward (and would honestly love to contribute) to the development of the Nigerian laws of estates administration vis-à-vis Digital Assets.

Meanwhile, have you subscribed to this blog? 
No?

Please do! ( there’s a subscription box on the top right if you use a desktop/laptop. It’s just at the bottom of the page if you use a mobile device).

Merci

The Interesting Case of Femi Fani-Kayode and His Beloved Country

…a.k.a FRN v. Femi Fani-Kayode 2010 14 NWLR (pt. 1214)…

 

In 2008, the Retail DNA test kit was pushed into the market. It even won TIME’s Invention of the Year. In that same year, the Svalbard Global Seed Vault, entirely funded by the Norwegian government,  was finally completed to store/ preserve different native seed samples from across the world as a sort of insurance against seed loss.

While all these awesomeness was going on in the world, that same year in December, the Economic and Financial Crimes Commission (EFCC) arrested and took Mr. Femi Fani Kayode to the High Court. His offence? Money Laundering, but in like 47 different forms. When they read the charge to him, his reply was that he wasn’t guilty.

While this isn’t entirely important to this article, who is Femi Fani-Kayode and why on earth could he possibly have had a 47 count charge on him for Money Laundering???

Well FFK as he is known, is wikipedia-ed to be a Nigerian politician, an essayist, a poet and a lawyer. Let’s focus on the part we all know: Nigerian politician. He served as the Special Assistant to the Nigerian president from 2003 -2006 after which he was appointed as Minister of Culture and Tourism for a bit. Finally, from 2006 – 2007 he was the Minister of Aviation. So he was in government pretty much.

Anyway, flowing from this plea of not guilty, there had to be a proper trial. This trial would witness both sides (especially the prosecution) present evidence. The prosecution was also to convince the court beyond reasonable doubt that FFK really did what he was accused of.

In discharging this burden and in the course of trial, the prosecution invited its second witness, an officer of the First Inland Bank Plc to give evidence as to the statement of FFK’s account. And in the course of this evidence, they sought to tender a certified true copy of a computer generated statement of FFK’s account.

‘Objection, my Lord!’ / ‘My Lord, I’ll have to object to that!’ / ‘Haha! My Lord, I’m sure the prosecution is pulling the legs of this honorable court by seeking to tender that piece of paper. Learned counsel should know better’.

These are my imaginations of FFK’s lawyer’s reaction to this application by the prosecution.  The lawyer’s argument was basically this: that a computer generated statement of account is inadmissible.

Are you thinking: Wait what? How? Did FFK’s lawyer expect the prosecution to produce a handwritten statement of account?

Well, yes, maybe, kinda. And so did the judge, because after the argument before him, he said,

‘Based on all the above analysis, the objection… is hereby sustained. The computer print-out of the statement of account sought to be tendered is hereby rejected as being inadmissible and the said document should be marked tendered and rejected’

The judgement, though sounds weird, was only a product of the Evidence Act we had then.  Before the National Assembly envisaged that there would ever be anything useful stored in a computer system, there was no provision for same in the Evidence Act and so there wasn’t a clear category for what evidence gotten from a computer could be called. Primary? Secondary? If secondary then where’s the primary? If primary, how? why? 

Furthermore, the Evidence Act contained and contains rules guiding the admissibility of contents of Bankers’ books (e.g. statements of accounts). For these ones, secondary evidence is allowed – e.g. the Certified True Copy of the records. Hence, the contention of  FFK’s lawyer and the judge was basically that the computer generated record was not explicitly stated as a proper form of Banker’s book. Upon appeal, however, the Court of Appeal said that ‘The word ‘include’ used in the definition presupposes that there are other means of keeping records of the bank which have not being disclosed in the definition. [The responsibility of investigating the truth] cannot be abandoned simply because the enabling law has failed to name the medium upon which those facts are stated…’. The court further said that  ‘Computer printout are copies of bank record and [although they are not original, they have, in this case, been certified as required in the Evidence Act by an officer of the bank giving evidence].

 

Me reading the judgment:

That was a close one! The Court of Appeal deserves gbosas for that forward-thinking interpretation.

Anyway, the National Assembly has now (in 2011) enacted a new Evidence Act to expressly accommodate computer generated evidence (See Section 84). Although I have my reservations about it (which I NEVER EVER fail to express in presentations or common discussion), I still understand that it is, at least, a step forward.

But I’ll just quickly say (because I NEVER EVER fail to point this out): the provision is vague and too bogus abeg. I mean, computer use in Nigeria is less foreign than it’s a part of our culture. I think it’s ridiculous for the law to say that the source computer has to have regularly been receiving similar kind of information as that which is sought to be presented. I mean, what if the evidence I seek to produce from the computer was first of its kind on that computer? Does that make my evidence inadmissible? There’s also a funny requirement for a certificate that not many people, even lawyers and judges quite understand.

So yes, now our laws are embracing the reality of technology, but are they embracing them so tight as to stifle their development?

Selah!

 

_______

Please don’t forget to subscribe to get articles in your mail box as they are posted!

Internet Privacy, Hardware Security and some Rage

I’ve got a riddle for you:

What did frustration say when she saw this article published?

ʇsnqoɹ ʞool no⅄ ˙plᴉɥɔ pǝʌolǝq ʎW ¡H∀

(turn your device upside down for the answer)

 

Yes! This article was birthed out of frustration; although that was not the initial intention. So first, I will speak without vitriol and then I will speak with.

As we know, online privacy is a thing; a huge thing. Although privacy is not all that internet rights are about, it definitely stands out. This is because the internet framework can be fragile and easily compromised and it takes a certain level of intentionality to keep information on the internet secure. It is therefore from a sense of that duty that a lot of internet service providers or online businesses structure security measures to ensure that their users are protected.

Before I go on, I’d just like to point out that Privacy and Security are two different things. They seem like they are the same but they aren’t. I’ll admit though, both concepts seek to meet the same end; protect data. Data privacy, however, protects data by controlling its collection, use and transfer and all that while Data security is more about creating tools and structures that keep your data away from hackers and the bad guys on the internet.

So it’s very possible for a company or a website or an individual to create or utilize great security tools to help users/visitors protect their data against hackers but at the same time be employing the worst privacy standards in how data is collected or used. 

That said, there are some common data security tools you probably know.

For instance, ‘Passwords’. Basic yeah? Yeah, you have passwords to keep inexperienced and undetermined hackers away. We also have ‘Encryption’. Encryption does not necessarily prevent hacking, it just uses an algorithm to make hacked content unintelligible. Furthermore, we have ‘Firewalls’. Think of Firewalls as that gate-man or security officer manning a prison. He’s been pre-set with rules on who can come in and who can go out. And he obeys those rules to the letter; or at least he’s meant to. 🙂

More relatable is the Multi-factor Authentication or 2-Step Verification. This is like a more paranoid password thingy. It basically seeks to verify whether you’re really the person trying to access the account by asking for something you have and then something you know (e.g Your Fingerprint + Your Password OR Your Password + An OTP sent to your phone). It’s like when you and your roommate have a secret knocking system, a secret word and a secret cough rhythm before you either of you can gain access into the room. So for instance, if you only provide the knocking rhythm like ‘Dum dum dum ka’, she’ll be like, ‘Okay?’ And then you have to be like, ‘Covfefe’ and she’ll be like ‘Okay?’ And then you’ll be like, ‘*cough* *cough* *coooooouuuughhhhhh* And she’ll be like, ‘AWESOME! I’m coming to get you’.

While all of these security tools and measures are fantastic, the problem of hacking and data interference is still a thing and security options are not really being optimized as our laws demand (I just had to chip Law into this. This is afterall a law blog. LOL) Our security is still volatile as long as the tools for protecting it remain software related. Hackers gon’ hack. Always. It might not be your data, but it’s definitely someone else’s data somewhere. Whether remotely or by stealing your computer and doing their (black) magic.

So this is where a hardware security key comes in. It steps in as a solid (literally) hero.

As beautifully said by Stina Ehrensvärd (an innovator and the co-inventor of YubiKey, a standard hardware authentication device), in this awesome podcast, a16z  “The more factors you have, the more likely it is to be secure, but it also adds complexity to the user (sic). Something that you have… or you know, with something that you are… should ideally be combined with a hardware authenticator (sic) that’s in your pocket, that’s not connected to the internet and has a very small attack vector’

She also explained that unlike your fingerprint which can be copied because it is available to anyone who can get access, sending strong unique numbers is difficult to beat or to guess. 

A hardware authentication token or key basically works as the other part of a multi-authentication or a 2-step verification process. Say you have one of these keys and set it up for your google account. When you input your password to  sign into that account on a computer, you’ll be asked for your security key and at that prompt, you may insert your physical key into your USB and either press the button on the key (if yours has a button or a touch-responsive area) or just leave it at inserting. 

Super cool yeah? Yes, I think so too. There are strong arguments to be made for it and I think it’s the same concept with Bank Tokens, as we know. Google in its effort to protect data, has incorporated this as one of the security options for its user. I think many more companies should make this option available for users’ online security. 

 

HERE COMES THE VITIROL!!!!!

So remember I promised to vent?

Well, Google GAVE ME , a Nigerian this FIDO U2F Security Key in Nigeria. It came with its own cute packaging and reusable wallet and all Google branded litness. So I’m like, ‘Yes yes yes. YAS!’.

I decided I was going to review it at the perfect time; which for me, was yesterday.

It was a mind-opening process for me; leaving me exasperated at the end.

So here’s a run-down:

 

#Vitriol1

Following the google instructions, I made my attempt to set up my security key but to no avail! I kept getting stuck at Step 4 because guess what, there was no ‘add security key’ in MY OWN 2SV page.

#Vitriol2

I searched and searched on support forums for why my page was conspicuously missing a security key option. I was like, ‘Okay, this isn’t like my boo, Google. I’m going to try to find customer support to clear this.”  Guess what guys??? I found out that you don’t get to chat with a Google customer support agent unless you’re a GSuite Paid user. I was going to seethe but I remembered that I have GSuite for one of my websites. ‘In ya faceeeee’. But still, can you imagine?

#Vitriol3


Okay, this didn’t make me angry. I chatted with one of Google Support agents, Mari-Syle, and she was really cool. She told me that I had to first turn on my 2 Step Verification and then I’d see the link. In my mind I was like, ‘Um.. That wasn’t in the process thingy but okay’. But in real life I was like, ‘You’re a gem! Thanksss! I’ll do that tomorrow. I have to run’

#Vitriol4

I actually tried to do it tomorrow (today), and turns out that 2-Step Verification is not available for Nigerians. *DJ screech and rewind*  *oops!* No. Not *oops!* more like ‘WHAT THE ACTUAL HECK???’ I had kept seeing that my phone number was invalid and I couldn’t authenticate with it and I was like ‘Okay, what’s wrong with me? Cause it has to be me, right?’ I even bought airtime just in case. LOL

I finally went on a Forum Support Group and I figured that A LOT of Nigerians have been ranting about this same situation. (Oh, mind you, these complaints have been since 2016). Just check this Forum Group filled with Nigerian ranters. It’s almost funny. 

 

So yeah, I get it. It isn’t about Google. It’s about Nigerian Telcos not being able to negotiate properly with Google or vice versa to arrive at a pleasing service rate. Or, the Telcos just can’t deal with all the 2SV traffic. But this partnership is so needed. It’s ridiculous that I cannot access the 2SV feature for my google account in the 21st century. 9Mobile and Co, please fix up abeg.

Meanwhile, y’all check out my dentition.

Ce COOKIE n’est pas comestible

In the spirit of weird naming, I decided to title this article in a language you probably don't understand. But it basically means 'This COOKIE is not edible'. :)

Bon! Let’s get into the article.

At the risk of sounding like an unserious person, one of the things that intrigue me the most in the tech space is the art of weird-naming. For instance, check out this TechCrunch Article that discusses how startups make weird name choices. I mean, a good example in Nigeria is ‘JiJi’. If you’re Yoruba, you probably understand better why this is a weird name selection for an Online marketplace.

But, then, even apart from companies, some technologies do have funny and unrelated names.

For instance, ‘Bluetooth’.

Here’s a question: What does a tooth, so dirty, it’s blue, have to do with file sharing and communication between devices?  (P.S. The only thing a real blue tooth is sharing is oral thrush -_-). Anyway, Bluetooth was the name of a king in Norway who introduced Christianity to Denmark and Norway and united different regions and allowed for better flow of communication. Read about him here.  

Also,check out Phil Belanger (founding member of the WiFi Alliance) saying that the word ‘WiFi’ stands for nothing. Nope. Not ‘Wireless Fidelity’ According to him, “It is not an acronym. There is no meaning” Buhahahaha.

And now, in this article, we’re looking at ‘Cookie’ as an internet word. I have heard that the term may have been coined from ‘leaving crumbs of data on the internet’ or from the fortune cookie which usually has an embedded message (this might be a reach though).  Anyway, Cookie, in this regard, is also referred to as ‘HTTP Cookie’ or ‘Internet Cookie’ or ‘Web Cookie’. But or this article, we’ll just stick to ‘Cookie’.

 

What, in the web, is a cookie?!

A cookie is simply data/information sent from a website to your computer to help store your preferences or choices in order to make your future experience on the site more seamless or better tailored.

For instance, a couple of days ago, I was seriously desiring a Vinyl Player and I was like ‘Okay, Boro, you’re doing this. You’re getting yourself one’. So I went on my go-to site for weird stuff, and searched for ‘Vinyl Player’. I saw the one I wanted and then saw the price and then laughed and continued eating from hand to mouth. I, however, visited the site again today and there on the landing page and without having to search for it, I was welcomed with:

Issa Temptation
Issa Temptation

 

I’ll paint a scenario to help you better understand: You want to buy a shoe so you visit www.bestshoeseverliveth.com  You search for sneakers and scan through and finally find one that you like. You add it to your cart and proceed to payment. At payment you select ‘Naira’ as your preferred currency and then you pay. If the website uses cookie (which it’ll most likely do), a piece of information will be sent to your computer.  The website creator is the one who determines the type of information a cookie collects. In this scenario, it may just be your currency preference, but it may also be other details like:  your preference of sneakers, your Name, your card details, items you favorited but didn’t purchase. 

 

Why? Why? Why? Why? Oh Lord, Why are they saving information about me?

Well, like I said earlier, it’s generally to help you enjoy your visit to the website next time. For instance, the next time you come, you’ll probably be served with an array of sneakers and won’t be asked what currency you want to pay in anymore. Furthermore, it’s stored on your computer so that when you use that same computer to browse for stuff, the website server communicates with the cookie it has kept on your computer and tailors your experience.

Cookies are also used to present more relevant advertising (for sites that embed ads). See the notice on this site I visited today as well:

Speaking about sites that display ads, has it ever happened to you that you tried shopping for an item on a site, or you searched for something somewhere and then every other site you went in the world, kept offerings ads of those items?

Well, the general rule is first that only the same website that saved your information can read your cookie. So normally, if you visit bestdresseseverliveth.com and search for ‘red bodycon dress’, you shouldn’t expect to visit greatdresseseverliveth.com and have a flood of red bodycon dresses thrown at you in a very unsubtle manner.

However, here’s a clause. One website can actually have embedded pieces of another website.

Let’s imagine again: You visit myfirsttimehere.com for the first time. And as you scroll through the site you begin to see ads of ‘red bodycon dresses’ all over the place. Don’t be shocked, it could either be that myfirsttimehere.com embeds ads from bestdresseseverliveth.com OR, it embeds ads from a site that also gets its ads from bestdresseseverliveth.com. And so what happens in that scenario is that since bestdressesseverliveth.com already has a cookie stored in your computer, although you’re currently on myfirsttimehere.com, it’ll still be able to extract information about your preferences through that site because a bit of it is embedded on the FirstTimeHere website.

Also, it might be important to know that some websites don’t bother with the basic cookies. The idea of cookies is to store small pieces of data, but if the website intends to store more than small pieces of data, they may choose the alternative of using an ID (like a username). So what happens is that instead of storing a cookie in your computer, the website saves a unique ID in your computer and so whenever you interact with that website, the unique ID stored aligns and thus the cookie/information is saved on the website’s system and not your computer anymore. These are called ‘Third Party Cookies’.

 

This sounds like several levels of risk and invasion? Please scare me further!

LOL. Well, like all technology tools, Cookies are to be used to make stuff better; for you, to make your browsing experience better and help you use your brain less. For the website, it is to help them deliver more stellar services and help with more precise targeting of ads. But also like all technology tools (especially invasive ones like this), it can be misused.

For instance, imagine I am able to get a hold of your cookies and then communicate with the website as you. It means that I may have access to details such as your passwords, credit card details, address and so on. It’s supposed to be almost impossible for this to happen but apparently, there’s something called cross-site scripting which basically happens by inserting a script into an unsecure website and then sending the session cookie of visitors back to the insertor of the script. So when building your website or when visiting websites, it’s important to be conscious of the security of the site.

 

So what does this have to do with Law?

Well it’s simple, every discussion on data and information collection, processing and use should envisage the watchful stare of the Law. As I have said a couple of times, the right to privacy is real and information about people in your custody should be treated with diligence, intentionality and care.

The very popular guiding principles of data protection say:

personal data or information must be processed fairly and lawfully; personal data or information must be obtained only for one or more specified and lawful purposes; personal data or information must not be excessive in relation to the purpose or purposes for which they are processed; and personal data or information must be deleted when no longer necessary for the purposes for which it is collected” – Culled from the African Declaration on Internet Rights and Freedom.

That quote up there is super important so I’m going to copy and paste it down here again.

“personal data or information must be processed fairly and lawfully; personal data or information must be obtained only for one or more specified and lawful purposes; personal data or information must not be excessive in relation to the purpose or purposes for which they are processed; and personal data or information must be deleted when no longer necessary for the purposes for which it is collected”

In addition to this, it’s very important to let visitors know about the existence and use of cookies on your site.

“The collection, retention, use and disclosure of personal data or information must
comply with a transparent privacy policy which allows people to find out what data
or information is collected about them, to correct inaccurate information, and to
protect such data or information from disclosure that they have not authorised.
The public should be warned about the potential for misuse of data that they supply
Online.” – Culled from same source above.

 

In conclusion, Cookies can be used for good and for bad; web developers should ensure to use it only for good. Don’t overtly share data with third parties, don’t lie in your privacy policy, try to use the best technologies to protect data, don’t steal anyone’s data…e.t.c.

Also, because your data is yours, if you’re uncomfortable with this whole Cookie thing, learn how to disable your cookies here. You may also delete existing cookies here. 

And if you’re not sure whether your browser allows cookies, just open this tab here and you’ll know.

Fin!

*serves cold Berry Blast to go with the Cookies y’all just had*

Happy GDPR Day!

Congratulations!

If you’ve been receiving warning or anticipatory mails about the GDPR coming into force, well, congrats because you lived to see that day and it’s today.

If you’re like, ‘Okay, calm. What is GDHR or GDPH or what now?’, well congratulations as well, you’re in the right place to lessen your cluelessness.

So, on the 14th day of April 2016, a day which was an anniversary of the day the Soviet Union agreed to withdraw from Afghanistan (1988); when the heaviest hailstones ever recorded visited Bangladesh with a bang (1986); when President Abraham Lincoln was shot (1865); when the Titanic hit an iceberg in the North Atlantic (1912)… on this very day in 2016, the GDPR was approved by the European Parliament.

The GDPR is short for General Data Protection Regulation, but its long title sounds like this: Regulation on the protection of natural persons with regard to the processing of personal data on the free movement of such data and repealing Directive 95/46/EC (Data Protection Directive).

Let’s start with the phrase ‘…repealing Directive 95/46/EC Data Protection Directive’. I’d like you to imagine a Kingdom in which a technology-backward monarch is reigning. He should continue his reign but his lack of knowledge about this new technology way of life is slowing the progress of his Kingdom. The king makers have two options. They can decide to enlighten him on what technology is and how it affects his kingdom, but then that’s just so much stress.  Or they may just decide to unseat him and put in a more tech-savvy individual to take their Kingdom to glory. And that’s what that phrase has done. It has repealed a formerly existing EU Directive (which had been implemented since 1998)  and now says that once the GDPR is enforced; it will be the new monarch in charge. You can check out the old monarch here

Now what does this new king; the GDPR, have to offer us.

First, we know that although monarchs are super powerful and ought to be respected, their power, no matter how great it is, only exists over the people which they rule. So an important question would be to find out who the GDPR applies to. I mean, it was adopted and approved by The Council and European Parliament, so why is it now a ‘world thing’.

The answer is simple: The GDPR is focused on protecting the data of EU residents – that’s its focus. But now, technology has made it so that EU residents can have their data in the hands of non-EU residents. So whether or not you stay in any of the member states of the EU, as long as you process the data of one or more EU residents, you should pay close attention to what the GDPR says. 

Now, I cannot possibly write on everything in the GDPR. It’s actually an entire package of data protection regulations, so you can imagine its length and the variety of subjects it covers. I’ll however discuss some salient/interesting points I came across.

  • Did you know that in the EU, the right to protection of a person’s data is a fundamental right? Like a basic human right? Like the right to life and freedom of expression? And I think this makes sense because if you can guarantee privacy as a fundamental right, it follows that personal data protection should also be explicitly captured.
  • Also, the GDPR both protects personal data AND ensures the free flow of data within the EU. THAT, brother and sister, is the idea of TechReg. Controlling and yet advancing. In its recital/justification, the GDPR states that: 

    The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organisations, while ensuring a high level of the protection of personal data”

  • Also, the GDPR only applies to the data of natural persons (human beings); not legal persons (like companies). Although if you’re a company collecting the data of a human being, you’re captured to submit. 
  • The GDPR does not apply when individuals are carrying out their normal personal or household activities but applies to controllers who provide the means for processing personal data for such personal or household activities. (jbwqwgvidyu. Lol).  Let me try to explain this. For instance, an EU resident goes to a store to buy some supplies for their house. The storekeeper knows everything they’ve purchased and that’s data. But the provisions in the GDPR do not apply here. The provisions will, however, apply in the situation where some technology or other mechanism is provided to store or process this harmless household and personal data. For instance, if the EU resident uses an app to create and store their grocery list; then yes, the app admin has to comply with the GDPR.
  • Remember I said that the GDPR is more concerned about the data of EU residents and would hunt you down even if you aren’t in the EU but handle the stipulated data? Well yes. You may be in some office in Ajegunle or in a corner in Ikoyi, as long as you or your business outfit is offering some goods or services to persons established in the EU (whether for a fee or for free), you must comply with the GDPR. The question then is how will they catch you? How will they know whether you’re servicing or offering goods to EU residents. Well, there are some indicators the GDPR proposes; like if your site or platform or entity uses/offers the option of certain language(s) or currencies used in one or more of the Member states of the EU, couple that with the possibility of ordering goods or services in that language or currency, or you mentioning customers/users in the EU, then there’s the presumption that the GDPR captures you.
  • A second way a non-EU resident can be subject to the provisions of the GDPR is if he’s monitoring the behavior of EU-residents. This is basically the use of data techniques to track people on the internet. And before you go, ‘Track?? Me? Pffft! Sounds like some CIA business. I can’t even track a song. LOL’. Well first of all, you can do all things (say ‘amen’). And second this just means that you’re profiling people in order to take a decision or to predict their preferences or behavior. And just in case you’re still thinking, ‘Profiling?? Ain’t nobody got time for that’, well, have you heard of ‘Cookies’ before. (I shall write about this very soon). But if you have a website that uses cookies, you’re pretty much monitoring the behavior and preferences of your visitors/users. If you want to carry out a cookie audit on your website or any website at all, visit Cookie Checker. It’s a beautiful tool.
I did one for this site
I did one for this site

So How Do I Comply with the GDPR?

Perhaps the first way to comply with the GDPR is to actually know what it says. It’s a really long read, so you might want to space yourself out and take relevant notes. You may download it here in different languages.

When you know what it says and you are armoured with its provisions, you must align yourself/your business entity/ your website to its provisions. Please note that you’re expected to be compliant by today, the 25th May 2018.

Practically, you may want to

  • Update your privacy policy so that you state in clear and unambiguous terms what data you’re processing and what you’ll be using the data for. Also, don’t just state it, let your site users give an affirmative consent (e.g. by ticking the box). Don’t use pre-ticked boxes. Also, don’t forget to include the bit about cookies, if your site is using. You may tell them that they can disable the cookies if they want. 
  • Check your mailing list and if there are persons who haven’t given affirmative consent, you may want to reach out to them to remind them and give them a deadline.
  • The GDPR requires that to collect the personal data of persons under the age of 16, you need parental consent. So you may also want to enable an age verification system just to be doubly sure. It doesn’t have to be them stating their ages, it can be ‘I affirm that I am 16 years and above’

And so on.

The GDPR is a lot! And it’s not optional especially if you fall within its scope of reach. So get two boxes of Pizza and some Zobo, get your team together, study the GDPR if you haven’t and align yourself (there’s a joke here about being aligned by the monarch ‘ruler’; the GDPR, but I can’t place my hands on it).

 

Thanks for reading!

Edit

My friend and commenter below; Kevwe, gave this awesome suggestion for self-assessment. 

If you’re a data controller (you have data in your control and care), take your self-assessment test here

If you’re a data processor (perhaps you receive data from other sources to use), take your self-assessment test here

Check here for other tests

 

I’d love to hear your comments, below!

 

 

I Bet I Wrote The Raddest Privacy Policy

WARNING: I’m about to sound weird.

For a long time, I have dreamed of the day I’d write a privacy policy.

Forces of limitation ensured that it didn’t occur to me that I could actually just write one, if I was so bent on the high that comes with privacy policies. And I have been stalling to put one together for my soon-to-be-launched social enterprise.

Yesterday, however, I decided to write one for this website and it was lit!

First, what is a privacy policy?

A privacy policy is basically a statement made by a website administrator informing visitors or users on what data will be collected from them, why and the extent of use of those data. That was the definition in my head. Now, this is the definition from Wikipedia (meanwhile, do you feel like there’s a love-hate relationship we have with Wikipedia. We go there for almost anything but it suddenly becomes unreliable when we’re writing a paper. Hypocrisy). Anyway, my boo Wiki, says: “A privacy policy is a statement or a legal document that discloses some or all of the ways a party gathers, uses, discloses, and manages a customer or client’s data. It fulfills a legal requirement to protect a customer or client’s privacy.

 

Now, why is it important to have a privacy policy?

It’s important to have a privacy policy because privacy is important and technology can be invasive. But apart from this seemingly moral reason, you’d see in Wiki’s definition that it’s a fulfillment of a legal requirement.  There are laws, international agreements and generally accepted principles that will require, encourage or guide data controllers on things like this.

Starting at home, you have the Constitution of the Federal Republic of Nigeria which provides that “the privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected.” (Section 37). Suffice to say that the draftsman probably did not envisage this right to be applicable to websites, but I’m thankful that the language is not restrictive because it does apply to every conceivable platform.

Let’s move to the International Convention on Civil and Political Rights which Nigeria acceded est. 1993. Article 17 provides that no one shall be subject to arbitrary or unlawful interference with his privacy…. This also falls within this scope.

In fact, in 2013, the United Nations General Assembly (and yes, Nigeria is represented in the G.A. est. 1960) passed a resolution (resolutions are to non-living corporate entities what decisions are to human beings) noting that the rapid pace of technological improvements will enable the use of ICTs which might enhance the capacity of government, individuals and companies to engage in surveillance, data collection and other privacy-infringing activities. So in that resolution , the Assembly called on all states to respect the right to privacy in the context of digital communications, to review procedures, practices and legislation that may enable surveillance and to ensure transparency.

There’s also the African Declaration on Internet Rights and Freedom which pointedly states that

“The collection, retention, use and disclosure of personal data or information must comply with a transparent privacy policy which allows people to find out what data or information is collected about them, to correct inaccurate information, and to protect such data or information from disclosure that they have not authorized. The public should be warned about the potential for misuse of data that they supply online. Government bodies and non-state actors collecting, retaining, processing or disclosing data have a responsibility to notify the concerned party when the personal data or information collected about them has been abused, lost or stolen.”

And if you were still in doubt as to the importance of privacy or a privacy policy, shall I remind you of GDPR!  You’ve probably gotten at least one email about the GDPR but it may seem like it doesn’t concern you, Nigerian. Perhaps, perhapsn’t. I’ll do a post about GDPR hopefully, but here’s what you should know about it.

  • It’s short for General Data Protection Regulation;
  • It comes into force on the 25th of May 2018;
  • It basically regulates the use of personal data of its specific data subjects;
  • The data subjects it envisages are EU residents;
  • But don’t be deceived and think that because you run a Nigerian entity, you’re not captured;
  • It also applies to you, as long as you process the data of EU residents; whether or not you’re in the EU or the processing takes place in the EU. As long as you offer good or services to those data subjects OR you’re monitoring a behavior that takes place in the EU, you are captured.

 

OKAY, I get the point, How then do I write a privacy policy?

Great question. There are no strict rules for the language you should employ in drafting your privacy policy. You may be angry, emotional, whatever. The idea is to just get the message across. So what is the message to be passed across?

  1. What data you’ll be collecting
  2. What you will do with the data
  3. What you won’t do with the data
  4. Laws that you’re binding yourself to/obeying/letting guide you
  5. That you’ll be updating the privacy policy from time to time.

 

Uh… are there are cool privacy policies we can emulate?

Oh sure. I’ve heard of one really cool one and it’s the one I drafted yesterday!

Check it out here

(P.S. It’s not foolproof! It’s probably more fool than it’s proof 😀 )

 

Merci!

 

Takeout: Controlling Your Personal Data on Google

You know how we’d all like to leave footprints on the sands of time? Well, what if I told you that you’re already doing that! Congratulations 🙂

 

Sooo, privacy and personal data protection have been core areas of interest for me, for a bunch of reasons. The first being that privacy is a constitutionally guaranteed human right (duh.) And also that the principle of data protection is a very important one; one that should not only be recognized by awesome data custodians in Nigeria, but should be enshrined in our laws so that the un-awesome ones would be forced to abide by it.

 

Before I go on, let’s talk a little about Data Protection. What is it?

Data protection is simply the safekeeping of information. And personal data protection as it relates to the internet and to digital platforms generally entails data custodians (those with whom your data are), employing the best technologies to keep every information that has been gathered about you, safe. Remember when I said that you’re already leaving footprints in the sands of time? Well, there’s pretty much data stored up for everything you do online. From the basic ones you can imagine; pictures you’ve shared, personal information you’ve shared and so on. To the ones you don’t want to imagine; every app you’ve ever downloaded or opened, every website you’ve ever visited and so on.

 

Personally, I think one of the beautiful components of the principle of data protection is the principle of data ownership. How that apart from the requirement for data custodians to keep data in their care safe and only use it for legitimate reasons and in legitimate ways, these data also belong to the Data Subject. (The data subject is the person whom the data is about).

Therefore, the fact of my visiting so-and-so website on so-and-so day, and the record of it, should belong to me although it’s in the care of *insert data custodian*. The implication of this principle is that, if said data is mine, then I should have control over it. Further implication then is that data custodians should provide access to data in their care to the real owners of the data in order to give them the opportunity to make decisions over it.

And this is possible with a number of multi-national data custodians like Google, Facebook and LinkedIn

For Google, you may use this Google Tool: Google Takeout  (I’m late to the show in just discovering this because it was developed in 2011)

With Takeout you have access to all your google data (pretty much everything you’ve put out or done using Google). I mean, information from your Drive, Chrome, Hangout, Maps, Keep, Photos, Bookmarks, Youtube and so on.

You choose which category of data to download (It might take a while. Mine is 2GB heavy and  is currently still downloading), and then when you see the data, you can decide to purge out the cringe-worthy ones and keep the ones you are proud of.

Google, the company, is on record to have said that it’s better to be transparent about the information being collected as opposed to not showing it at all. And I agree with that.

I’ll do a follow-up article when my data is downloaded and I’ve looked through it and deleted some data. I should also do one for my Facebook data (*shivers*)

But yeah, netizens (I hate this word but it keeps coming to my lips), should not just feel like they are in control of their data but should really be in control of their data. Perhaps there’s the question of whether the deleted data are actually deleted for real real; or the deletion is just faux you to sleep well at night (ha! see what I did there?). I shall do another follow-up article on this. 

I can’t wait for a Data Custodian in Nigeria to take up this initiative. Imagine being given access by 9Mobile to all your calls and texts since you ever started using their network and being allowed to delete some stuff. Or are there already provisions like this in Nigeria? (please let me know in the comment box if there are).

So yeah, I’ll do a follow-up article, as promised.

Ciao!