Safaricom Shared Student Data with Police Without Court Order in Ruto Social Media Case
Quote from Lawyer on September 9, 2025, 9:50 amOn September 8, 2025, a significant breach of Kenya’s Data Protection Act came to light during a court hearing at Nairobi’s Milimani Law Courts. A Safaricom employee, identified as Mr. Daniaf, admitted to sharing a university student’s personal data with police investigators without obtaining a legally required court order. This revelation unfolded during the high-profile case against David Oaga Mokaya, a fourth-year student at Moi University, who was arrested in November 2024 and charged with posting misleading information about President William Ruto on the social media platform X.
The case centers on a post Mokaya allegedly made under the username @bozgabi, featuring an image of a casket draped in the Kenyan flag, accompanied by a caption referencing “President Ruto.” The prosecution claims the post, which depicted a funeral procession with military personnel, misled the public into believing it was related to the president’s death, causing public unrest. Mokaya, charged under the Computer Misuse and Cybercrimes Act for spreading false information, has denied the allegations and was released on a bond of Sh100,000 or a cash bail of Sh50,000, with the case ongoing.
Chief Inspector Bosco Kisau of the Directorate of Criminal Investigations (DCI) Serious Crimes Unit testified before Milimani Senior Principal Magistrate Benmark Ekhubi. Kisau revealed that his team of four officers traveled to Eldoret on November 15, 2024, to arrest Mokaya after obtaining his phone number and subscriber details from Safaricom. The data, which included details of two transactions on November 13—an incoming SMS at 4:24 p.m. and a 270-second phone call—was provided following a letter from senior police officer Michael K. Sang. During cross-examination by defense lawyers Danstan Omari, Ian Mutiso, and Shadrach Wambui, Kisau admitted that no court order was secured before accessing Mokaya’s data or seizing his Samsung phone, laptop, and ID. He further acknowledged being unaware of a High Court ruling requiring judicial approval for such actions.
Safaricom’s compliance officer, Daniel Hamisi, also testified, confirming that the company released Mokaya’s information without a judicial directive. This admission sparked outrage from the defense, who argued that the unauthorized data release violated Mokaya’s constitutional rights to privacy and freedom of expression. Defense attorney Mutiso pressed Kisau, asking, “Do you know that subscriber details can only be released with a court order?” Kisau responded that he was unaware of this requirement, further highlighting procedural lapses in the investigation.
The defense challenged the prosecution’s narrative, noting that the post did not explicitly mention President Ruto’s full name or include his image. They argued that the term “Ruto” could refer to any Kenyan with that name, as it is not exclusive to the president. Kisau conceded that the image showed only a flag-draped casket and did not depict a “dead body,” undermining the claim that it explicitly suggested the president’s death. The defense further contended that the post was a form of protected political expression, possibly satirical, and questioned whether it genuinely caused public panic, as Kisau could not confirm any public shock.
The case has ignited broader concerns about digital privacy and state overreach in Kenya. Legal experts and privacy advocates warn that Safaricom’s actions, bypassing judicial oversight, set a dangerous precedent for citizen data protection. The unauthorized release of subscriber information raises questions about compliance with Kenya’s Data Protection Act and the integrity of evidence obtained without due process. The court now faces the critical task of determining whether such evidence is admissible, a decision that could impact the case’s outcome and future digital rights in the country.
This incident follows earlier statements from Safaricom, issued on October 31, 2024, denying allegations of sharing customer data without court orders. The company emphasized its adherence to data protection laws and its ISO 27701 Privacy Information Management System certification, claiming that Call Data Records (CDRs) are used solely for billing and do not provide real-time location tracking. However, the courtroom admissions contradict these assurances, fueling public distrust in the telecom giant’s handling of sensitive user information.
The case also coincides with separate legal action involving Safaricom and investigative journalist Robert Wanjala Kituyi, who sought details on the number of court orders Safaricom received from police between June and October 2024 for personal data. Safaricom’s move to block this information has led to accusations of suppressing press freedom, further intensifying scrutiny of the company’s practices.
As the trial continues, it underscores the growing tension between state surveillance, corporate responsibility, and individual rights in Kenya’s digital landscape. The outcome could reshape how telecom companies and law enforcement handle personal data, with significant implications for privacy and freedom of expression in the country.
On September 8, 2025, a significant breach of Kenya’s Data Protection Act came to light during a court hearing at Nairobi’s Milimani Law Courts. A Safaricom employee, identified as Mr. Daniaf, admitted to sharing a university student’s personal data with police investigators without obtaining a legally required court order. This revelation unfolded during the high-profile case against David Oaga Mokaya, a fourth-year student at Moi University, who was arrested in November 2024 and charged with posting misleading information about President William Ruto on the social media platform X.
The case centers on a post Mokaya allegedly made under the username @bozgabi, featuring an image of a casket draped in the Kenyan flag, accompanied by a caption referencing “President Ruto.” The prosecution claims the post, which depicted a funeral procession with military personnel, misled the public into believing it was related to the president’s death, causing public unrest. Mokaya, charged under the Computer Misuse and Cybercrimes Act for spreading false information, has denied the allegations and was released on a bond of Sh100,000 or a cash bail of Sh50,000, with the case ongoing.
Chief Inspector Bosco Kisau of the Directorate of Criminal Investigations (DCI) Serious Crimes Unit testified before Milimani Senior Principal Magistrate Benmark Ekhubi. Kisau revealed that his team of four officers traveled to Eldoret on November 15, 2024, to arrest Mokaya after obtaining his phone number and subscriber details from Safaricom. The data, which included details of two transactions on November 13—an incoming SMS at 4:24 p.m. and a 270-second phone call—was provided following a letter from senior police officer Michael K. Sang. During cross-examination by defense lawyers Danstan Omari, Ian Mutiso, and Shadrach Wambui, Kisau admitted that no court order was secured before accessing Mokaya’s data or seizing his Samsung phone, laptop, and ID. He further acknowledged being unaware of a High Court ruling requiring judicial approval for such actions.
Safaricom’s compliance officer, Daniel Hamisi, also testified, confirming that the company released Mokaya’s information without a judicial directive. This admission sparked outrage from the defense, who argued that the unauthorized data release violated Mokaya’s constitutional rights to privacy and freedom of expression. Defense attorney Mutiso pressed Kisau, asking, “Do you know that subscriber details can only be released with a court order?” Kisau responded that he was unaware of this requirement, further highlighting procedural lapses in the investigation.
The defense challenged the prosecution’s narrative, noting that the post did not explicitly mention President Ruto’s full name or include his image. They argued that the term “Ruto” could refer to any Kenyan with that name, as it is not exclusive to the president. Kisau conceded that the image showed only a flag-draped casket and did not depict a “dead body,” undermining the claim that it explicitly suggested the president’s death. The defense further contended that the post was a form of protected political expression, possibly satirical, and questioned whether it genuinely caused public panic, as Kisau could not confirm any public shock.
The case has ignited broader concerns about digital privacy and state overreach in Kenya. Legal experts and privacy advocates warn that Safaricom’s actions, bypassing judicial oversight, set a dangerous precedent for citizen data protection. The unauthorized release of subscriber information raises questions about compliance with Kenya’s Data Protection Act and the integrity of evidence obtained without due process. The court now faces the critical task of determining whether such evidence is admissible, a decision that could impact the case’s outcome and future digital rights in the country.
This incident follows earlier statements from Safaricom, issued on October 31, 2024, denying allegations of sharing customer data without court orders. The company emphasized its adherence to data protection laws and its ISO 27701 Privacy Information Management System certification, claiming that Call Data Records (CDRs) are used solely for billing and do not provide real-time location tracking. However, the courtroom admissions contradict these assurances, fueling public distrust in the telecom giant’s handling of sensitive user information.
The case also coincides with separate legal action involving Safaricom and investigative journalist Robert Wanjala Kituyi, who sought details on the number of court orders Safaricom received from police between June and October 2024 for personal data. Safaricom’s move to block this information has led to accusations of suppressing press freedom, further intensifying scrutiny of the company’s practices.
As the trial continues, it underscores the growing tension between state surveillance, corporate responsibility, and individual rights in Kenya’s digital landscape. The outcome could reshape how telecom companies and law enforcement handle personal data, with significant implications for privacy and freedom of expression in the country.