Over the course of the past decade far too many African nations have continued to struggle, plagued by famine, disease, and conflict. However, there has been one consistently positive African story: the astounding diffusion of mobile phones across the continent. With current growth rates more than twice as fast as the rest of the world, Africans have embraced the cellular device to a degree once thought unimaginable. The world's second most populous continent now faces the very real possibility of capturing the potential of mobile telephony and launching a new era of economic and social development.
This is not a new story, but it is a story only partly considered. For all of the value these devices will deliver, a darker side of the wireless revolution remains rarely discussed. As the use and utility of mobile phones in Africa continues to rise, so too will security vulnerabilities. Unless properly addressed, security vulnerabilities endemic to the use of the information and communications technologies (ICTs) will be magnified by a number of factors unique to Africa, possibly leading to a tsunami of information insecurity across the continent.
Rapid Adoption Rate
It is important to note that the rapid growth of mobile phones stands in contrast to the much slower adoption of other ICTs. In fact, in 2009 Africa boasted 295 million mobile phone subscriptions for a penetration rate of 37.5 per 100 inhabitants, compared to just 8.8 per 100 Internet subscribers and less than two per 100 landline telephone users.5 Africa's annual growth rate of 47% between 20032008 far exceeds the worldwide rate of 21.5%, demonstrating the extraordinary continental adoption of mobile phones.4 A number of supply and demand factors have propelled this growth, such as the availability of prepaid airtime options, the existence of a competitive market in nearly every African nation, and the limited infrastructure requirements of establishing a cellular network. In contrast, market structure, user costs, and lack of infrastructure will continue to restrain the use of Internet and landlines. Meanwhile, the affordability and growing utility of mobile phones will make the device an increasingly essential tool for the average African.
Beyond assisting in the modernization of African economies, mobile phones have provided welcome security uses as well.
Africans have proven innovative with mobile phones by creating unique banking and security applications as well as adopting low-cost pricing schemes that allow greater access to poor populations. Perhaps the most compelling and fastest-growing African mobile application is mobile banking. Previously a continent of largely unbanked populations, service providers are rapidly adding low-cost mobile banking solutions for their customers. One of the leaders in this important area is Kenyan mobile service provider, Safaricom. Its M-PESA mobile banking service obviates the need for a physical branch, allowing users to conveniently save, transfer, and spend large and small amounts of cash no matter their physical location or economic status. Rather than simply offering a mobile portal for existing bank customers, as is common in Western nations, M-PESA has created new customers from a population previously denied banking services. The continued growth of mobile banking has the potential to rapidly modernize commerce and personal finance in Africa.
Beyond assisting in the modernization of African economies, mobile phones have provided welcome security uses as well. Following post-election violence in 2008, Kenyans were able to send SMS alerts regarding outbreaks of violence, thus allowing officials and activists to accurately track and respond to threatening situations (see http://www.ushahidi.com/). In Tanzania, police provided free mobile phones to albino citizens in response to targeted murders against that population. The phones were programmed with a special number to directly contact the police allowing users to report threats.1
In a continent where many house-holds have little discretionary spending, innovation in the payment of mobile services has been essential to rapid diffusion. Throughout the developing world, prepaid phone service has propelled mobile growth, while in Africa a number of steps have further assisted this growth. Rather than billing by the minute, many providers instead bill by the second. Provider MTN employs a system of dynamic tariff charges in which costs are adjusted each hour depending on typical usage. With the ability to check the cost of calls at any particular time, customers can choose the least expensive times to use their phones.7
These examples of low-cost access, security, and financial applications are part of a greater African trend that will only continue as the device becomes more powerful. There is then little doubt that mobile phones will become the primary personal and professional ICT vehicle for a large majority of Africans. This stands in stark contrast to the past when only a small minority of Africans had any regular personal ICT access at all.
Certainly the potential gains for Africa are great, but a growing dependence on mobile phones elicits cause for concern. Worldwide trends indicate significant security problems for mobile telephony in the coming years. Mobile devices and networks will become increasingly vulnerable in every way that networked desktops and laptops currently are. Particularly as mobile phones become more vital to personal commerce and finance, the devices will become more desirable targets for criminals. The botnets and malware that currently plague networked computers will soon become commonplace on our mobile devices, opening the door to data theft and denial-of-service attacks.3 Limitations of both battery and processing power make mobile phones less defensively capable than desktops and laptops, thus increasing the vulnerability of phones. Beyond cyber attacks, the size and manner of use of mobile phones makes them particularly susceptible to loss and theft. A lost or stolen phone can be mined for personal data or used in a number of malicious ways. This global trend of insecurity applies to African phones as well. Initially, African users will be protected by their relative disadvantages, such as less capable phones and use limitations due to electric power deficiencies. However, as both use and capability of African mobile phones increases, so will criminal activity. While all users of mobile phones should expect a surge of telephonic cyber crime, the state of African information security is likely to increase the vulnerability of African users.
With mobile phones vulnerable to cyber and physical attacks, African users can expect to experience the same set of headaches that are becoming more common in Western nations. Identity theft is typically not a great threat in a developing rural community. However, once individuals begin sharing personal information with service providers, that unique identity becomes vulnerable to theft and misuse. Further, for those participating in mobile banking, a perpetrator who has gained cyber or physical control of the mobile device can obtain complete access to financial records and the ability to conduct transactions. Such a violation could potentially wipe out the savings of a family, leading to years of financial hardship. Mobile phones also provide the potential for snooping, in which perpetrators can listen to conversations and track locations. These are new problems for Africans; never before could an individual's privacy, identity, or savings be compromised because of one device's vulnerabilities.
Three factors in particular portend the tide of insecurity. First, the vast majority of African nations suffer from a deficiency of appropriate laws and organizations needed to confront cyber crime. It is only recently the case that both Internet and mobile telephony have come to every African country. This fact coupled with inadequate resources has left most African nations without proper institutions needed to secure the cyber realm. While Tunisia stands out in its institutional readiness with an established national Computer Emergency Response Team (CERT) that has actively reached out to both businesses and the general population, only a few of the remainder of African states have information security teams, and those remain in embryonic stages. This has lead to a high rate of computers infected with malicious softwareperhaps as high as 80%.2 The inability to stop criminal activity now amidst an environment of few sophisticated Internet users speaks to the great problem ahead when many mobile phone users begin to apply their phones in increasingly sophisticated and sensitive ways.
Because the potential gains are so great for Africa, it is vital that malevolent forces do not spoil this moment of opportunity.
A second issue revolves around African notions of privacy. While the African states are certainly not monolithic in their thinking, there does exist a pervasive ethos of communitarianism that deemphasizes the individual right of privacy. In Europe and North America, the right of personal privacy is far more prevalent, leading to significant advocacy for the protection of personal information in the digital realm. Although there is arguably a great deal more that could and should be done, this advocacy has forced corporate gatherers of personal information to be mindful of protecting data from misuse or theft, leaving users more protected. Without such a strong notion of privacy rights in Africa, this advocacy is disturbingly absent in the nascent field of African information security. For instance, in 2004 the South African Post Office decided to sell the personal information of citizens in its database. Without any legal mechanism to protect personal information, individuals had no means of protecting their own privacy.6 Few protections of personal information mean that sensitive data can all too easily fall into the wrong hands.
Finally, too many African governments demonstrate a willingness to operate outside the rule of law and with little accountability. In such an environment, mobile phones become an unprecedented tool to track a citizen's activities. An unscrupulous government could easily use the cellular network to track an individual's movement, listen to conversations, and access financial records. While such behavior is not absent in Europe and North America, it is generally limited due to robust legal systems and privacy watchdogs. Where such systems are absent, as in many African states, government snooping can have a chilling effect on a population and negate the many gains provided by mobile service.
Because the potential gains are so great for Africa, it is vital that malevolent forces do not spoil this moment of opportunity. Further, we must not forget that in such an interconnected world, a problem for Africa is very much a problem for everyone else. Once a continent with very limited broadband connectivity, undersea fiber cables now span the length of each of Africa's coasts and the development of several new cables is under way. While desperately needed, this additional bandwidth can serve as a conduit to import and export mobile viruses and other forms of malware from and to the rest of the world. It is, therefore, imperative that this potential information security nightmare be addressed. Like so many security problems in the cyber world, however, the solutions are not evidently at hand.
The compelling rise of mobile telephony across Africa is not a passing phenomenon.
Of particular concern is the current lack of information security professionals in Africa. What is a significant problem in developing countries is compounded in Africa where few countries have the resources to educate and train the work force needed to protect the cellular networks. Along the same lines, governmental capacity to develop the necessary institutions is largely missing. Western assistance, when offered, is rarely given in a sustainable manner that would allow for true security work to persist. Finally, political sensitivities tend to limit the amount of assistance home nations are willing to accept relating to security issues. All of this leaves Africa with an absence of internal capacity coupled with weak outside assistance. It is therefore difficult to imagine positive scenarios in which the onslaught can be avoided.
In considering possible solutions, it is clear that device manufacturers and service providers must contribute. Too often private interests place security low on the list of priorities, especially when not encouraged by government entities. Yet for African networks to be safe, it will be essential for manufacturers and providers to offer adequate security. Steps such as encrypting all sensitive data passed through the network and ensuring the privacy of personal information offer adequate user protection. African governments must also find ways to train information security professionals. While increasing this work force will certainly carry a high cost to governments that often have little money to spend, the costs otherwise will be far greater, although distributed more broadly among the population.
Beyond Africa, mobile phone security must be raised in the consciousness of Western professionals and the international bodies studying and working in the field of information security. By raising awareness across the globe, we have a far greater chance of motivating sustainable international assistance.
Finally, an African public awareness campaign is vital. As individuals begin to use more powerful devices in more powerful ways, it is essential that these users understand the potentially detrimental effects that lurk unseen.
The compelling rise of mobile telephony across Africa is not a passing phenomenon. While restraints for future growth do exist, the power, accessibility, and affordability of the devices make them an irresistible force in the coming decade. As stated, not only will subscriber numbers increase, but so too will the capability and utility of the devices. Very soon a majority of Africans will be using mobile phones for banking, accessing the Internet, facilitating commerce, and general communication. It is possible the prospect of a tsunami of information insecurity might recede, but this will only occur with early, concerted, and cooperative engagement on behalf of national governments, international donors, device manufacturers, and service providers.
3. Georgia Tech Information Security Center. Emerging Cyber Threats Report for 2009. (Oct. 15, 2008); http://www.gtisc.gatech.edu/pdf/CyberThreatsReport2009.pdf.
4. ITU. Information Society Statistical Profiles 2009: Africa; http://www.itu.int/dms_pub/itu-d/opb/ind/DIND-RPM.AF-2009-PDF-E.pdf.
5. ITU. Key Global Telecom Indicators for the World Telecommunication Service Sector; http://www.itu.int/ITU-D/ict/statistics/at_glance/KeyTelecom.html.
6. Olinger, H., Britz, J., and Olivier, M. Western privacy and/or Ubuntu? Some critical comments on the influences in the forthcoming data privacy bill in South Africa. The International Information & Library Review 39 (2007), 3143.
The Digital Library is published by the Association for Computing Machinery. Copyright © 2010 ACM, Inc.