A new privacy storm has landed in Nairobi. Filmmakers linked to the BBC Africa documentary Blood Parliament say their phones were fitted with spyware while the devices were in police custody. A forensic analysis by Citizen Lab found traces of FlexiSPY on at least one handset, and the revelation has reignited worries about secret surveillance and the safety of journalists in Kenya.
Imagine handing your phone to the police and getting it back with software that can read your messages, record calls, turn on the microphone, and follow your location. That is what the Citizen Lab report suggests: FlexiSPY was installed on a device while it was held by state agents, according to the forensic timeline. If true, the act would be more than a technical breach β it would be an invasion of privacy and a danger to sources and reporters.
The DCI has pushed back, calling the reports βfalseβ and βsensational,β and saying it acts within the law. The unit declined to answer detailed questions, noting the matter is active in court.
βWe want to assure the members of the public that the DCI operates strictly within the confines of the law. Our commitment to upholding the rights and privacy of all Kenyans is unwavering, and we do not engage in any activities that compromise these constitutional principles,β the DCI said.
That denial has done little to calm critics. Rights groups and press freedom advocates say the Citizen Lab findings demand an open, independent probe. The Committee to Protect Journalists called the discovery βoutrageousβ and said it shows devices are not safe in the hands of some law enforcement agencies. For journalists, the risk is real: a compromised phone can expose sources, endanger lives, and chill reporting.
This episode comes against a tense backdrop. Earlier this year the death in custody of blogger Albert Ojwang prompted questions about how police tracked his location and about the sharing of telecom data with security agencies. And a separate, high-profile legal fight involves Canadian-based developer Mary Wachuka Maina, who has sued the government over a collapsed surveillance contract and seeks large damages β all of which feeds public concern about how surveillance tools are bought, deployed and overseen.
Kenya does have rules meant to protect privacy. The Data Protection Act of 2019 created the Office of the Data Protection Commissioner to oversee data use and to investigate complaints. But experts say laws must be matched by transparent practices: clear logs of who ordered surveillance, independent forensic checks, and routine public reporting. Without that, legal powers can become secret tools with little accountability.
What should happen next is straightforward. Authorities must allow independent forensics, let the Data Protection office probe, and publish a public summary of findings that protects real secrets but honours the publicβs right to know. Courts should guard against evidence tampering and ensure the safety of journalists and sources. Civil society should be invited into oversight conversations so trust can start to rebuild.
This is not only a technical debate about software. It is about whether a democracy protects the private lives of its citizens and the safety of its newsrooms. If the allegations are true, Kenya needs to act fast. If they are false, clear evidence should end the doubts. Either way, the moment calls for transparency, not silence.
Featured image via screengrab.