You are going about your day when a text message comes in, an alert about the sale of an item by a shop you have never patronized. You ignore it at first, then another follows, an update of an offer sale, then another, a reminder. By the third or fourth, it’s clear that these aren’t just random messages, they are specific, personal and meant for you. A question quietly forms, “why are these messages being sent to me?”.
That question is no longer hypothetical. Today, many of us have received repeated alerts sent by unfamiliar vendors and service providers. They seem like spam messages hence why we quickly delete them from our phones but here is another reality: the phone number you have once belonged to someone else who freely subscribed to those vendors/service providers.
In Kenya today, a phone number is more than a contact, it is a digital identity. It underpins banking, M-Pesa, e-Citizen (government services), tax, land registration systems and even healthcare access. Every sign up and login access to these systems creates a permanent link between a person and their number, but that link can quietly be compromised.
When your SIM card remains inactive for a number of months, it is eventually reassigned by the mobile network operator you are on. The number moves on, but the data tied to it often does not. Alerts, records, verification codes and confirmations for various payments continue to flow, now reaching the new holder, who begins receiving fragments of transactions that are not theirs. This is not just an inconvenience; it is a structural risk.
The High Court confronted this reality in Erastus Ngura Odhiambo v State Law, where a Kenyan lost access to his number after it was reassigned, cutting him off from financial updates and communication, while his sensitive information continued to be sent elsewhere. The Court recognized a phone number as a protected digital identifier and exposed a deeper flaw, the reassignment/recycling of numbers operates without adequate consent, notice or technical safeguards to separate identity from data.
The High Court ordered reforms, requiring informed consent, proper notification, and technical protections to prevent data leakage failing which the practice itself would have to stop.
Systems continue to treat phone numbers as permanent identifiers, even as mobile network operators treat them as reusable resources. The result is a dangerous gap where identity lingers long after ownership has changed.
The real risk goes beyond stray messages. If a recycled number remains linked to banking or government platforms, verification codes may be sent to the wrong person, opening the door to serious data breaches with far reaching consequences.
The High Court’s decision is a welcome warning, a signal that the law is beginning to catch up with the realities of a phone-driven society. But it is not, on its own, a solution. Until systems are redesigned and identity is treated as something more than a reusable number, the risk of losing your personal data and receiving someone else’s personal data remains very real. Somewhere, even now, another message is being delivered to the wrong recipient, putting mobile network operators on the spot, a spot we are watching keenly following the High Court decision.
This publication is meant for general information only and does not constitute legal advice, nor does it create an advocate-client relationship between any reader and Mboya Wangong’u & Waiyaki Advocates. For particular expert advice on any matter dealt with above, please contact us on advocate@lexgroupafrica.com for tailored legal support.
Authored:
Mary Ndung’u and Serah Kamau
