The labyrinthine lanes of Eastleigh's Garissa Lodge, where Nairobi's vibrant Somali and Indian traders haggle over airtime bundles and smartphone accessories under a canopy of faded awnings, have long been the beating heart of Kenya's mobile revolution—a place where a Sh50 M-Pesa scratch card can bridge families across continents or fund a day's meals for a vendor's stall. Yet, as the sun beat down on the bustling market on November 17, 2025, whispers of a draconian shift rippled through the crowds, turning casual chats about the latest iPhone knockoffs into fervent debates over privacy and personal sovereignty. The catalyst was the Communications Authority of Kenya's (CA) proposed Kenya Information and Communications (Registration of Telecommunications Service Subscribers) Regulations, 2025, a draft policy that would compel new SIM card registrants to surrender not just IDs and fingerprints, but highly sensitive biological markers: DNA profiles, blood types, retinal scans, voiceprints, and even earlobe geometry. "This isn't registration; it's rendition—handing over your essence to a database that could outlive you," vented 35-year-old trader Hassan Mohamed, his phone clutched like a talisman as he scrolled the CA's public notice posted on its website the previous week. "Who needs my DNA to send money to my sister in Garissa? This is Big Brother in a barcode."
The regulations, gazetted for public consultation on October 30 and set to close submissions by January 31, 2026, mark a radical escalation from the 2015 SIM-card rules that required only basic ID and address verification. Under the new framework, telecommunications operators like Safaricom, Airtel, and Telkom must collect "biometric data" as defined in the Data Protection Act, 2019—encompassing "personal data resulting from specific technical processing based on physical, physiological or behavioural characterisation, including blood typing, fingerprinting, DNA analysis, earlobe geometry, retinal scanning, and voice recognition." For new SIM activations, applicants would undergo on-site DNA swabbing via cheek cells or saliva kits at agent outlets, blood type determination through finger pricks, and advanced biometrics like iris scans at CA-accredited centers. "Imagine queuing at a Safaricom shop, not just for airtime, but for a spit in a tube and a pinprick—your genetic blueprint swapped for signal bars," lamented digital rights advocate Mercy Mutua during a November 15 webinar hosted by the Kenya Human Rights Commission, her screen shared with 1,200 viewers tuning in from Mombasa to Malindi. "This isn't security; it's subjugation, a step toward a surveillance state where your phone knows your veins better than your doctor."
The CA's rationale, spelled out in a 45-page explanatory memorandum accompanying the draft, frames the measures as essential for combating cybercrime, terrorism financing, and identity fraud in a nation where 62 million SIM cards circulate among 56 million people. "With mobile money transactions hitting Sh4.5 trillion last year, and SIMs used in 90 percent of fraud cases per our 2024 report, robust verification is non-negotiable," explained CA Director General Ezra Chiloba in a November 16 interview on Citizen TV, his tone a blend of technocratic assurance and paternal warning. "DNA and biometrics create a tamper-proof link—irrefutable proof of ownership, reducing ghost SIMs that fuel kidnappings and money laundering." The regulations mandate operators to maintain "comprehensive subscriber databases" updated in real-time, submitting quarterly reports to the CA via secure APIs, including anonymized trends on usage patterns and anomaly alerts for suspicious activities like sudden spikes in international calls.
Critics, however, decry the overreach as a blatant violation of the Data Protection Act's data minimization principle, which stipulates collecting only what is "necessary and proportionate" for a specified purpose. "Blood type for a SIM? That's not proportionate; it's predatory—exposing 62 million Kenyans to breaches where hackers could sell your genetic data on the dark web for Sh5,000 a profile," fired back Grace Kamau, executive director of the Kenya ICT Action Network (KICTANet), during the webinar, her words sparking a chat frenzy of 500 messages. The draft's requirement for operators to grant CA "access to systems, premises, facilities, files, records and other data" for inspections without warrants has alarmed legal experts, who see it as a backdoor to mass surveillance. "This outsources your biometrics to private telcos—Safaricom's servers hold your DNA, vulnerable to the next Equifax hack," noted constitutional lawyer Nelson Havi in a November 17 op-ed for The Standard, invoking the 2017 US breach that exposed 147 million personal records.
The public consultation, extended to February 28 after 5,000 submissions flooded in the first week, has become a battleground for civil society. The Kenya Human Rights Commission (KHRC) filed a 20-page objection on November 18, arguing the regulations contravene Article 31 of the Constitution on privacy rights and the 2019 Data Protection Act's sensitive data prohibitions. "DNA is your blueprint—leaking it risks discrimination, from insurers denying coverage to criminals targeting families," KHRC's George Kegoro warned in a press conference at their Upper Hill offices, where 200 activists gathered under banners reading "My SIM, My Privacy—Not CA's Database." Privacy International, a London-based watchdog, echoed the alarm in a November 20 advisory: "Kenya risks joining India's Aadhaar debacle, where biometrics leaked for 1.1 billion, enabling identity theft on an epic scale." KICTANet's Mutua launched a petition on Change.org, garnering 15,000 signatures by November 21, demanding "opt-in biometrics only, no DNA mandates."
Telco operators, caught in the crossfire, tread cautiously. Safaricom, with 36 million subscribers, issued a November 19 statement: "We support secure registration but urge proportionality—biometrics yes, but blood and DNA raise ethical red flags." Airtel Kenya's CEO, Maria Kageni, said at a Mombasa forum: "As custodians of 25 million SIMs, we'll comply, but safeguards must shield against breaches—end-to-end encryption, annual audits." The CA, in a November 22 clarification, defended the scope: "DNA and blood type are for ultimate verification in fraud cases—minimal collection, maximum protection." Yet the draft's proxy registration clause, which allows family or agents to enroll minors or elders, has sparked fears of data commodification, with rural elders in Turkana potentially "registered" without consent for government payouts.
On the regulations' timeline, the requirements become mandatory for new SIMs from July 1, 2026, with a 12-month grace period for the existing 62 million to re-verify biometrics at Huduma Centres. Non-compliance brings SIM deactivation after 90 days and fines of up to Sh1 million for operators. "We aim for 95 percent compliance by 2027—phased, with awareness drives in 47 counties," Chiloba assured, citing a partnership with the National Registration Bureau for ID-biometric linkages.
For traders like Mohamed in Eastleigh, the proposal pinches: "Sh50 SIM now needs my spit? I'll stick to cash—privacy over ping." Hassan, a 28-year-old university student in Rongai, fears surveillance: "Apps track me; now DNA? Who's watching the watchers?" Kegoro's KHRC said: "Article 31 demands consent; this draft demands compliance—repeal or refine."
The consultation closes February 28, with gazettement by April 2026. "Input shapes it—submit, shape the future," said CA's Chiloba. Mutua's petition stands at 15,000 signatures, the Privacy International advisory at 5,000 downloads, and the Safaricom statement at 100,000 views. For Mohamed and Hassan: "My data, my decision." In Kenya's digital dawn, the draft dawns divisive—a SIM saga where biometrics beckon big brother, and privacy pleads for parity.
The draft runs to 45 pages: its biometric scope follows Article 2 of the DPA, and its quarterly reports are API-secured. The grace period to re-verify is 12 months, fines for operators stand at Sh1 million, and partnerships bring NRB linkages. Chiloba's drives cover 47 counties. Kegoro's call for repeal rests on a 20-page objection, and Mutua's 15,000 signatures sit on Change.org. For Hassan: "Watchers watched." In the republic's resolute review, the regulations resonate—a biometric bridge where data demands deliberation, and Kenya codes consent.