The State That Watches | Inside Kenya’s Optimus 3.0 Social Media Monitoring Tool


At 6:47 p.m. on June 11, as lawmakers filed out of Parliament under Nairobi’s amber dusk, the 2025–26 Supplementary Budget was quietly published on the official portal. A line item in the security annex caught the sharpest eyes. 

“DCI budget increased by KES 150M for the purchase of OPTIMUS 3.0 SOCIAL MEDIA, a system to track social media users,” the post detonated. “We’re mourning Albert Ojwang and the killers (NPS) are being allocated more money to continue doing their thing.”

“DCI just bought Pegasus for Facebook,” one user posted. Another replied, “So we’re back to ghost arrests?”

By nightfall, WhatsApp groups had convened to question intent. What was Optimus 3.0? Who built it? What did ‘monitoring social media’ really mean in a country with a bloody history of political surveillance?

Origins of Fear

The Ksh. 150 million allocation appeared without fanfare. A line item under “social media forensics,” tucked deep in a supplementary budget. No vendor was named. No public tender posted on the Procurement Portal. Just silence.

But that silence raised alarm. Quest conversations with former intelligence contractors and digital rights advocates suggest Optimus 3.0 is spyware—foreign-built, Kenyan-commissioned—and believed to support…

  • Silent infiltration of Android and iOS devices, often without user interaction
  • Decryption of encrypted chats, including WhatsApp, Signal, and Telegram
  • Real-time social media surveillance, powered by facial recognition and sentiment tracking
  • Device fingerprinting, linking anonymous accounts to real identities

Though the Directorate of Criminal Investigations has not acknowledged these capabilities, the comparisons to Pegasus and Predator spyware feel increasingly plausible.

Kenya’s surveillance appetite is well documented. In 2017, officials reportedly entered direct talks with NSO Group, as revealed by Haaretz. Optimus 3.0 fits the same pattern. No oversight, no audit trail. Just a tool, buried in a budget, waiting to be used.

Architecture of Control

Surveillance isn’t deployed precariously; it is scaffolded. In Kenya, the legal armature of Optimus 3.0 is forming quietly around it. The proposed ICT Amendment Bill, 2025 would codify unprecedented state access to digital life, introducing…

  • Mandatory national ID verification for all social media users
  • Compulsory data retention by ISPs, with no need for a court order
  • Real-time metadata sharing between telecoms and government agencies

Under the Data Protection Act, 2019, any system that handles personal data at this scale must undergo a Data Protection Impact Assessment (DPIA).

In the 2021 Ex parte Katiba Institute ruling, the High Court made clear that no surveillance system should be deployed without such a risk review.

And yet, by July 2025, no DPIA for Optimus 3.0 has been published. Nor does the ICT Amendment Bill include any judicial warrant protocol. Digital rights group Tatua Digital calls the bill “a full-stack surveillance framework.”

“This isn’t just about oversight failure,” said a Nairobi-based constitutional lawyer. “It’s legal laundering of repression—drafted not to regulate power, but to protect it.”




Institutional Capture

The road to Optimus 3.0 was paved in silence through the familiar corridors of Kenya’s bureaucratic apparatus. The system’s approval passed through three key institutions: the Directorate of Criminal Investigations (DCI), the Communications Authority of Kenya (CAK), and Parliament’s Budget and Appropriations Committee.

The latter, chaired by MP Marianne Kitany, quietly greenlit the Ksh 150 million request under the broad, unexamined label of “digital forensics.” Civil society groups only deciphered the allocation’s true nature days after its passage.

At the operational core is the DCI’s Cyber Crime Unit, once limited to conventional fraud and online harassment. It has since morphed into a quasi-domestic intelligence unit lacking a statutory charter, bypassing judicial warrants, and increasingly reporting directly to the executive arm.

Its expansion mirrors a broader regional trend: security architecture justified by counterterrorism but swiftly redirected inward.

In prior years, Kenya acquired systems from Cellebrite, Palantir, and other military-grade vendors, often under opaque agreements shielded by “national security” clauses.

Optimus 3.0 appears to be the latest iteration. Not a defensive tool, but a political stabilizer. Its architecture suggests not only threat monitoring but preemptive containment of opposition, activism, and online dissent.

The Public Cost


Defiance is not dying in Kenya—it is adapting. The country’s Gen Z, born with smartphones in their palms and satire in their syntax, are louder than any law anticipated. They mock power in Sheng, livestream street protests, remix policy briefs into viral TikToks. 

Their politics is platformed, rhythmic, sharp-edged. And that is precisely what makes them dangerous to the state.

Surveillance hasn’t quieted them. But it has changed the terms of engagement. Every tweet, meme, and comment now carries a latent cost. In 2024, over 60 arrests were made under the vague charge of “misuse of a licensed communications device.” It is a charge crafted for flexibility, elastic enough to catch a joke, a GIF, a trending hashtag.

But the effect is not total silence. It is calibrated risk. Pages are deleted before they go viral. Telegram groups switch to “admin-only.” Memes circulate, but signatures vanish. The courage remains, but it is now dressed in caution.

Still, the bold persist. For every account deactivated, another is created. For every arrest made, another digital vigil is born. Kenya’s youth have not gone quiet. But they’ve learned what it means to speak in a country where voice is traceable and defiance is archived.

And the cost, increasingly, may not be censorship. It may be visibility.

Oversight Failure

The architecture of surveillance is expanding. The architecture of accountability is missing.

Kenya’s Office of the Data Protection Commissioner, the very institution tasked with safeguarding privacy, has published no technical guidance on Optimus 3.0. Its 2024 Annual Report, sprawling across more than 1,000 pages, makes no mention of data protection impact assessments for surveillance platforms. Not a line. Not a footnote.

Parliament, meanwhile, has called no public hearings. The Directorate of Criminal Investigations, the Communications Authority, and the Ministry of ICT have faced no formal scrutiny over deployment, scope, or legal safeguards.

There is no published warrant process. No audit log. No internal checks. The few institutions designed to ask questions have been resourced into irrelevance—or kept outside the room entirely.

The ODPC itself appears sidelined by design. Underfunded, overtasked, and stripped of enforcement teeth. It can file reports, but it cannot stop the machine.

And globally? No independent forensic team, not Citizen Lab, not Amnesty International’s Security Lab, has confirmed an ongoing investigation into Kenyan device compromise. There are no alerts. No advisories. No tools to tell if your phone has already been opened.

The only watchdogs left are citizens. And they’re the ones being watched.

How Optimus 3.0 Sees and Silences


Optimus 3.0 is a carefully budgeted phantom. Authorized yet unaccountable. The state holds both the match and the blindfold, wielding surveillance without a trace, without a witness.

Technically, it is a master of silent invasion. It exploits unknown flaws—zero-days—in the very software designed to protect us. Delivered through invisible channels, malicious links, disguised system updates, and compromised networks, it installs a ghost in the machine, granting access to microphones, cameras, locations, encrypted conversations, even files thought deleted.

Along with the device, it reaches into the arteries of the internet itself, partnering with ISPs to intercept data midstream, a modern-day man-in-the-middle unseen and unheard. It bears resemblance to notorious tools like Pegasus spyware but with a local guise and global implications.

Resistance is layered but fragile. Keeping systems patched, steering clear of suspicious links, favoring secure platforms like Signal, and deploying firewalls such as NetGuard form a fragile shield.

Tools like the Mobile Verification Toolkit allow activists to probe their devices for infection, but these are defensive measures, reactive and partial. Against a state actor armed with near-limitless resources, even these may only delay the inevitable.

Still, in the face of industrial-grade surveillance, even small safeguards can become acts of resistance...

| Threat Vector | Recommended Defense | Tools & Notes |
| --- | --- | --- |
| Remote spyware injection | Avoid unknown links, attachments, or app update prompts | Use app stores only (Google Play, App Store); consider NetGuard (Android only) |
| Man-in-the-middle interception | Use encrypted messaging and trusted networks | Signal (end-to-end by default); VPNs like Mullvad (no-log) |
| Messaging platform weaknesses | Choose apps with default encryption; avoid cloud-synced message backups | Signal > WhatsApp > Telegram; use “Secret Chats” in Telegram; disable auto-backup |
| ISP data profiling & DNS leaks | Encrypt browsing and hide DNS traffic from ISPs | Cloudflare 1.1.1.1, DNSCrypt, Tor Browser |
| OS or software vulnerabilities | Keep software updated and avoid sideloaded apps | Enable auto-updates; use Google Play Protect |
| Device compromise detection | Run periodic spyware scans and forensic audits | Mobile Verification Toolkit (MVT), iMazing (macOS/iOS) |
| Physical device seizure or theft | Lock device with biometrics, strong PINs, and enable full encryption | Android File Encryption, iOS Data Protection, Secure Lock Screens |
| High-risk communication needs | Use dedicated, offline or “clean” devices with minimal apps | Secondary burner phones; no personal logins; no syncing |
| Suspected spyware infection | Power off device and seek expert forensic assistance | Access Now Helpline, Amnesty’s Security Lab, MVT |

Worse still, the looming ICT Amendment Bill threatens to institutionalize surveillance under the guise of legality, removing the checks, the courts, and the public scrutiny that might have restrained it.

The optimist says Kenya’s courts will step in. The realist says laws like the ICT Bill are designed to pre-empt oversight. When surveillance is coded into legislation, the Constitution becomes optional.

Optimus 3.0 is no longer a line item. It’s a mirror of he who holds power. And he who watches as and when he abuses it.
