How the DCI Uses Spyware to Monitor Calls, Messages, and Location Data

Spyware was installed on the phone of filmmaker Bryan Adagala while the device was in the custody of Kenyan police, according to a forensic report by digital rights watchdog Citizen Lab.

The phone was one of four seized by the Directorate of Criminal Investigations (DCI) following the arrest of Adagala and three other creatives, MarkDenver Karubiu, Nicholas Wambugu, and Christopher Wamae, on 2 May 2025. The group had worked on the documentary Blood Parliament, and were detained under the Computer Misuse and Cybercrimes Act, which has faced growing criticism for its use against government critics. Their devices were returned on 10 July.

A forensic analysis by Citizen Lab, based at the University of Toronto, confirmed with “high confidence” that the commercial surveillance tool FlexiSpy was installed on Adagala’s iPhone on 21 May at 5:17 pm, during the period the phone remained in police possession. The software allows remote access to calls, messages, and real-time location data. The report was conducted at the request of Adagala and his legal team.

Lawyer Ian Mutiso, representing the four men, has advised them to stop using the compromised devices and plans to challenge the chain of custody in court. He confirmed that the full report will be disclosed once judicial permission is granted. The Directorate of Public Prosecutions (DPP) has not yet decided whether to proceed with charges against the group.

The spyware incident has added to broader concerns about digital surveillance in Kenya, particularly the targeting of activists, journalists, and dissenting voices. In 2024 and 2025, civil society groups documented extensive monitoring during Gen-Z-led protests against economic conditions and government policy. The Paradigm Initiative, supported by the Open Society Foundations, reported over 80 abductions linked to geolocation tracking during the unrest.

Other legal cases have highlighted the expanding scope of state surveillance. Software developer Mary Wacuka Maina is suing for Sh290 million in damages over a failed contract to develop a surveillance system allegedly aimed at opposition figures. In a separate case, a DCI officer admitted in court to accessing blogger David Mokaya’s personal data from Safaricom without a court order. Mokaya is currently facing charges under the cybercrime law.

The Communications Authority of Kenya (CA) has also come under scrutiny. Although it denies participating in real-time tracking, the Supreme Court ruled in 2023 that the agency could permit access to subscriber data. The CA has further denied any operational role in the controversial arrest of Kelvin Moinde, which was linked to the death of a teacher.

Legal challenges to the Computer Misuse and Cybercrimes Act are ongoing. The Bloggers Association of Kenya is appealing a 2020 High Court ruling that upheld 26 disputed provisions of the law. Constitutional lawyer Mercy Mutemi has argued that the legislation is being used to suppress free expression online. Concerns have also been raised over recent budget allocations. The National Treasury has set aside Sh120 million for a new surveillance system for the DCI, which sources say is already in operation. 

Critics argue that such investments point to a deepening of surveillance practices under the guise of national security. International organisations have taken note. The Civicus Monitor currently classifies Kenya’s civic space as “obstructed”, citing the use of force against peaceful protesters and the misuse of digital surveillance. 

The US Department of State has acknowledged efforts to address human rights issues but continues to report widespread impunity and overreach by security agencies.