Close Menu
    Facebook LinkedIn YouTube Instagram X (Twitter)
    Blue Tech Wave Media
    Facebook LinkedIn YouTube Instagram X (Twitter)
    • Home
    • Leadership Alliance
    • Exclusives
    • Internet Governance
      • Regulation
      • Governance Bodies
      • Emerging Tech
    • IT Infrastructure
      • Networking
      • Cloud
      • Data Centres
    • Company Stories
      • Profiles
      • Startups
      • Tech Titans
      • Partner Content
    • Others
      • Fintech
        • Blockchain
        • Payments
        • Regulation
      • Tech Trends
        • AI
        • AR/VR
        • IoT
      • Video / Podcast
    Blue Tech Wave Media
    Home » Special report: Smart Africa leaked email list was obtained without consent
    AFRINIC

    Special report: Smart Africa leaked email list was obtained without consent

    By Jocelyn FangSeptember 4, 2025No Comments5 Mins Read
    Share
    Facebook Twitter LinkedIn Pinterest Email
    • Our interviews find the overwhelming majority of respondents deny sharing contact details with Smart Africa or even knowing the organisation.
    • Smart Africa’s possession of a mass mailing list highly questionable. 

    What happened: A mass-email error reveals a sensitive contact list

    A special investigation by BTW Media has revealed that the majority of emails exposed by Smart Africa in its clumsy email last month were obtained without the consent of the owner.

    Smart Africa circulated an invitation titled “Online Consultation Session on AFRINIC Elections & CAIGA Framework” with recipients placed in the To field rather than Bcc, exposing a large set of AFRINIC-aligned email addresses to all other recipients. Independent coverage reports that the message originates from a Smart Africa project manager and describes the scale as thousands of addresses, elevating the incident from a simple etiquette lapse to a significant data-exposure event.

    What our interviews show: Most recipients reject any notion of consent

    BTW Media contacted many of the AFRINIC resource members and network operators whose emails were exposed. The vast majority told us they never shared email addresses with Smart Africa and, in many cases, had “no idea who they are.” Typical responses include: “Absolutely not”; “No, we did not”; “I have never shared my contact information and did not consent”; and “No, I did not share my email and I don’t know them.” Several interviewees explicitly request that no further contact be made. A minority acknowledge that their addresses might be discoverable elsewhere—for example, where an engineer agrees to be listed as a technical contact on an ASN or IP resource—yet emphasise that technical WHOIS entries are not blanket consent for mass outreach unrelated to incident response.

    Also read: Smart Africa leaks thousands of AFRINIC member email addresses

    Why Smart Africa’s explanation falls short: Public vs non-public data

    There are two sources of AFRINIC-related contact data on the public record, and neither cleanly justifies Smart Africa’s possession of a consolidated mass-mail list:

    • AFRINIC membership pages list organisations and physical addresses for transparency, but they do not present a downloadable or browsable compendium of member emails. 
    • AFRINIC’s WHOIS is an official public record intended for Internet operations (abuse, routing, incident coordination) and is explicitly accessible to anyone; it is not a marketing database. AFRINIC further notes that bulk WHOIS data is meant for operational or research purposes. 

    By contrast, Smart Africa’s visible-recipient message appears to target a broad constituency of members, not specific resource contacts about an operational incident. That mismatch between purpose and use sits at the core of the criticism expressed by interviewees.

    Also read: Why the AFRINIC dispute is about more than IP addresses – it’s about freedom

    Risk profile: Security and legal obligations trigger

    Exposed registry-adjacent addresses are attractive to phishers who can impersonate AFRINIC or vendors to harvest credentials, initiate fraudulent resource changes, or solicit payments. The legal exposure is non-trivial: Mauritius’s Data Protection Act 2017 requires breach notification to the Commissioner within 72 hours where a controller becomes aware of a personal-data breach, with potential obligations to notify affected individuals if risk is high. If the list originates inside AFRINIC or from an AFRINIC contractor, questions arise over controller/processor roles and the lawful basis for disclosure; if Smart Africa compiled the list from disparate sources, it must still demonstrate a valid legal basis for processing.

    Smart Africa’s growing role – and why higher standards apply

    Smart Africa positions itself as a convening platform for Africa’s digital transformation and has recently publicised a co-ordinated continental response to the AFRINIC governance crisis. That stewardship claim sharpens expectations around data governance: a body seeking influence over internet-governance outcomes must meet baseline privacy and security hygiene, including strict access control to lists, opt-in records, and default Bcc for any external mailings.

    Also read: Secret AFRINIC ‘Reforms Committee’ sparks fresh concerns over internet governance in Africa

    What Smart Africa must answer now

    • Provenance: How does Smart Africa obtain a member-like mailing list that is not public on AFRINIC’s site? If received from any AFRINIC source, what is the legal basis and what agreements govern the transfer? If compiled externally, what is the processing basis and the purpose limitation?
    • Breach response: Who is the controller for this dataset and have the required 72-hour notifications been triggered? Are affected individuals being warned against phishing (with DMARC/DKIM/SPF guidance) and provided with a contact point for remediation?

    Context for readers: What WHOIS does—and does not—do

    To understand the nuance raised by our sources, it helps to recall that IANA allocates AS-number ranges to regional registries, and each RIR publishes WHOIS so engineers can reach the right people quickly. In AFRINIC’s region, that transparency is foundational to routing stability, but it is not carte blanche for broad political or policy mobilisation without consent. 

    Bottom line from the interviews

    The overwhelming message from those we contacted is simple: they do not consent to Smart Africa’, they do not know how their emails land on the list. Smart Africa need provides a verifiable explanation for the list’s provenance and demonstrates compliance with data-protection obligations, the criticism from AFRINIC’s community is both reasonable and well-founded.

    Afrinic email privacy Smart Africa Smart Africa mailing list
    Jocelyn Fang

    Jocelyn is a community engagement specialist at BTW Media, having studied investment Management at Bayes business school . Contact her at j.fang@btw.media.

    Related Posts

    How constitutional ambiguities endanger AFRINIC

    September 4, 2025

    AFRINIC crisis tests Mauritius Constitution and ICANN role

    September 4, 2025

    AFRINIC and political neutrality: Lessons from Mauritius’ constitutional debates

    September 4, 2025
    Add A Comment
    Leave A Reply Cancel Reply

    CATEGORIES
    Archives
    • September 2025
    • August 2025
    • July 2025
    • June 2025
    • May 2025
    • April 2025
    • March 2025
    • February 2025
    • January 2025
    • December 2024
    • November 2024
    • October 2024
    • September 2024
    • August 2024
    • July 2024
    • June 2024
    • May 2024
    • April 2024
    • March 2024
    • February 2024
    • January 2024
    • December 2023
    • November 2023
    • October 2023
    • September 2023
    • August 2023
    • July 2023

    Blue Tech Wave (BTW.Media) is a future-facing tech media brand delivering sharp insights, trendspotting, and bold storytelling across digital, social, and video. We translate complexity into clarity—so you’re always ahead of the curve.

    BTW
    • About BTW
    • Contact Us
    • Join Our Team
    TERMS
    • Privacy Policy
    • Cookie Policy
    • Terms of Use
    Facebook X (Twitter) Instagram YouTube LinkedIn

    Type above and press Enter to search. Press Esc to cancel.