Special report: Smart Africa leaked email list was obtained without consent
- Our interviews find the overwhelming majority of respondents deny sharing contact details with Smart Africa or even knowing the organisation.
- Smart Africa’s possession of a mass mailing list is highly questionable.
What happened: A mass-email error reveals a sensitive contact list
A special investigation by BTW Media has revealed that the majority of the email addresses exposed by Smart Africa in its clumsy email last month were obtained without the consent of their owners.
Smart Africa circulated an invitation titled “Online Consultation Session on AFRINIC Elections & CAIGA Framework” with recipients placed in the To field rather than Bcc, exposing a large set of AFRINIC-aligned email addresses to all other recipients. Independent coverage reports that the message originates from a Smart Africa project manager and describes the scale as thousands of addresses, elevating the incident from a simple etiquette lapse to a significant data-exposure event.
What our interviews show: Most recipients reject any notion of consent
BTW Media contacted many of the AFRINIC resource members and network operators whose emails were exposed. The vast majority told us they never shared email addresses with Smart Africa and, in many cases, had “no idea who they are.” Typical responses include: “Absolutely not”; “No, we did not”; “I have never shared my contact information and did not consent”; and “No, I did not share my email and I don’t know them.” Several interviewees explicitly request that no further contact be made. A minority acknowledge that their addresses might be discoverable elsewhere—for example, where an engineer agrees to be listed as a technical contact on an ASN or IP resource—yet emphasise that technical WHOIS entries are not blanket consent for mass outreach unrelated to incident response.
Why Smart Africa’s explanation falls short: Public vs non-public data
There are two sources of AFRINIC-related contact data on the public record, and neither cleanly justifies Smart Africa’s possession of a consolidated mass-mail list:
- AFRINIC membership pages list organisations and physical addresses for transparency, but they do not present a downloadable or browsable compendium of member emails.
- AFRINIC’s WHOIS is an official public record intended for Internet operations (abuse, routing, incident coordination) and is explicitly accessible to anyone; it is not a marketing database. AFRINIC further notes that bulk WHOIS data is meant for operational or research purposes.
By contrast, Smart Africa’s visible-recipient message appears to target a broad constituency of members, not specific resource contacts about an operational incident. That mismatch between purpose and use sits at the core of the criticism expressed by interviewees.
Risk profile: Security and legal obligations trigger
Exposed registry-adjacent addresses are attractive to phishers who can impersonate AFRINIC or vendors to harvest credentials, initiate fraudulent resource changes, or solicit payments. The legal exposure is non-trivial: Mauritius’s Data Protection Act 2017 requires breach notification to the Commissioner within 72 hours where a controller becomes aware of a personal-data breach, with potential obligations to notify affected individuals if risk is high. If the list originates inside AFRINIC or from an AFRINIC contractor, questions arise over controller/processor roles and the lawful basis for disclosure; if Smart Africa compiled the list from disparate sources, it must still demonstrate a valid legal basis for processing.
Smart Africa’s growing role – and why higher standards apply
Smart Africa positions itself as a convening platform for Africa’s digital transformation and has recently publicised a co-ordinated continental response to the AFRINIC governance crisis. That stewardship claim sharpens expectations around data governance: a body seeking influence over internet-governance outcomes must meet baseline privacy and security hygiene, including strict access control to lists, opt-in records, and default Bcc for any external mailings.
What Smart Africa must answer now
- Provenance: How does Smart Africa obtain a member-like mailing list that is not public on AFRINIC’s site? If received from any AFRINIC source, what is the legal basis and what agreements govern the transfer? If compiled externally, what is the processing basis and the purpose limitation?
- Breach response: Who is the controller for this dataset and have the required 72-hour notifications been triggered? Are affected individuals being warned against phishing (with DMARC/DKIM/SPF guidance) and provided with a contact point for remediation?
Context for readers: What WHOIS does—and does not—do
To understand the nuance raised by our sources, it helps to recall that IANA allocates AS-number ranges to regional registries, and each RIR publishes WHOIS so engineers can reach the right people quickly. In AFRINIC’s region, that transparency is foundational to routing stability, but it is not carte blanche for broad political or policy mobilisation without consent.
Bottom line from the interviews
The overwhelming message from those we contacted is simple: they have given Smart Africa no consent, and they do not know how their emails land on the list. Until Smart Africa provides a verifiable explanation for the list’s provenance and demonstrates compliance with data-protection obligations, the criticism from AFRINIC’s community is both reasonable and well-founded.