Raising an Alarm During Abductions: The Case of the Anti-Finance Bill Protests in Kenya
20 Feb 2026

Note: This document is written for interlocutors in Kenya to share our work – “At-Compromise Security: The Case for Alert Blindness” (to appear at EUROCRYPT 2026) – directly with them.
I am so happy. This is not just the poor, but this is everyone coming together. People had femicide, then they had the floods, so when it came to the Finance Bill they’d had enough (Protester, Nairobi, 25 June 2024).
This sense of revolutionary relief marked the 25 June 2024 for many protesters on the streets of several Kenyan cities. A relief that turned out to be short-lived.
During these protests against the proposed 2024 Finance Bill, William Ruto’s security forces abducted people for their assumed protest-related activities. At the time of the protests – and in their aftermath – we conducted fieldwork in Kenya (mainly in Nairobi, but with visits to Mombasa and Kisumu) over six and a half months, with the aim of understanding the security needs and practices among protesters and activists. This work is joint between Rikke, who conducted the fieldwork, and cryptographers Ben, Martin and Simone.[1]
Since the last period of fieldwork in early 2025, we have been analysing the wealth of field data and the extensive contributions from the people in Kenya who engaged in our research – through daily interactions in different settings, interviews, placard-making sessions, group discussions and so on. Through this, we have produced our first piece of work, which we describe in these pages; it concerns the ability to raise an alarm during abductions without the abductors noticing. While our work is not limited to abductions, this emerged as a key finding from the fieldwork.
To ground our contribution, we incorporate some observations and quotes from people who were abducted during this period and who trusted us with their experiences. We also stress that what we set out here is not to suggest a technological solution to abductions, but to focus on a particular form of protection during abductions (and potentially other forms of capture).
Abductions as a new threat
The fieldwork revealed how the risk of being abducted was not considered a security concern before the anti-Finance Bill protests in 2024, while arrests and physical violence were expected. One participant who was abducted in the early days of the protests exemplified this:
No, no, no. There wasn’t a concern at that point […] We have done demonstrations before. The worst that they [the security forces] can do ... they normally arrest you, then they charge you and then give you a cash bail or whatever. It had never reached a point where they could torture people or go beyond that. You see now, for us, this is something that was normal to us. Abductions weren’t.
Abductions gave rise to security strategies that broadened the collective security; protesters increasingly relied on each other and their networks for protection. This was, for example, seen in how they sought to move in groups with established check-in protocols, temporarily moved in with friends or family and avoided staying in one place for more than a few days. Some had a second (clean) phone and several phone numbers which were often linked to someone else’s ID, while they relied on support organisations for legal and medical assistance.
Coordinated abductions
The experiences of those who were abducted highlight how abductions were often carried out by ‘abduction squads’[2] of between four and eight masked individuals who did not identify themselves. Those abducted had their phones taken and were asked to unlock them. They were beaten, threatened and driven to an unknown location.
Most of the abductions were coordinated and followed a similar pattern. Once at the location, the abducted person was ‘handed over’ to interrogators who questioned them about their protest activities, inquired about funding for the protests and forced them to unlock their devices. They threatened and tortured them. Between interrogations they were kept in a room, blindfolded and with their hands tied, often lying on the floor or a mattress. One abducted person shared the psychological and physical torture they had endured:
[I]t’s psychological torture, because they [interrogators] tell you: ‘Just remember, you are not going back […] so it depends on how you answer us, how we will handle you depends on how you answer our questions. Who is financing you? What are you planning?’ […] They were using a tool. I don’t know whether it was an iron or wood, hitting me on the arm. So, I still have injuries.
Others were kept in their abductors’ moving vehicle, occasionally being taken out for questioning, beatings and torture. While some of those abducted were taken to a police station after a couple of days and released, others were ‘dumped’ in unknown locations and found by locals far away from where they had been captured. Others were killed and later retrieved from, for example, swamps and quarries or discovered in morgues.
During this period, the practice of raising an alarm, which was already an established protection mechanism among activist groups in the case of arrest, was adapted to the threat of abductions. Protesters developed informal tactics to secretly alert trusted contacts that they had been taken, to mount public online pressure to call for their release. There are several examples of this leading to the release of the abducted person and many surmised that the ability to ‘shout’ had saved them. As shared by one participant who was abducted during the time of the protests:
I declined the call and I wrote to him a message. Very brief message: ‘Hey, I’m being abducted. I don’t know where I am’ […] After I had texted him, he took the screenshot [of the message] and posted it on X […] funnily enough, after like 30 minutes or so, as they [the abductors] were driving me around, the car stopped again […] They opened the trunk, and then they started beating me up. And then they asked me: ‘Where is that phone?’ So they knew that I had another phone because my friend shared my screenshot […] I think that is the only thing that saved me.
At-Compromise Alert Blindness
Based on these findings, we formalise a new security goal called at-compromise security (AtC), which tries to provide some protection even during an ongoing ‘compromise’, i.e. an abduction. For example, AtC might enable a person to safely send an SOS message to a server – a computer operated by a trusted organisation.
A key idea that emerged from our data is alert blindness (AB): the system should let a person send an SOS message without the abductor realising it. At first glance this seems impossible: if the attacker can see everything on the device, how can a covert message be sent? We show how this becomes possible if we take into account that a person and their device are two separate entities, and we combine secrets that the person memorises (like a PIN) with secrets that are stored somewhere else (like on a server).
Moreover, we can exploit the abductors’ behaviour: they force the people they abduct to unlock their phones to extract information and gather intelligence. By designing a protocol that reacts differently depending on which PIN the person enters, the server can detect an SOS attempt even when the abductor sees nothing unusual.
Concretely, our protocol works as follows. During setup, the person picks a PIN (e.g. a four-digit PIN) and communicates it to the server. The server never sees the actual PIN but only a unique random digest of it. This digest can be thought of as a sealed envelope of a unique colour that corresponds to the PIN; the server sees the envelope colour but not the PIN inside the envelope. Suppose the person chooses 7863 as their PIN and this maps to pink. The server stores the pink envelope.
After setup, the person uses their device normally with this PIN. Each time they enter the PIN, the phone sends the corresponding envelope colour to the server, which replies with a secret needed to unlock the device. In our example, the person enters 7863, the device sends the pink envelope, the server recognises it as the setup envelope, and returns the unlocking secret. The app unlocks as expected.
The interesting case is when the person enters a PIN different to the one chosen at setup, i.e. different to 7863 in our example. If the person enters any other PIN, the device sends the corresponding envelope colour to the server. When the server sees that this envelope colour differs from the stored setup envelope (i.e. it is not pink), it knows that something has gone wrong – and interprets this as an SOS signal. In any case, the server sends the secret needed to unlock the app back to the device, so that the app unlocks as expected, but it also triggers the SOS signal.
In summary, the correct PIN (7863 in our example) unlocks the app but no SOS signal is triggered. Any other PIN (any PIN that is not 7863 in our example) unlocks the app and sends an SOS signal – but the abductor notices no difference.
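The message flow described above can be sketched as a toy model. This is an added example, not the protocol from our paper: the `envelope` function (HMAC-SHA256 under a device-held key), the `Server` class and the duress PIN 1234 are assumptions chosen for illustration. It shows that the server's reply is identical for both PINs and that the alert state exists only on the server.

```python
import hashlib
import hmac
import secrets


def envelope(device_key: bytes, pin: str) -> bytes:
    """The 'envelope colour': a keyed digest of the PIN.
    HMAC-SHA256 under a device-held key is an assumption of this sketch."""
    return hmac.new(device_key, pin.encode(), hashlib.sha256).digest()


class Server:
    """Toy model of the trusted server; it stores only the setup envelope."""

    def __init__(self) -> None:
        self.setup_envelope = b""
        self.unlock_secret = secrets.token_bytes(32)
        self.alerts = 0  # kept server-side only, never sent to the device

    def setup(self, env: bytes) -> None:
        self.setup_envelope = env

    def unlock(self, env: bytes) -> bytes:
        # Constant-time comparison; a mismatch is interpreted as an SOS.
        if not hmac.compare_digest(env, self.setup_envelope):
            self.alerts += 1
        # The reply is the same in both branches, so the device (and anyone
        # watching it) cannot tell whether an alert was raised.
        return self.unlock_secret


def demo() -> dict:
    device_key = secrets.token_bytes(32)  # constructed sample key
    server = Server()
    server.setup(envelope(device_key, "7863"))  # PIN from the example above

    normal = server.unlock(envelope(device_key, "7863"))
    alerts_after_normal = server.alerts
    duress = server.unlock(envelope(device_key, "1234"))  # any other PIN
    return {
        "same_reply": normal == duress,
        "alerts_after_normal": alerts_after_normal,
        "alerts_after_duress": server.alerts,
    }


if __name__ == "__main__":
    print(demo())
```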
Next steps
The immediate step for us is to explore what should happen once an SOS signal is triggered. Who should be alerted? Which trusted organisation might run the server? What social protocols should be in place? How do we mitigate false SOS signals? To answer some of these questions we hope to run a series of community co-design sessions over the coming months.
Acknowledgements
This work would not exist without the many people in Kenya who so generously gave of their time to engage in this work. They accepted us into their spaces of organising and protesting at a time when they faced growing threats to their security and trusted us with their experiences.
[1] https://social-foundations-of-cryptography.gitlab.io/team.

[2] A Human Rights Watch report (https://www.hrw.org/news/2024/11/06/kenya-security-forces-abducted-killed-protesters) points to how ‘abduction squads’ comprised central security units, specifically the Directorate of Criminal Investigations (DCI), supported by the Rapid Deployment Unit (RPU), military intelligence, the Anti-Terrorism Police Unit (ATPU) and the National Intelligence Service (NIS).