Stalking the Messenger: Ending Impunity for Illegal Surveillance

Opinion |

We know that the issues around digital surveillance are complicated. The tech side of the tools used and the means to circumvent them are complicated. Drawing a hard line between what may be acceptable to help ensure our personal security and what pushes our societies into Orwellian territory is also complicated.

As the revelations of the Pegasus Project show us, illegal surveillance is the latest weapon in the ever-growing arsenal used against journalists and human rights defenders. In effect, surveillance in this context is equivalent to stalking. A pernicious activity that can easily cross from online harassment to physical attacks. It’s illegal. It disproportionately affects those who are among the most vulnerable, whether because of their gender, sexual orientation, race, or ethnicity. And if people are permitted to stalk with impunity, the problem will not stop.

Increasingly used as a laser-focused tactic, a weapon to intimidate, instil fear, and paralyse the work of journalists, this kind of surveillance puts sources at risk and impedes journalists from providing us with information to expose crime and corruption, and to speak the truth about power.

“I don’t think it’s journalists as individuals that the government has a problem with. The government has a problem with the people […] It wants to continue committing crimes in the shadows so that no one will uncover those facts or ask questions about it. And journalists are the ones who spoil this plan.” — Azerbaijani journalist Sevinj Vaqifqizi.

On this International Day to End Impunity for Crimes Against Journalists, a day advocated for by IFEX, we need to bring surveillance to the fore as a tactic that is threatening journalists’ safety, and draw attention to how impunity creates the conditions under which it will continue to thrive.

IFEX members have long warned of the dangers of malware like Pegasus. A product of the Israeli NSO Group, it infects targets’ phones, exposes data, and even gains access to cameras and microphones. Despite the company’s claim that it vets clients based on their human rights records, it sold Pegasus to authoritarian regimes – as well as to countries like Mexico, where targets included media figures, a government scientist, and international human rights investigators – united by having publicly posed challenging questions to the government.

The personal impact of such surveillance can be devastating.

“When you are speaking, watching, or doing something with someone in your house or in a cafe or wherever you may be, they are there listening to you, watching everything that you do. Everything that you do in your bedroom, the shower, in your kitchen, in your office with your friends, or whoever.” — Mexican journalist Carmen Aristegui: profiled here

“My family members are also victimized. The sources are victimized, people I’ve been working with, people who told me their private secrets are victimized.” — Azerbaijani journalist Khadija Ismayilova: profiled here

Globally, at least 180 journalists were selected as Pegasus targets.

The decades our network has put into promoting journalists’ safety confirm that it cannot be fully achieved in a climate where individuals – or states – can intimidate, threaten, and harm them, and not be held accountable. Year-round, IFEX members work to bring perpetrators to justice, and to establish conditions that will make it harder for them to commit such crimes in the first place.

We know that it is a massive undertaking. In spite of being illegal under international human rights law, actors involved in illegal surveillance are almost never held accountable.

The challenge is to identify where to intervene, where to spend our energy, where we can have the biggest impact in stemming this predatory practice – including, but not limited to, confronting corporations and governments that enable and participate in the illegal surveillance of journalists.

It’s a many-headed beast, surveillance. There are multiple entry points to effect change, from policy work to set boundaries on what is considered ‘necessary and proportionate’ surveillance, to pressuring states to adopt international standards, to controls on the exports of spyware, to supporting preventive measures like strengthening and normalizing encryption.

Ending impunity for illegal surveillance has to be part of this work. It’s a long game, not for the weak-of-heart, and this is even more true when the perpetrators of the crimes are states. But we know from our experience seeking accountability for physical attacks on journalists that this type of sustained work does pay off. Just over a week ago, two decades of advocacy – by IFEX member FLIP, by Jineth Bedoya Lima herself, and by so many others – led to the groundbreaking Inter-American Court of Human Rights ruling in her case that there was “serious, precise and consistent evidence of State involvement in the acts of physical, sexual and psychological torture against the journalist.” This ruling sets an important precedent for the entire region.

The other good news is that we have a lot to draw on, on our side. There is a massive, global network of people – working in different fields, perhaps, or focusing on different issues – but with the combined skills, expertise, and clout needed to ensure that illegal surveillance does not go unchallenged, that those found culpable pay a price, and that this price effectively deters others.

As long as we keep leveraging opportunities like IDEI to come together, collaborate, learn from and support each other, raise our voices and find strategic pressure points where we can have a real impact, we can, and will, counter the scourge of illegal surveillance of journalists.

Annie Game is the Executive Director of IFEX, the global network that promotes and defends freedom of expression and information as a fundamental human right.

Policy Brief: How African States Are Undermining the Use of Encryption

By Lillian Nalwoga |

Encryption enables internet users to protect their data and communications from unauthorised access. Accordingly, anonymity and the use of encryption in digital communications are key enablers of citizens’ enjoyment of the right to privacy.

Worryingly, many African countries have passed legislation that limits anonymity and the use of encryption, purportedly to aid governments’ efforts to combat terrorism and crime. Other governments in the region limit the use of encryption to enable them to monitor the communications of critical journalists, human rights defenders, and opposition politicians.

In commemoration of the inaugural Global Encryption Day, the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) has published a policy brief that highlights restrictions to encryption and what needs to be done by governments in Africa to promote the use of encryption. The brief shows that encryption laws and government practices in several countries undermine the privacy rights of citizens, which in turn hampers their right to free expression and to secure use of digital technologies.

The importance of the right to anonymity in the digital era has been recognised in the Declaration of Principles on Freedom of Expression and Access to Information in Africa of the African Commission on Human and Peoples’ Rights. Principle 40(3) provides that: “States shall not adopt laws or other measures prohibiting or weakening encryption, including backdoors, key escrows, and data localisation requirements unless such measures are justifiable and compatible with international human rights law and standards.”

However, encryption is under threat from governments in Africa, as indeed in other parts of the world. Among the concerns cited by the brief are legislation and regulations that require registration and licensing of encryption service providers before they can offer cryptographic services. This is the case in Benin, Chad,  Cameroon, Congo Brazzaville, Democratic Republic of Congo (DR Congo), Ethiopia, Guinea, Ivory Coast, Malawi, Mali, Morocco, Senegal, South Africa, Tanzania, Tunisia and Zambia, among others. Offering encryption services without a license attracts penalties, as does failure to hand over secret encryption codes to state authorities, or using prohibited encryption tools.

Encryption in Africa

The requirement for registration of encryption services providers makes it easy for regulators and other government agencies to access information held by these service providers, including decryption keys and encrypted data. This undermines best practices which require governments to reject laws, policies, and practices that limit access to or undermine encryption and other secure communications tools and technologies. 

Further, the brief points to how governments in Africa prohibit the use of some types of encryption and require disclosure to regulators of the characteristics of cryptology. Crucially, governments should not prohibit the use of encryption by grade or type. Further, governments should not mandate insecure encryption algorithms, standards, tools, or technologies. 

Meanwhile, laws on interception of communications across the continent including in Benin, Cameroon, Chad, Ivory Coast, Malawi, Mali, Niger, Nigeria, Rwanda, Senegal, Tanzania, Togo, Tunisia, Uganda, Zambia and Zimbabwe require communication service providers to put in place mechanisms, including the installation of software, which facilitates access and interception of communications by state agencies. Indeed, state agencies in several countries can request for decryption of data held by service providers, which poses a big concern. 

For instance, Zimbabwe’s Interception of Communications Act requires cryptography services providers to decrypt data at judicial authorities’ request or provide them with the codes allowing the decryption of data they have encrypted (article 78). Section 11(1)(d) permits security agents to demand that information is decrypted before it is handed to them, where the disclosure is necessary for national security, to prevent or detect a severe criminal offense, or in the interests of the country’s economic well being. Failure to comply is punishable with up to five years’ imprisonment, a fine not exceeding USD 373, or both. Similar provisions are found in the laws of several other countries.

Such compelled assistance from service providers has been reinforced with mandatory SIM card registration of phone users around the continent, as well as data localisation requirements amidst ineffective safeguards.

 In some countries, if the private communications of human rights defenders and opposition politicians fall into the hands of state agencies, the consequences can be dire. The brief cites Rwanda, where the private communications of musician Kizito Mihigo, opposition leader Diane Rwigara, and two former army officers were used in their separate prosecutions. In Ethiopia, the Zone 9 bloggers were detained and prosecuted, among others, for using encrypted communications.

Meanwhile, Uganda instituted a ban on use of Virtual Partial Networks (VPNs) in the face of internet taxes and network disruptions. For its part, Zimbabwe barred telecom operator Econet Wireless from introducing the Blackberry Messenger service, which provided encrypted messaging, arguing that it contravened the southern African country’s interception of communications law which bars provision of services which the communications regulator can not intercept. Another example cited is Mauritius, which this year attempted to introduce a controversial lawful interception mechanism that would decrypt and re-encrypt all social media traffic. 

In light of the above concerns, the CIPESA brief is urging governments to repeal or amend provisions that place undue restrictions on the use of encryption tools; cease blanket compelled service providers and intermediary assistance to state agents and instead provide for clear and activity-bound assistance; and enact data protection and privacy laws that robustly promote the use of strong encryption. 

The full brief can be accessed here.

Will Our Human Rights and Freedoms and a Free and Open Internet be the Next Victims of Cybercrime?

Manifesto Launch |

The Collaboration on International ICT Policy for East and Southern Africa (CIPESA) has joined civil society organisations and industry in a rally against the potential threat of cybercrime on human rights and freedoms as well as the open internet.

Day-by-day the effects of cybercrime continue to get worse. Although something clearly needs to be done, there is growing concern that any efforts to tackle this modern scourge come at the expense of fundamental human rights and that they threaten the open and free internet.

As countries are considering their input to the United Nations ahead of the scheduled January negotiations on a Cybercrime Convention, the CyberPeace Institute and the Cybersecurity Tech Accord have brought together a range of stakeholders to publish the Multistakeholder Manifesto on Cybercrime. The principles outlined in the Manifesto should be at the heart of any cybercrime legislation and to guide the negotiating process.

The Manifesto is supported by over 50 members of civil society, industry organizations (such as the Center for Democracy and Technology, World Wide Web Foundation, Cyber Threat Alliance, and Derechos Digitales) and individuals. Signatories to the Manifesto want to also ensure that any cybercrime convention preserves and upholds basic human rights and freedoms guaranteed under existing international UN and other treaties.

“Today, industry and civil society are coming together through a Multi-Stakeholder Manifesto on Cybercrime which provides a set of principles to guide governments in their negotiations at the United Nations” says Klara Jordan, Chief Policy Officer at the CyberPeace Institute. 

In the build up to the convention negotiations, this Manifesto is an urgent appeal to all UN member states, UN agencies, and others involved in the current process, to address concerns regarding the draft and align their submissions with the Manifesto.

The Manifesto also highlights the importance of ensuring cybercrime perpetrators are held accountable for their actions: “In an area as opaque as cyberspace, public-private partnerships are often an indispensable tool to gain insights into evolving cyber threats and those behind them,” said Annalaura Gallo, Head of Secretariat, Cybersecurity Tech Accord. “A new Cybercrime Convention should establish clear mechanisms for states to reduce the operating space for criminals,” added Annalaura Gallo

The Manifesto also tackles the challenges inherent in the current UN process, in particular the lack of multistakeholder participation. “We are concerned about the lack of consultation, inclusion and involvement of stakeholders from across civil society and industry”, said Klara Jordan, adding: “The participation of civil society entities is crucial to ensure that the impact of these crimes on society is properly taken into account.” “The technology industry is ready to offer its expertise and input to UN states in the upcoming negotiations on cybercrime. We hope that our input will be sought more consistently than has been the case in the past in discussions involving the security of our internet ecosystem,” emphasized Annalaura Gallo.

*********

About the CyberPeace Institute: Headquartered in Geneva, Switzerland, the CyberPeace Institute is a nongovernmental organization whose mission is to reduce the harms from cyberattacks on people’s lives worldwide, provide assistance to vulnerable communities and call for responsible cyber behaviour, accountability and cyberpeace.

About the Cybersecurity Tech Accord: The Cybersecurity Tech Accord is a coalition of over 150 technology companies committed to advancing peace and security in cyberspace. The group’s mission revolves around four foundational principles: strong defense, no offense, capacity building and collective response.

How State Surveillance is Stifling Democratic Participation in Africa: State of Internet Freedom in Africa Study Findings

FIFAfrica21 |

As African countries embrace digital technologies, there is growing concern that the rising state surveillance, which is partly being enabled by the same digital technologies, is undermining African citizens’ digital rights and hindering their willingness to meaningfully participate in democratic processes.

One of the “democratising effects” of the internet was that it had provided a safe and alternative engagement platform that could help circumvent and diminish the repressive state’s control over the means of communication, thereby enabling greater organising and expression of dissenting opinions. However, autocrats in the region have appropriated the power of digital technologies to stifle dissent and to ramp up their capabilities to snoop on, punish, and silence critical and dissenting forces.

According to the 2021 State of Internet Freedom in Africa report by the Collaboration on International ICT Policy for East and Southern Africa (CIPESA),  surveillance has become a principal threat to digital rights in Africa, a weakening force to civil society and independent voices, and ultimately a driver of authoritarianism. The study maps the prevalent forms of surveillance, the laws that aid surveillance, and the impact of state surveillance on the ability of individuals and organisations to organise, mobilise, and engage in democratic processes.

Both physical surveillance and digital surveillance have for several years been prevalent in the countries studied. However, the study shows that  digital surveillance is expanding in scope, with several countries now deploying spyware, drones, and video surveillance (CCTV), as well as social media monitoring, mobile phone location tracking, and the hacking of mobile phones, messaging, and email applications.

The abuse of surveillance is rife in countries with high levels of impunity for rights violations and a low level of accountability for the actions of the government and its institutions. In virtually all countries studied, not only has surveillance become commonplace but the right to communicate anonymously in digital spaces has been profoundly eroded through mandatory SIM card registration and creation of inter-linked databases for national ID, voters’ registers, and other services provisions.

Government critics including leading opposition leaders, human rights defenders and activists who do human rights and governance work, as well as investigative journalists, remain prominent targets of state surveillance.

Enablers of State Surveillance

Many countries have enacted various laws that permit surveillance, mandate telecommunication intermediaries to facilitate the interception of communication, stipulate the mandatory collection of biometric data, limit the use of encryption, require the “localisation” of personal data, and grant law enforcement agents broad search and seizure powers.

In countries such as Chad, Malawi, Senegal, Tanzania, Tunisia and Zambia, laws prohibit offering encryption services without licensing, and in other cases, encryption service providers are required to decrypt any encrypted information that they hold to aid lawful interception. Moreover, while all countries have laws that facilitate lawful surveillance, many of these laws have pervasive flaws, are partially implemented, indiscriminately applied, and widely abused.

While democratic participation is based on free will and freedom, the study found that the law has been instrumentalised in many countries including Uganda, Rwanda, Nigeria, Ghana, and Tanzania, to intimidate and to carry out arbitrary arrests and detention, prosecution, and persecution of individuals. The limited oversight over surveillance activity, where the actions of those who conduct illegal surveillance remain shrouded in secrecy with limited accountability for their actions, or redress for victims of surveillance, remains of concern.

Impact on Democratic Participation

The overreach effect of increased surveillance across the region is the curtailment of rights to freedom of expression, access to information, association and assembly, and diminished appetite for participation in democratic processes.

Undermining the Right to Freedom of Expression and Access to Information

The rights to freedom of expression and access to information are critical to meaningful democratic participation and civic engagement. The inability to freely express oneself has a direct impact on democratic participation since it limits an individual’s engagement in political discussions and the capacity to influence others, especially during periods of political contestation, as well as limiting engagement in civic spaces.

The fear of repercussions associated with surveillance curtails the rights of individuals who have been victims of surveillance to freely express themselves. The study shows that this fear has forced human rights defenders, activists, government critics and journalists into self-censorship, to be less vocal, and to limit expression of their opinions especially on debates on political affairs.

Infringing on the Right to Privacy of Communications

Surveillance intrudes on the privacy of individuals and  has become a means through which fear is instilled in political activists, the opposition, HRDs and the public. According to the United Nations High Commissioner for Human Rights, the right to privacy is not only impacted by the examination or use of information about a person by a human or an algorithm.  Rather, even the mere generation and collection of data relating to a person’s identity, family or life already affects the right to privacy, as through those steps an individual loses some control over information that could put his or her privacy at risk.

Overall, surveillance has  undermined the ability of democracy actors to use digital communication channels – some have stopped using the channels to communicate altogether or have restricted their communications. Further, it has increased their costs on communication and operations generally..

Curtailing Freedom of Assembly and Association

The right to freedom of assembly and association is intricately linked to the rights and ability to freely express oneself, seek information, and mobilise. The curtailment of these freedoms can be felt in the individuals’ withdrawal from active engagements with peers, their representatives to parliament and other political actors. The study shows that the rights to assembly and association have been limited for victims of state surveillance and other democracy actors.

The study found that victims of surveillance and those who closely work with or associate with them, tended to take an overly cautious approach due to fear of repercussions such as being arbitrarily arrested, prosecuted, and detained.

The ability to organise and mobilise for activities, especially political meetings, is among the aspects that have been adversely affected by state surveillance. Some actors have resorted to organising meetings online as opposed to physically, and only with trusted individuals, which has affected the reach and effectiveness of such meetings and the mobilising power of such actors.

Effect on the Work of Organisations

According to the report, state surveillance has adversely affected  the work of organisations, making it difficult for them to achieve their goals including gathering information and mobilising for activities. Some organisations  were affected by disruptions of their activities, including being evicted from their offices by landlords at the request of state officials.

In addition, the costs of running the organisations had gone up, due to the level of financial investments made towards implementing safety and security measures. Organisation staff  lost precious energy and time worrying about surveillance, and felt controlled and less free in undertaking their work. Some organisations scaled down their work especially on governance issues.

Impact on Personal Life and Relations

The impact of surveillance goes beyond affecting peoples’ ability to meaningfully participate in democratic processes, to their personal life and relations. Individuals who were targets of state surveillance had relationships with their family, friends and society affected. Many of them lamented their lack of a social life as they could no longer make new friends, visit their old friends or family members, invite them to their homes, or be seen with them in public.

The research found widespread fear among the respondents, including their families, friends, and colleagues because of the surveillance they had experienced, or due to the apprehension of ongoing or future surveillance. Surveillance of their communication, lives and work had affected their psychological well-being and mental health in various ways. The mental toll of surveillance had resulted in constant and increased feelings of anxiety, anguish, stress, worry, depression, paranoia, fear, isolation, danger, risk, hurt, and insecurity.

There was widespread fear among respondents of repercussions for expressing opinions, in the form of  threats, harassment, arrest, attacks, abduction, detention, prosecution, death, and making their family, friends and associates targets of state action.

The study makes the following key recommendations:

  1. Governments should repeal, amend or review existing laws, policies and practices on surveillance, interception of communication, biometric data collection, and limitations on the use of encryption to ensure  compliance with the established international minimum standards on human rights and communications surveillance.
  2. Judiciaries and Parliaments need to proactively check the excesses of the state and its agencies in surveillance to ensure accountability and transparency of the executive arms of government.
  3. Civil society organisations (CSOs) should continue to investigate, document, and expose data and privacy breaches such as unauthorised access, surveillance and non-compliance by data collectors, controllers and processors.
  4. CSOs should engage in strategic public interest litigation through collaborative efforts to challenge laws, measures and acts that violate privacy rights and push for policies and practices reforms that uphold privacy.
  5. Organisations under threat of surveillance should enhance their internal digital capacity and build capacity of their staff in digital literacy, cyber hygiene, physical and digital security and data protection measures; and how to manage new surveillance measures and other emerging threats to digital rights.
  6. Intermediaries should regularly publish, update and widely disseminate privacy policies and transparency reports and inform users about the collection, use, handling, sharing and retention of their data and the measures taken to protect their right to privacy.

How Surveillance, Collection of Biometric Data and Limitation of Encryption are Undermining Privacy Rights in Africa

By Paul Kimumwe |

The right to privacy online has become a critical human rights issue, given its intricate connection with, and its being a foundation for the realisation of other rights including the rights to freedoms of expression, information, assembly, and association and preservation of human dignity. However, many African countries have steadily taken measures to undermine this right, including enacting retrogressive laws and policies that facilitate surveillance and the collection of biometric data, and others that limit the use of encryption

The advent of the Covid-19 pandemic has exacerbated the privacy concerns yet in several countries, digital rights were already under steady attack, including via internet shutdowns, criminalisation of “false news”, misinformation and disinformation campaigns by state and non-state actors, harassment and prosecution of social media users, and growing state surveillance.

In responding to the pandemic, many countries adopted regulations and practices, including deploying surveillance technologies and untested applications, to enable them collect and process personal data for purposes of tracing, contacting, and isolating those suspected to be carrying the virus and those confirmed to carry it. These measures were quickly adopted, often without adequate regulation or oversight.

In this research report, the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) has analysed laws and policies that impact on privacy, notably those that regulate surveillance, data localisation, biometric databases, and encryption.

The research covered 19 countries – Cameroon, Chad, Egypt, Ethiopia, Kenya, Ghana, Malawi, Mali, Mozambique, Namibia, Nigeria, Rwanda, Senegal, Tanzania, Tunisia, Uganda, Zambia, Zimbabwe, and South Africa.

Summary findings

Growing Surveillance: The research findings show that overall, there has been notable progress in the enactment of specific laws and policies safeguarding the right to privacy, including requiring judicial authority to authorise surveillance in countries such as Kenya, Nigeria, Tanzania, Tunisia and Uganda.

However, there are a few cases, such as in Zimbabwe, where authorisation for monitoring and intercepting communications is offered by non-independent and partial actors such as ministers. In addition, many of the countries’ laws do not measure up to international human rights standards and fail to establish clear and appropriate oversight, redress, and remedy mechanisms.

Indeed, “national security” considerations have been employed in laws in various countries broadly to justify and authorise the interception of communication, restrict privacy rights, grant wide search and seizure powers to law enforcement agencies, mandate intermediaries such as telecommunication service providers to facilitate interception, and to require data localisation.

In addition, while various countries have criminalised illegal surveillance and placed various safeguards on the conduct of state surveillance, many of them still contain retrogressive provisions that leave scope for intrusion, including enabling state surveillance with limited safeguards.

Limitation of Encryption Anonymity and the use of encryption in digital communications are critical in advancing both the right to freedom of expression and right to privacy. In the absence of these rights,  the capacity of individuals to communicate anonymously and without fear of their communications being intercepted cannot be guaranteed.

There are few positive provisions in some countries that require the protection of personal data through technical security measures which include encryption. On the other hand, many countries in the study have passed legislation that limit anonymity and the use of encryption through criminalisation of possession and use of cryptographic software or hardware, providing for fines and prison sentences.

The findings show that in countries like Chad, Malawi, Senegal, Tanzania, Tunisia and Zambia, there are penalties for offering cryptographic services without licensing, registration or authorisation. Interception of communications provisions often require service providers to decrypt any encrypted information that they may intercept in the course of offering assistance to lawful interception. In countries such as Mali and Tanzania, the laws require the encryption service providers, upon registration with the authorities, to disclose the technologies they plan to use for encryption.

Data Localisation The findings show that a growing number of African countries have been legislating on data localisation, which has mostly taken the form of a requirement to store data locally and forbidding unauthorised cross-border data transfers. Various countries have specified the conditions for authorising transfer, mostly where the data subject has offered consent and where an adequate level of protection is assured in the recipient country or international organisation.

Several African countries have adopted different approaches towards data localisation. Several countries use laws on financial services (Nigeria, Ethiopia and Rwanda), cybersecurity and cybercrimes (Rwanda, Zambia and Zimbabwe), telecommunications (Cameroon, Rwanda and Nigeria) and data protection (Kenya, South Africa, Tunisia and Uganda) to place restrictions on cross-border transfer of data.

Some countries have specified the data that cannot be exported without authorisation. Kenya specifies all public data; Nigeria mentions all government data and all subscriber and consumer data; while Zimbabwe, Malawi and Tunisia cite personal information.

Establishment of Biometric Databases  In several countries, government agencies are collecting and processing personal data without adequate data protection laws, amidst limited oversight mechanisms and inadequate remedies. While many have recently passed data protection laws and policies, implementation is not effective, and the safeguards are not water-tight as required under international human rights law.

Some laws in countries such as Chad, Kenya, Tunisia, Uganda, South Africa, and Zimbabwe, prohibit the collection of certain categories of data, including specific types of biometric data generally, or where certain conditions are not complied with. In the other countries studied, the laws require the mandatory collection of biometric information for the registration of telecommunications subscribers, for digital identity programmes and during voters’ registration. Several laws and policies on biometric data collection contain provisions on sanctions and penalties for breach.

Weak Oversight, Transparency and Accountability Mechanisms The study found that countries have adopted different approaches to oversight, including specifying courts, data protection authorities, sector regulators and administrative bodies as key oversight bodies. Some of these bodies are located within the executive, and therefore may lack the proper legal, financial, and institutional independence to stem violations within government, and especially by state security agencies. The laws in most countries require judicial authorities to issue a warrant for interception or monitoring of communications. However, in some countries interception orders can be issued by non-judicial officials, such as ministers.

The deficiency of accountability and transparency is among the weakest links in the various countries’ surveillance laws. While some countries, such as Nigeria, Rwanda, Tunisia, Zimbabwe, have commendable oversight and accountability provisions, it is not known whether they are applied. No entity in any of the countries studied permits public access to records on interception which the laws require state authorities to compile periodically, or publishes any data related to interception warrants issued and if at all they do record such data, they are categorised as classified information under state secrets laws. Thus, the public and oversight institutions such as judiciaries and parliaments remain in the dark about the extent and legality of the conduct of surveillance in the respective countries.

Recommendations

  • Governments should review existing laws, policies and practices on surveillance, including Covid-19 surveillance, biometric data collection, encryption and data localisation to ensure they comply with the principles in the African Commission on Human and Peoples’ Rights (ACHPR) Declaration on Principles of Freedom of Expression and Access to Information in Africa and international human rights standards.
  • Governments should also adopt multi-stakeholder approaches to ensure meaningful participation of all stakeholders in the development of policies and laws that affect the right to privacy and data protection.
  • Civil society actors should use strategic public interest litigation as an avenue to challenge laws that violate privacy rights and push for policies and practices reforms that uphold privacy.
  • Civil society actors should also monitor and document privacy rights violations through evidence-based research, and report on state compliance with their obligations to human rights monitoring bodies.

See the full research report here.