State of Internet Freedom in Africa 2022: The Rise of Biometric Surveillance

FIFAfrica22 |

Digital biometric data collection programmes are becoming increasingly popular across the African continent. Governments are investing in diverse digital programmes to enable the capture of biometric information of their citizens for various purposes.

A new report by the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) documents the emerging and current trends in biometric data collection and processing in Africa. It focuses on the deployment of national biometric technology-based programmes in 16 African countries, namely Angola, Cameroon, Central African Republic, Democratic Republic of Congo, Kenya, Lesotho, Liberia, Mozambique, Nigeria, Senegal, Sierra Leone, Tanzania, Togo, Tunisia, Uganda, and Zambia.

The report published today is the ninth consecutive one issued by CIPESA since 2014 under the State of Internet Freedom in Africa series. It was released at the Forum on Internet Freedom in Africa (FIFAfrica), which is taking place in Lusaka, Zambia.

The biometric data collection programmes reviewed by the report include those related to civil registrations, such as the issuance of National Identity cards, biometric voter registration and identification programmes, government-led CCTV programmes with facial recognition capabilities, national ePassport initiatives, refugees’ registration, and mandatory biometric SIM card registration.

The report highlights the key trends, potential risks, challenges and gaps relating to biometric data collection projects in the continent. These include limited public engagement and awareness campaigns; inadequate legal frameworks that heighten risks to privacy; exclusion from accessing essential services; enhanced surveillance, profiling and targeting; conflicting interests and the wide powers of third parties; and limited capacity and training. 

Consequently, the study notes that these biometric programmes are being implemented in countries with poor digital rights records, declining democracy and rising digital authoritarianism, which casts doubt on the integrity of biometric data collection programmes and the resultant databases. Thus, viewed collectively, the developments, trends and risks outlined in the report heighten concern over the growing threats to the right to privacy of personal data and potential violations of digital rights on the continent. 

Finally, the report presents recommendations to various stakeholders including the government, civil society, the media, the private sector and academia, which, if implemented, will go a long way in addressing data protection and privacy gaps, risks and challenges in the study countries. 

The key recommendations include a call to:

  • Governments to implement the laws and policy frameworks on identity systems and data protection and privacy while paying keen attention to compliance with regionally and internationally recognised principles and minimum standards on data protection and privacy for biometric data collection and require the adoption of human rights-based approaches. 
  • Countries without data protection and privacy laws such as Liberia, Mozambique, Sierra Leone and Tanzania should expedite the process of enacting appropriate data protection laws so as to guarantee the data protection and privacy rights of their citizens. 
  • Governments to ratify the AU Convention on Cyber Security and Personal Data Protection (Malabo Convention) to ensure government commitment to regional data protection and privacy as a means to hold them accountable.
  • Governments to establish independent and robust oversight data protection bodies to regulate data and privacy protection including biometric data.
  • Civil society to engage in advocacy and lobby governments to develop, implement and enforce privacy and data protection policies, laws and institutional frameworks that are in compliance with regional and international minimum human rights standards.
  • Civil society to monitor, document and report on the risks, threats, abuses and violations of privacy and human rights associated with biometric data collection programmes, and propose effective solutions to safeguard rights in line with international human rights standards.
  • The media to progressively document and report on initiatives such as advocacy by civil society and other stakeholders to keep track of developments. 
  • The media to conduct investigative journalism to identify and expose privacy violations arising from the implementation of biometric data collection programmes.
  • The private sector to take deliberate efforts to ensure that all their respective biometric data collection programmes and systems are developed implemented and managed in compliance with best practices prescribed by the national, regional and international human rights standards and practices on privacy and data protection, including the UN Guiding Principles on Business and Human Rights.
  • The private sector to ensure that they progressively adopt and develop comprehensive internal privacy policies to guide the collection, storing and processing of personal data. 
  • The private sector to take deliberate efforts aimed at involving data subjects in the control and management of their personal data by providing timely information on external requests for information. 
  • Academia to conduct evidence-based research on data protection and privacy including biometrics, highlighting the challenges, risks, benefits and trends in biometric data collection programmes. 

The full State of Internet Freedom in Africa 2022 Report can be accessed here.

Are Malawians Sleep-Walking into a Surveillance State?

By Jimmy Kainja |
In the last three years, the Malawi government has passed a lot of legislation, among these, is the National Registration and Identification System (NRIS), which according to the National Registration Bureau, is aimed at addressing the lack of universal and compulsory registration – the NRIS allows Malawians to have a national ID.
According to UNDP, one of the main funders of the exercise, 9 million Malawians have registered as of October 2019. This shows that Malawians have generally welcomed the exercise. Meanwhile, the registration in on going all District Offices where anyone turning 16 years can register and have their ID card issued.
Reasons for the general acceptability of the ID registration differ and in absence of any survey it is difficult to generalise the reasons but it can be speculated that among the reasons is that the majority of Malawians lacked any form of ID to do daily transactions. Majority Malawians do not have a passport or driver’s license and yet advance in technology, mobile banking for example, has increased demand for IDs in the country.
Following the NRIS exercise, the national ID has become increasingly become the only form of identification for most public transactions and registrations. In 2018 Malawi government through its telecoms regulator, MACRA, rolled out mandatory SIM Card registration, this is provided for in PART XI of Communications Act, 2016. The voter registration for 2019 tripartite elections required the national ID as a form of identification; and now commercial banks in the country have rolled out what they are calling “know your customer” (KYC) exercise, in which clients have to update their personal information with the banks. This time the banks are only accepting the national ID as a form of identity for Malawians, and passport for none Malawians.
This means that in a very short space of time Malawians have given away a lot of their personal data to both private and public institutions. All the data is tied to one’s national ID. This includes our communication data through our SIM Card enabled communication – internet, text messages and voice calls. But who how safe is this personal data? During the voter registration exercise did we not hear of Malawi Electoral Commission found abandoned in Mozambique? How do we ensure that our personal data is safe? How can we be sure that no third parties have access to our personal data? Who should be held accountable in case of any data breach?
These are legitimate questions, especially as any breach of personal data has implications on personal privacy. Privacy is inviolable right and it is constitutionally provided for under article 21 of Malawi constitution. Often people argue that you should not worry about privacy if you have nothing to hide. Yet, privacy does not mean that you have something to hide.
Journalist, Glenn Greenwald observes that privacy is important because we all need places where we can go to explore the issue without the judgmental eyes of other people being cast upon us. He argues that their people have all kinds of things they want to keep a secret that has nothing to do with criminality. He adds:
“only in a realm where we’re not being watched can we really test the limits of who we want to be. It’s really in the private realm where dissent, creativity and personal exploration lie… When we think we’re being watched, we make behaviour choices that we believe other people want us to make … it’s a natural human desire to avoid societal condemnation. That’s why every state loves surveillance — it breeds a conformist population.”
In the wake of mass personal data collection, Malawi needs personal data protection legislation, and this legislation should have been in place before the NRIS and what has followed that exercise. Data protection is important in order to prevent third parties from accessing personal data and also stopping the authorities abusing personal data they collected in good faith.
Personal data protection is crucial for freedom of choice and freedom of expression. People are unable to express themselves freely in the presence of watchful eye on everything that you are doing, browsing on the Internet for example. Inevitably, this has a chilling effect on activists, human rights defenders and other vulnerable communities as these groups can easily be targeted by both state and non-state actors.
The mass collection of personal data in the absence of data protection law should be of concern to all Malawians as it has the capacity to allow state surveillance. Furthermore, the mandatory SIM card registration in the absence of data protection laws means that our private communication, online and offline can easily be violated by both state and non-state actors. As with the mandatory SIM card registration, governments usually use security to introduce laws and policies. But you cannot protect people on one hand while violating other rights and freedoms on the other. Security and civil liberties can and do coexist and it is the obligation of the state to balance the two.
*Note: this article is informed by Internet freedom and digital rights training for CSOs I coordinated and co-facilitated in Lilongwe (30-31st July 2019) on behalf of The Collaboration on International ICT Policy in East and Southern Africa (CIPESA).
This article was originally published in The Nation

What Should be on the 2016 Agenda for Internet Freedom in Africa?

By Juliet Nanfuka |
Towards the end of 2015, the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) under the OpenNet Africa initiative convened some of Africa’s leading thought leaders to discuss the various facets of internet freedom in Africa.
The Forum on Internet Freedom in East Africa is one of very few gatherings that assemble an African audience within the continent to discuss matters related to upholding internet freedom. The Forum brought together 200 participants from 18 countries – triple the number of those who attended the inaugural 2014 forum, which hosted 85 participants from six countries. The event drew up a set of actionable recommendations that will inform onward engagements on advancing internet freedom in Africa by CIPESA and its partners, and hopefully for other actors in this space.
Over the course of two days, several issues were discussed, including how to address online violence against women (VAW), whose magnitude and manifestation is not clearly known, as most cases in Africa go unreported.
Another key highlight was the increase in freedom of expression violations for critical media and bloggers especially during periods of electioneering. One way to address this could be through the use of counter speech and transparency in combating hate speech, misinformation and false claims. The media’s role in advancing internet freedom in Africa – both as a vulnerable group but also as infomediaries –  was highlighted.
Africa has registered a rise in abuses and attacks on internet freedom, including a proliferation of laws, legal and extralegal affronts, as well as limited judicial oversight over surveillance and interception of communications. Discussions on the balance between national security and its perpetual clash with freedom of expression, access to information and the right to privacy reflected the need to address gaps in existing laws that do not adequately protect citizens from mass surveillance and privacy infringements.
Meanwhile, the appreciation of digital safety tools and practices remains paramount, for citizens, the media, human rights defenders and activists. Thus, the continued need for capacity building and awareness raising efforts on internet freedom was stressed by Forum participants. Closely related to this is the need for localisation exercises between tools developers and end users, given the diverse contexts of African internet users.
Internet freedom could also be supported by the budding community of artists and creatives on the continent, who are currently not adequately involved in discussions around freedom of expression and privacy online.
Read the full Forum Report, which also explores the relationship between internet freedom and online economics, press freedom, online creative expression, access to information, cybercrime and digital safety, from the perspectives of law enforcement, regulators, intermediaries, artists, the media and human rights defenders. On each of these themes, the report discusses the challenges and opportunities and suggests actions to take in order to advance internet freedom in Africa.

Forum Sparks Debate on Internet Freedom in Africa

By Juliet Nanfuka |
The recently concluded two-day Forum on Internet Freedom in East Africa 2015 sparked debate on the many facets of internet freedom, including access to information, digital safety, media freedom, online violence against women, regulation of the internet, freedom of expression online, and the online economy.
The first day of the Forum coincided with the internationally celebrated Right to Know Day (September 28) and also served as a platform to recognise the tenth anniversary of the Access to Information Act  in the host country, Uganda.
The Forum, organised by the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) under the OpenNet Africa initiative, brought together just under 200 participants, a dramatic increment from the 85 who participated at last year’s inaugural Forum. Participants represented a wide spectrum of stakeholders including communications regulators, civil society, intermediaries, private sector, tech enthusiasts, artists, media and ordinary citizens. It was supported by the African Centre for Media Excellence (ACME), Hivos, Ford Foundation, Open Technology Fund, UNESCO and Web We Want.
According to the ITU, there are currently 3.2 billion people using the internet of which, by end 2015, two billion will come from developing countries. There is therefore a need to create awareness and to advocate for internet rights in developing countries that are registering a dramatic uptake of the internet.
The African Declaration on Human Rights has set the foundation upon which human rights standards and principles of openness in internet policy formulation can be developed in Africa. While various policies and laws have been developed in the continent’s 54 countries, many contradict the rights to privacy, access to information, data security, and freedom of expression.
In his opening remarks at the Forum, Jaco du Toit, Communication and Information Adviser at the UNESCO Regional Office for Eastern Africa, pointed to growing concerns over the mechanisms used by governments in the region to monitor citizen’s activities both online and offline. These concerns threaten legitimate online interactions including by the media that  plays  the role of  society’s watchdog, and by critical citizens with large online footprints and human rights organisations that rely on information to encourage civic participation and good governance.
The use of ICT tools by citizens to exercise their right to free expression and as an engine for development is widely recognised especially as the push for open data gains momentum across the African continent. However, recognition of internet rights in the same breath as the rights guaranteed offline by national constitution remains a grey area.
 Internet Freedom in East Africa
The forum served as the launch of the State of Internet Freedom in East Africa 2015 report on access, privacy and security online in Burundi, Kenya, Rwanda, Tanzania, and Uganda. The report is the result of qualitative and quantitative research conducted in the focus countries between May 2014 and August 2015.
The report highlights legal developments related to internet freedom in each of the focus countries such as the May 2015 ruling by the East African Court of Justice (EACJ) against the Burundi Press Law of 2013, on the grounds that some sections went against the principles of press freedom. This marked a victory for the Burundi Journalists Union who had petitioned the court over the repressive law. In Kenya, the Security Laws (Amendment) Act was signed into law despite concerns over its expansion of the surveillance capabilities of the Kenyan intelligence and law enforcement agencies.
In Tanzania, the controversial Cybercrimes Act and the Statistics Act were both passed in 2015 notwithstanding protests due to the restrictions they place on advancing transparency and access to information.
Progressive public access developments are also reported such as the Smart Kigali initiative which provides wireless internet service on select public transport buses. The Ministry of ICT in Rwanda also launched the “Stay Safe Online” campaign aimed at promoting awareness on cyber security.
The report also presents some of the violations of internet freedom that were registered in East Africa over the last year.
Knowledge, Attitudes and Perceptions on Internet Freedom
The report found that understanding of what constitutes internet freedom among the region’s citizens is varied. The majority associated internet freedom with the ability to utilise the internet free of unwarranted state regulations or commercial restrictions.
Online safety practice was low with only 48% of the respondents using digital safety and security tools to safeguard themselves online. A lack of awareness of security risks on digital platforms and shortage of skills to secure communications were among  the reasons for not actively utilising online safety tools.
The report further found widespread perception among East Africans of government surveillance even where there was limited  evidence remain prevalent of actual surveillance. Respondents cited national security, countering terrorism, and combating hate speech as key reasons for government surveillance.
Discussion Echoes Report Findings
Discussions in the 13 sessions at the forum repeatedly pointed out contradictory or non-existent laws to protect users especially in instances where critical content in writing, or creative and performing arts have led to arrests. This in turn has contributed to self-censorship by independent content producers and media.
Further, victims of online violence against women (VAW) do not have any legal structures to ensure their rights are upheld; instead, many are castigated more than the perpetrators of the violence. Limited legal provisions on the vice have thus led to a culture of silence and misinformation which in turn impacts upon reporting of cases to indicate the extent and actual statistics of VAW in African countries.
Discussions at the forum echoed insights gathered in the report, including the friction between control of content which impacts upon freedom of expression and regulation of the internet so as to combat hate speech and terrorism, and to maintain national security and public order.
“Ignorance of the law is not an excuse,” said Irene Kaggwa, Head of Research and Development at the Uganda Communication Commission on the need for responsible use of the internet. Jimmy Haguma, Acting Commissioner with Uganda Police’s Cybercrimes unit, , added that “freedom without control” would contradict certain needs, such as ensuring child online safety and protection from theft and fraud.
The challenges involved with ensuring that the internet is a safe space for genuine interaction were summarised by Facebook’s head of Public Policy for Africa, Ebele Okobi, who noted that “If Facebook were a country, it would be the biggest country in the world.” She added that the global platform faces a challenge of how to apply the laws of every country in which it has users in its policy on online content.
Underpinning all discussions at the forum was the use of social media and the need for users to build their digital security capacities as the online arena increasingly becomes the key avenue for social interaction. However, legislation in many countries has not moved fast enough to ensure the protection of users who fall victim to online abuse and violence.
In his closing remarks, Vincent Bagiire, Chair of the ICT Committee, Parliament of Uganda, emphasised the necessity for further engagement on internet freedom not only by civil society but with a more inclusive multi-stakeholder approach which works towards ensuring a free and open internet. He stated that this responsibility exists first at the national level, “but given the borderless, global nature of the internet”, it is also very much a global issue. “Internet freedom is both a domestic and a foreign policy subject,” he said.
The Forum had representation from 19 countries including Burundi, Cameroon, Democratic Republic of Congo, Ethiopia, Germany, Italy, Kenya, Nigeria, Rwanda, Tanzania, South Africa, South Sudan, Sudan, Somalia, Uganda, United Kingdom, United States of America, Zambia, Zimbabwe
For more details, visit the Forum on Internet Freedom in East Africa 2015 page, See the full programme and the speaker biographies.