The Surveillance Footprint in Africa Threatens Privacy and Data Protection

By Edrine Wanyama 

Digital and physical surveillance by states, private companies that develop technology or supply governments and unscrupulous individuals globally and across Africa is a major threat to the digital civic space and operations of civil society organisations (CSOs), human rights defenders (HRDs), activists, political opposition, government critics and the media. The highly intrusive technology, which is often facilitated by biometric data collection systems such as for processing of national identification documents, voter cards, travel documents, mandatory SIM card registration and the installation of CCTV cameras for “smart cities”, adversely impacts the digital civic space. 

Given these developments, the Digital Rights Alliance Africa (DRAA), a network of CSOs, media, lawyers and tech specialists from across Africa that seeks to champion digital civic space and counter threats to digital rights on the continent, recently held a learning session on “Understanding Surveillance Trends, Threats and Challenges for Civil Society.” The Alliance was created by the International Center for Not-for-Profit Law (ICNL) and the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) in response to rising digital authoritarianism. It currently has members from more than 12 countries, who collectively conduct research and advocacy and share experiences around navigating digital threats and influencing strategic digital policy reforms in line with the alliance’s outcome declaration.

The virtual learning session built capacity among the Alliance members to better understand digital surveillance and the related threats facing democracy actors. Discussions delved into the nature of surveillance, the regulatory environment, and strategies to navigate and counter surveillance risks and threats. The threats and risks include harassment, arbitrary arrests, persecution and prosecution on trumped up charges. 

While emphasising the need to understand emerging surveillance technologies, ecosystem and deployment tactics, Richard Ngamita, the Team Leader at Thraets, highlighted the huge investment (estimated at USD 1 billion annually) which African governments have made in acquiring surveillance technologies from China, Israel, the United States of America and Europe. Ngamita urged CSOs, HRDs and other actors to build digital security capacity to protect against illegal surveillance.

Victoria Ibezim-Ohaeri, the Executive Director of Spaces for Change, while referencing the Spaces for Change report Proliferation of Dual-Use Surveillance Technologies in Nigeria: Deployment, Risks & Accountability, highlighted weak regulation and unaccountable practices by states that facilitate unlawful surveillance across the continent and their implications for rights. According to the report,

“The greatest concern around surveillance technologies is their potential misuse for political repression and human rights abuses. Surveillance practices also undermine the citizens’ dignity, autonomy, and security, translating to significant reductions in citizens’ agency. Agency reductions are magnified by the state’s power to punish dissent. This creates a chilling effect as citizens self-censor or avoid public engagement for fear of being surveilled or punished. The citizens have little agency to challenge or resist the state’s surveillance because of low digital literacy, poverty and broader limitations in access to justice.”

Michaela Shapiro, the Global Engagement and Advocacy Officer at Article 19, United Kingdom, discussed the governing norms of surveillance globally while paying particular attention to the common gaps that need policy action at the country level in Africa. Recalling the intensification of digital and physical surveillance as part of state responses to curb the spread of Covid-19 in the absence of clear oversight mechanisms, Michaela emphasised the role of CSOs in advocating for data and privacy protection. 

To date, the leading instrument of data protection on the continent, the African Union Convention on Cyber Security and Personal Data Protection, has only 16 ratifications out of 55 states, while only 36 states have enacted specific laws on privacy and data protection rights.

Surveillance in Africa generally poses a major threat to individuals’ data and privacy rights since governments exercise wide access over the data subjects’ rights. National security and the loopholes in the laws are usually exploited to abuse and violate data rights. While there are regional and international standards, these are often overlooked with governments taking measures that are not provided for by the law, rendering them unlawful, arbitrary and disproportionate under human rights law. 

By way of progressive actions, speakers noted and made recommendations to States and non-state actors to the effect that:

States and Governments 

  • Address surveillance and bolster personal data and privacy protections through adopting robust legal and regulatory frameworks and repealing restrictive digital laws and policies.
  • Promote and enhance transparency and accountability through the establishment of independent surveillance oversight boards.
  • Strictly regulate the use of surveillance technologies by law enforcement and intelligence agencies to ensure accountability.
  • Collaborate with other countries to develop harmonised privacy standards within the established regional and international standards to have settled positions on cross-border controls on surveillance.

Civil Society Organisations

  • Build and enhance capacities of HRDs and other players in data governance and accountability to equip them with knowledge to counter common data privacy threats by governments and corporate entities.
  • Push for ethical and responsible use of technology to prevent and minimise technology-related violations. 
  • Challenge all forms of unlawful surveillance practices through, among other means, legal action.

Tech Sector

  • Conduct regular audits and impact assessments to address potential privacy breaches and enhance accountability and transparency. 
  • Prioritise privacy and integrate privacy protections into their products and services including data collection minimisation and establish strong security measures for privacy.
  • Prioritise ethical considerations in the development and deployment of new technologies to guarantee strong protections against potential violations.

Uganda’s Changes On Computer Misuse Law Spark Fears It Will Be Used To Silence Dissidents

By News Writer

Uganda’s controversial Computer Misuse (Amendment) Bill 2022, which rights groups say will likely be used to silence dissenting voices online, has come into force after the country’s President Yoweri Kaguta Museveni signed it into law yesterday.

The country’s legislators had passed amendments to the 2011 Computer Misuse Act in early September, limiting writing or sharing of content on online platforms, and restricting the distribution of children’s details without the consent of their parents or guardians.

The bill was brought before the house to “deter the misuse of online and social media platforms.” A document tabled before the house stated that the move was necessitated by reasoning that “enjoyment of the right to privacy is being affected by the abuse of online and social media platforms through the sharing of unsolicited, false, malicious, hateful and unwarranted information.”

The new law, which is also curbing the spread of hate speech online, recommends the application of several punitive measures, including ineligibility by offenders to hold public office for 10 years and imprisonment for individuals who “without authorization, accesses another person’s data or information, voice or video records and shares any information that relates to another person” online.

Rights groups and a section of online communities are worried the law might be abused by regimes, especially the current one, to limit free speech and punish persons that criticize the government. Some have plans to challenge it in court.

Fears expressed by varying groups come in the wake of increasing crackdowns on individuals who don’t shy away from critiquing online the authoritarian regime of Museveni, Uganda’s longest-serving president, who also blocked social media in the run-up to last year’s general election.

Recently, a Ugandan TikToker, Teddy Nalubowa, was remanded in prison for recording and sharing a video that celebrated the death of a former security minister, who led the troops that killed 50 civilians protesting the arrest of opposition politician Robert Kyagulanyi Ssentamu (Bobi Wine) in 2020. Nalubowa, a member of Ssentamu’s National Unity Platform, was charged with offensive communication in contravention of the Computer Misuse Act 2011 amid public outcry over the harassment and intimidation of dissidents. Ssentamu, Museveni’s critic and the country’s opposition leader, recently said the new amendment is targeting his ilk.

The Committee to Protect Journalists (CPJ) had earlier called on Museveni not to sign the bill into law, saying that it was an added arsenal that authorities could use to target critical commentators, and punish media houses by criminalizing the work of journalists, especially those undertaking investigations.

The Collaboration for International ICT Policy in East and Southern Africa (CIPESA) had also made recommendations including the deletion of Clause 5, which bars people from sending unsolicited information online, saying that it could be abused and misused by the government.

“In the alternative, a clear definition and scope of the terms ‘unsolicited’ and ‘solicited’ should be provided,” it said.

It also called for the scrapping of punitive measures, and the deletion of clauses on personal information and data, which duplicated the country’s data protection law.

CIPESA said the law is also likely to infringe on the digital rights of individuals, including the freedom of expression and access to information, adding that the provisions did not address issues, like trolling and harassment, brought forth by emerging technologies as the law sought to do in the first place.

This article was first published by the Ghana Business on Oct 15, 2022.

Privacy Imperilled: Analysis of Surveillance, Encryption and Data Localisation Laws in Africa

By Evelyn Lirri

Across Africa, the proliferation of digital technologies is being matched by state measures that negate the right to privacy. The accelerated adoption of digital technologies has come with increased collection and sharing of large quantities of personal data, which is a major concern as several countries lack data privacy laws and many that have them are not implementing the laws. 

As a result, the right to privacy has come under growing siege, which is in turn negatively impacting the enjoyment of other rights, including freedom of expression, association, and access to information online.

In this report, the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) analyses country-specific laws that various governments on the continent have enacted and how they impact privacy and data security through surveillance, restrictions on encryption, data localisation, and biometric databases. The report covers 23 countries – Algeria, Angola, Benin, Burkina Faso, Burundi, Cape Verde, the Central Africa Republic (CAR), Congo Brazzaville, the Democratic Republic of Congo (DRC), Gabon, Guinea Conakry, Ivory Coast, Lesotho, Liberia, Madagascar, Mauritania, Morocco, Niger, Sao Tome and Principe, Sierra Leone, South Sudan, and Togo.

According to the report, governments across the continent continue to collect and process personal data, intercept communications and permit surveillance without putting in place the requisite oversight mechanisms and adequate remedies, despite being signatories to regional and international conventions that recognise the right to privacy and provide safeguards for data protection, such as the revised Declaration of Principles of Freedom of Expression and Access to Information in Africa, the International Covenant on Civil and Political Rights, and the Universal Declaration of Human Rights.

Weak Oversight of Surveillance Operations 

One of the emerging concerns is the lack of independent judicial oversight over surveillance operations. In some countries, surveillance operations are entirely carried out and overseen by bodies within the executive, with parliaments and courts of law excluded. In Lesotho, interception warrants may be issued by the Minister responsible for the National Security Services, while in Niger, interception is ordered by the President. In South Sudan, this responsibility is vested with the Director General of the National Security Service, while in The Gambia it lies with the Minister of Interior. In Togo, the Prime Minister, and the Ministers responsible for the economy and finance, defence, justice, and security and civil protection can trigger interception of communications.

In countries such as Benin, the Democratic Republic of the Congo (DRC), Morocco, Niger, and Togo, justification for surveillance is specified under the law. The reasons provided include the preservation of national security or defence, investigation of crimes, prevention of terrorism, organised crime, and activities that undermine public peace or public order. However, these crimes are not defined or are vaguely defined, which gives latitude to state authorities to broadly interpret the laws in undermining the rights of critics and opponents.

Limitations on Encryption

The use of encryption is critical in helping citizens to protect their data and communications while enjoying the right to privacy and freedom of expression. In several countries, however, this right is being threatened as governments impose restrictions that require the registration of encryption service providers, ban certain types of encryption, and compel service providers to hand over decrypted data.

In Algeria, individuals and organisations that want to acquire and use encryption services must be granted authorisation by the country’s Regulatory Authority of Post and Electronic Communications. On the other hand, in countries such as the Democratic Republic of Congo, the Central Africa Republic, Niger, Benin, Guinea Conakry, Ivory Coast, Congo-Brazzaville, Morocco, Togo and Burkina Faso, an authorisation may be sought if the encryption is not exclusively for providing authentication or integrity control functions. Failure to seek authorisation or using prohibited encryption could attract a heavy penalty including jail time, a fine, or both.

Countries like Mali, Tanzania, and Malawi also require service providers to disclose specific software to be used for encryption. Such prohibitive provisions undermine privacy and freedom of expression that access to encryption accords.

Compelled Assistance by Service Providers

Governments are also using compelled assistance, where state agencies seek access to data from service providers, including through courts of law and regulators, to gain access to individuals’ private data. This includes access to the secret code of encrypted data, or to decrypted data, and generally requiring service providers to render assistance to state agencies in the interception of communications.

Laws in countries like Benin, Ivory Coast, Congo-Brazzaville, Gabon, Guinea Conakry, and Sierra Leone specify grounds on which the state can access encrypted data of individuals and also facilitate lawful interception of communications. Laws in several countries require intermediaries such as telecom companies and Internet Service Providers (ISPs) to facilitate surveillance.

As the report notes, compelled service provider assistance as stipulated in some countries’ laws is quite worrisome as it gives governments and their agencies unfettered access to individuals’ private data beyond limits prescribed by law or permissible by international standards.

Data Localisation

Various countries have enacted laws to control the cross-border transfer of personal data for a multitude of reasons, including national security, personal data protection, and data sovereignty. Algeria, Niger, Morocco, Benin, Cape Verde, Madagascar, Guinea Conakry, Ivory Coast, Congo Brazzaville, Sao Tome & Principe and Togo have laws that prohibit cross-border transfer of personal data unless authorised by data protection authorities.

However, as the report’s findings show, despite having laws in place, enforcement remains weak. Further, data localisation requirements could, in the absence of robust legal and practical safeguards, further facilitate efforts by state and non-state actors to undermine privacy-related rights. Morocco, Algeria, and Ivory Coast are some of the countries where data localisation measures are being implemented.

Biometric Data Collection

Recent years have seen a number of African countries undertake mass collection, processing and storage of personal data through initiatives such as mandatory SIM card registration, electronic biometric passports, IDs, and driving licences. Although many countries have also passed laws on data protection and privacy, weak implementation mechanisms, coupled with the absence of the requisite safeguards, remain a threat to individual privacy. This is particularly so in instances where regulatory authorities have the power to direct telecom operators to hand over information such as that contained in the SIM card databases.  

Furthermore, the existing oversight mechanisms and provisions for remedies in the case of data breaches have not been effective enough to protect the personal information and communication of individuals in line with internationally recognised human rights standards. Many countries have enacted data protection laws but have additional legislation that gives the state and its agencies power to access citizens’ biometric information, often under the guise of protecting national security. This is the case with countries such as Kenya, Gabon, Uganda, Lesotho, Mauritius, Morocco, Niger, Sao Tome, Togo, Algeria, Congo Brazzaville, and Ivory Coast.

Recommendations

Government:

  • Enact data protection laws in countries such as Liberia, Sierra Leone and South Sudan to provide for and guarantee protection of personal data.
  • Review existing laws, policies and practices on surveillance, including COVID-19 surveillance, biometric data collection, encryption and data localisation, to ensure they comply with article 9 of the African Charter and with the principles in the African Commission on Human and Peoples’ Rights Declaration of Principles on Freedom of Expression and Access to Information in Africa 2019.
  • Cease blanket compelled service provider assistance and provide for clear, activity-bound and court-mandated assistance.
  • Submit periodic reports to the different international human rights treaty body monitoring mechanisms such as the African Commission on Human and Peoples’ Rights, the Human Rights Committee and the Universal Periodic Review process, on the measures taken to guarantee the right to privacy and data protection.

Civil Society:

  • Work collaboratively with stakeholders such as the private sector and academia, including through litigation to challenge laws and measures that violate privacy rights.
  • Monitor and document privacy rights violations through evidence-based research.
  • Conduct regular analysis of proposed laws to identify the gaps and propose revisions before they are enacted into law.
  • Advocate for the promotion and protection of the right to privacy and data protection through various advocacy engagements.

Private Sector: 

  • Develop, publish and implement internal privacy and data protection policies and best practices in handling customer data so as to guarantee customers’ data protection and privacy.
  • Regularly publish transparency reports that highlight all cases of personal data and information disclosure to government agencies as well as other assistance offered to governments to enable communication interception and monitoring.
  • Develop technologies and solutions and use privacy-enhancing technologies that embed and integrate privacy principles by design and default.
  • Comply with the United Nations Business and Human Rights Principles by conducting human rights impact assessments to ensure that measures undertaken do not harm individual rights to privacy and data protection.

Find the full report here: Privacy Imperilled: Analysis of Surveillance, Encryption And Data Localization Laws in Africa  

See another CIPESA report Mapping and Analysis of Privacy Laws in Africa that maps privacy-related laws in 19 other countries.

A Partnership to Advance Digital Rights and Internet Development in Africa

By Israel Nyoh

The Internet Society and the Collaboration on International ICT Policy in East and Southern Africa (CIPESA) recently signed an agreement to work together for an open, secure, and trustworthy Internet for Africa.

A digital revolution is transforming markets and societies across Africa. Digitalization is helping governments to generate more income, while enabling e-commerce, e-health, and automation, which is strengthening African economies. But, as is often the case, with each technological promise there is also a threat. Because many African countries grapple with digital literacy and security challenges, digital technologies are being used to foster cyber criminality and cyber surveillance, while governments sometimes deny citizens their digital rights.

The agreement commits the Internet Society and CIPESA to advancing progressive Internet policy, advocating for the Internet way of networking, encryption, and measuring the health of digital infrastructure in the region.

Actions that promote a “trustworthy Internet to every African are of critical importance for the digital transformation plans that many African countries are implementing,” says Dawit Bekele, Regional Vice President for Africa, Internet Society.

The two organizations have further committed to:

  • Share knowledge, ideas, and lessons learned in Internet policy, encryption, and the Internet way of networking in Africa.
  • Pool efforts and expertise in responding to Internet policy issues in Africa.
  • Undertake joint research and stakeholder engagements, and lead advocacy on critical Internet policy and Internet development issues in the region.

CIPESA has a history of advocating for digital rights and building capacity on digital security in Africa, mostly through research, stakeholder engagements, and knowledge sharing. This agreement with the Internet Society will strengthen CIPESA’s efforts while enabling it to also reach new constituencies in Africa.

Wairagala Wakabi, Executive Director of CIPESA, says, “The key to meaningfully promoting digital rights and Internet development in Africa lies in multi-sector partnerships that leverage varied expertise, address the critical and emerging issues, and steadily reach wider constituencies of multiple stakeholders.”

History of Collaboration

The Internet Society and CIPESA have been working together for close to a decade to advance digital rights in Africa.

Their work has focused on strengthening the development of personal data protection guidelines for Africa, fighting against Internet shutdown and restrictions, and growing the community of people advancing digital rights and Internet development in Africa, through the Forum on Internet Freedom in Africa (FIFAfrica).

This article was first published by the Internet Society on August 19, 2021.

A Call on TECNO to Uphold Users’ Privacy and Security

Open Letter

Strengthening the digital security of at-risk groups and organisations amidst growing digital rights attacks in Africa has become increasingly crucial. However, inadequate device security is undermining such efforts.

Investigations by Privacy International have revealed that TECNO – a phone manufacturer with an estimated 47% market share in East Africa and widely used across other regions on the continent – is putting users’ privacy and security at risk. 

Based on testing of a TECNO device – the Y2 – purchased in Uganda, the investigations reveal that the phone’s operating system was outdated, having not received updates since 2013. Further, pre-installed applications that users cannot uninstall were using up space on the device. Whereas the specific model of phone with the vulnerabilities was discontinued from production by TECNO back in November 2019, it remained on sale as recently as 2020.

In response to the revelations, Privacy International, the Collaboration on International ICT Policy for East and Southern Africa (CIPESA), together with nine other civil society organisations have submitted a letter to TECNO calling on the Chinese manufacturer to make changes to their practices and protect users’ privacy and security.

The letter urges TECNO to make three key changes to significantly improve their users’ privacy and security:

  1. TECNO should ship phones with a supported version of the Android operating system.
  2. TECNO should do their best to support the longevity of their devices and therefore combat e-waste. They must tell consumers, at the point of sale, how long their device will be supported, provide regular updates to the device, and notify users when continuing to use a device poses a risk to their privacy or security.
  3. TECNO should minimise the amount of bloatware, superfluous apps and other extras that come pre-installed on their phones. Whenever bloatware is included, it should exist in the user partition and therefore be removable by the user.

“It’s vital that TECNO listen to civil society and make these small changes to protect their users. TECNO users across Africa and the world deserve to know what they’re buying, especially when their phone will no longer receive security support,” said Caitlin Bishop, Privacy International’s project lead on work around low-cost technology.

“Skills in digital security and safety are lacking among some of the most at-risk groups in many African countries. Surveillance schemes by state and non-state actors leverage this skills and knowledge gap. It is important therefore that leading device manufacturers, such as TECNO, guarantee privacy and security by design in order to ensure the safety of users,” said Ashnah Kalemera, CIPESA’s Programme Manager.

A copy of the letter can be accessed here.
