Civil Society Groups Denounce the European Union’s Involvement in Surveillance in Africa

Open Letter |

The increasing involvement of foreign entities in undermining democracy and respect for human rights in the digital sphere in Africa is widely documented. Whereas these schemes have mostly been attributed to spyware vendors and data analytics firms, recent disclosures have implicated the European Union (EU).

Investigations by Privacy International have revealed the use of EU aid and cooperation programmes to train and equip security forces in Africa with surveillance techniques. The disclosures reveal that the European Union Agency for Law Enforcement Training (CEPOL) has trained police and security agencies in Algeria, Morocco and Tunisia in phone and internet surveillance, including social media monitoring, telecommunications metadata analysis, device investigations and data extraction. According to Privacy International, whereas cybersecurity, terrorism and violent extremism are threats in the countries that CEPOL is supporting, “the absence of effective privacy and security safeguards and in contexts where security agencies arbitrarily target activists, journalists and others, surveillance techniques and tools pose a serious threat to people’s rights and their work.”

In Algeria, Egypt, Niger, Libya, Morocco, and Tunisia, EU bodies are reportedly training and equipping border and migration authorities with surveillance tools, including wiretapping systems and other phone surveillance tools, in a bid to “outsource” the EU’s border controls. Further, support for the development of biometric identity systems in Cote d’Ivoire, Mali and Senegal with EU aid funds is raising serious privacy concerns.

In response to the revelations, Privacy International, the Collaboration on International ICT Policy for East and Southern Africa (CIPESA), together with 12 civil society organisations from Europe and Africa have submitted a letter to the European Commission calling for urgent reforms to EU aid and cooperation programmes to ensure they promote privacy protections in non-member countries and do not facilitate the use of surveillance which violates fundamental rights.

In the letter, the civil society organisations call on the European Commission to enact strict due diligence and risk assessment procedures, and to agree to transparency, parliamentary scrutiny and public oversight measures aimed at protecting human rights in non-member countries.

A copy of the letter is available here.

The Stampede for SIM Card Registration: A Major Question for Africa

By Edrine Wanyama |
It is anticipated that by 2025, there will be at least 5.9 billion mobile subscribers accounting for 71% of the world’s population. As of 2017,  Sub-Saharan Africa (SSA) had  a mobile subscription rate of 44% which is projected to reach  52% by 2025. Further, SSA’s mobile internet penetration by 2017 stood at 21% and is anticipated to increase to 40% by 2025.  However, the region has registered the largest number of cases of mandatory SIM card registration yet it suffers some of biggest challenges in personal data protection and privacy.
The benefits of SIM card registration include facilitation of citizens’ access to e-Government services, easy identification of an individual’s mobile number and number portability when switching networks. In addition, it aids combating cybercrime including terrorism by limiting covert communication and promotes good relations between consumers and service providers by simplifying identification of consumers and their use of SIM services. Accordingly, many governments argue that mandatory SIM card registration is for purposes of safeguarding digital and physical security. However, critics argue that when SIM card registration is effected without due safeguards, it poses a threat to privacy and freedom of expression.
Indeed, in 2013 Mexico repealed its policies on SIM card registration “after a policy assessment showed that it had not helped with the prevention, investigation and/or prosecution of associated crimes.” Finland has not enforced compulsory SIM card registration and nonetheless, through voluntary mobile signatures, service providers has succeeded in facilitating user’s access to relevant retail, banking and e-Government services.
Globally, over 90 countries conduct compulsory SIM card registration yet some remain without clear policy on its implementation. Amidst criticisms that mandatory registration does not necessary combat cybercrime, as criminals take the necessary precautions to avoid being detected and circumvent mandatory SIM card registration, African countries continue to proactively enforce SIM card registration. Among the prevailing challenges on the continent is the difficulty in validating identity documents in an environment with a wide range of service providers who create room for potential circumvention.
Mandatory registration has negatively affected access and usage of mobile telecommunication services due to the tedious process which entails the production of documentation such as passports and national identity cards prior to registration, which sometimes results in failure to attain a SIM card, disconnection, or  deactivation of SIM cards.
Additionally, there have been repetitive calls for registration of SIM cards in countries such as Uganda and Nigeria with personal data being collected  more than once. In Uganda, despite government explanation that SIM card verification is aimed at ensuring secure and safer communications, citizens have unanswered questions on the exercise. Suspicion arises due to a fresh validation of SIM card registration using national identity cards subsequent to registration which was initially done using valid documents such as students’ identity cards, driving permits and passports.
Double collection of personal data may partly imply collection of data beyond what is necessary for the purpose contrary to the internationally established data protection principles such as those set out in the Organisation for Economic Co-Operation and Development (OECD) Data Protection Principles. Further, there is no guarantee of individual privacy as most of the African countries do not have data protection laws. Moreover, most of the existing data protection laws do not meet internationally recognised standards considered sufficient to guarantee personal data protection and are therefore regarded as offering moderate or limited protection.
Meanwhile, efforts to buttress data protection in Africa have not yielded much. Out of 54 countries on the continent, only 14 have data protection laws (Angola, Benin, Burkina FasoMali, Gabon, GhanaIvory Coast, Lesotho, Madagascar, MoroccoSenegalSouth AfricaTunisia and Zimbabwe). A few others such as Uganda, Kenya, Nigeria, Tanzania and Niger have Bills. Regional efforts have also not yielded much. The Convention on Cyber Security and Personal Data Protection which was adopted by the African Union in 2014 has registered only 10 signatories (Benin, Chad, Congo, Ghana, Guinea-Bissau, Mauritania, Sierra Leone, Sao Tome & Principe, Zambia and Comoros) and one ratification by Senegal.
Ultimately, there is need to reconcile state interests with citizens’ personal data and privacy rights. Mandatory registration, especially in the absence of clear registration guidelines and the lack of data protection laws, puts personal data at risk. African governments need to learn from other jurisdictions such as Europe with regards to processing of personal data as part of SIM card registration. In enforcing SIM card registration, there should be a clear set registration timelines, clear and unambiguous registration requirements.

Bridging Cyber Security Gaps: SMEs Trained in Uganda

By Edrine Wanyama |
Uganda’s Small and Medium Enterprise (SME) sector is credited with contributing 20% to the country’s Gross Domestic Product (GDP) in 2016. While the level of adoption of technology as a key component of operations within the sector remains unclear, its effective utilisation requires entities to also embrace safety and security measures as a priority.
Identifying security controls to defend against cyber threats and data protection thus formed the basis of discussions at a cyber standards training workshop for SMEs in Uganda. Organised by the National Information Technology Authority (NITA-U) in collaboration with the Commonwealth Telecommunications Organization (CTO), the workshop, held in Kampala, Uganda on August 23-24,2017 targeted SME entrepreneurs, banking industry officials as well as ICT sector representatives from non-government organisations and other ICT stakeholders.
The workshop explored the Information Assurance for Small Information Assurance for Small to Medium Enterprises (IASME) which encourages SME’s to comply with international information security management standards
Possible risks include; theft of data for monetary gain or competition by criminals, hacking, physical insecurity to staff and office equipment, malware attacks, insecure configuration, updating software from unreliable sources, access control and spam.
Discussions on information security are abound in Uganda as the Data Protection and Privacy Bill, 2015 makes slow progress in Parliament while laws like the Computer Misuse Act, 2011, The Electronics Signatures Act, 2011 and the Electronic Transactions Act, 2011 do not fully address the issue of data protection and privacy.
According to a 2016 report based on a global survey of cybersecurity managers and practitioners, cyber security and information security is considered a technical issue rather than a business imperative.  The findings of this study echo sentiments held by civil society organisations which face similar digital security threats including increasingly sophisticated threats and rate of incidents according research conducted by the Collaboration for International ICT Policy in East and Southern Africa (CIPESA). It revealed that various CSOs were concerned about, or had been victims of hacking attempts on their email accounts and internal networks, that they had been targeted by phishing emails, and that they feared their activities were being surveilled by authorities
In order to be better positioned to address cyber threats, civil society and SME need to be equipped with skills encompassing both online and offline responses. These include knowhow on policy and compliance, physical environmental protection, risk assessment, access controls, incident management, monitoring, backup, malware identification and technical intrusions.
Through a cyber essentials course and practical exercises, participants at the workshop were equipped with basic skills for enabling non-technical users to establish five information security controls including malware protection, access control, patch management, secure configuration, boundary firewalls and internet gateways.
As a follow-up to the exercise, selected participants will undergo further training for possible contracting as IASME information security assessors for SME’s. CTO’s international events and seminars are conducted in all countries of the Commonwealth, across the continents of Africa, Europe, the Americas, Asia and the Pacific region. Specifically, in Africa, the events have been held in Botswana, Cameroon, Ghana, Kenya, Liberia, Mozambique, Nigeria, Papua New Guinea, South Africa, Swaziland and Uganda.
 

Announcement: Forum on Internet Freedom in Africa 2016

The Forum on Internet Freedom in Africa is scheduled to take place on September 27–29, 2016 in Kampala, Uganda.
The Forum provides a unique opportunity to deliberate and build a network of supporters of internet freedom in Africa. It brings together a wide range of civic actors such as journalists, bloggers, human rights defenders, and activists, private sector actors such as telecom companies, as well as communication regulators and law enforcement.
In 2015 the Forum assembled panelists from a diversity of backgrounds, which facilitated spirited discussions as captured in this report.

See the 2015 Forum Highlights video

A key highlight at the Forum is the launch of the State of Internet Freedom in Africa report that captures trends on internet freedom in select African countries. The 2016 report will cover the most number of countries so far.
These deliberations come as various African countries witness a slide in online freedom of expression and association, as well as breaches of the rights to privacy and access to information.
Visit the Forum page for more information.
Eventbrite - Forum on Internet Freedom in Africa 2016

Report: Women's Rights and the Internet in Uganda

By APC, CIPESA, WOUGNET |
This submission is a joint stakeholder contribution to the second cycle of the Universal Periodic Review (UPR) mechanism for Uganda. This submission focuses on women’s rights and the internet in Uganda. It explores the extent of implementation of the recommendations made in the previous cycle of the UPR and also identifies emerging concerns in Uganda regarding women’s rights online.
See the full report here