Promoting Effective and Inclusive ICT Policy in Africa

Tag Archives: surveillance

  HomeCollaboration on International ICT Policy for East and Southern Africa (CIPESA)  /  surveillance
09Dec

Africa in the Crosshairs of New Disinformation and Surveillance Schemes That Undermine Democracy

Author admin Posted on

By Daniel Mwesigwa |

A range of spyware vendors including Italian Hacking Team, the Anglo-German Gamma Group, and Israeli’s NSO Group, have found a ready market in authoritarian and repressive governments in Africa and elsewhere. Similarly, systematic propaganda campaigns designed by meddlesome actors – including government agents and ambitious data analytics companies such as Cambridge Analytica working on behalf of state and non-state actors – are becoming conspicuous in Africa, especially during electoral periods. 

The tools and tactics of these operators, who are mostly non-African, are increasingly undermining democracy and respect for human rights in Africa, as they enable mass surveillance and disinformation that manipulates and undermines political discourse. 

For example, Chinese tech giant Huawei and its technicians were implicated in an August 15, 2019 exposé by The Wall Street Journal that detailed how the company’s staff had helped the Uganda Police to hack into the encrypted communications of an opposition figure. As a result, the security officers were able to thwart the opposition leader’s mobilisation plans. The article also stated that technicians from Huawei had helped Zambian authorities to access the phones and social media pages of a group of opposition bloggers who were tracked and arrested. 

Through security vulnerabilities, spyware tools and products give governments, notably intelligence and law enforcement authorities, super powers to surveil using covert intrusion systems across major mobile platforms and operating systems. In 2016, the Citizen Lab, an interdisciplinary lab working at the intersection of global affairs and technology at the University of Toronto, uncovered Pegasus – a sophisticated malware developed by the NSO Group that is injected into a target’s phone via text or WhatsApp, a popular messaging tool in Africa. The Citizen Lab has since identified Pegasus operations in over 45 countries including Algeria, Egypt, Ivory Coast, Kenya, Morocco, Rwanda, South Africa, Togo, Uganda, and Zambia. But NSO has reportedly bragged time and again how it can penetrate various operating systems and applications irrespective of the security patches.

According to the 2019 State of Internet Freedom in Africa Report, the “surveillance state” in Africa gained notoriety at the turn of the decade, after the infamous Arab Spring that swept across North Africa in 2011, allegedly amplified by dissident voices on social media. The report documents how repressive states such as Tanzania, Uganda, Ethiopia, Botswana, and Rwanda have since boosted their surveillance capabilities through procurement of advanced spyware. In 2015, it was revealed that Uganda and Tanzania had procured Hacking Team’s premium Remote Control System (RCS) for intrusion into systems across major mobile platforms and operating systems. 

More recently, the Financial Times reported that Rwanda paid up to USD 10 million to the NSO Group to spy on government critics and dissidents through WhatsApp – an allegation Rwanda president Paul Kagame denied in a presidential press briefing held on November 8, 2019, only acknowledging that they spy on “our enemies” using “human intelligence”. He added, “I wouldn’t spend my money over a nobody [Rwandan exiles] yet we have sectors like education to spend such money”. 

But Kagame’s denial is to be taken with a pinch of salt. In 2016, a Rwandan court sentenced a popular singer, Kizito Mihigo, to 10 years in prison on allegations of conspiracy to overthrow the government, based on hacked private WhatsApp and Skype messages exchanged with alleged dissidents in exile. 

The alleged Rwanda cases appear to be linked to others of NSO infiltrating the WhatsApp accounts of journalists, human rights activists, political dissidents, prominent female leaders, and other members of civil society in up to 20 countries, which prompted Facebook (the owners of WhatsApp) to sue NSO in October 2019. The lawsuit brought by Facebook in the U.S Federal Court accuses the spyware maker of hacking into the WhatsApp accounts of 1,400 users worldwide. While there are scanty details on the exact identities of the affected, it is reported that 174 are lawyers, journalists, human rights defenders and religious leaders.

According to the Financial Times, those targeted in Rwanda, six of whom it interviewed and they confirmed being alerted by WhatsApp about the possible NSO-enabled surveillance of their communications. These included a journalist living in exile in Uganda, who had petitioned the Uganda government “to help protect Rwandans in the country from assassination”; South Africa and UK-based senior members of the Rwanda National Congress (RNC), an opposition group in exile; an army officer who fled Rwanda  in 2008 and testified against members of the Rwandan government in a French court in 2017; and a Belgium-based member of the FDU-Inkingi opposition party.

Meanwhile, some foreign powers are purportedly testing, as New York Times recently reported, “New Disinformation Tactics in Africa to Expand Influence”. The report detailed how the Wagner Group founded by businessman Yevgeny Prigozhin, who allegedly has close ties to the Russian government, has over the last couple of years been running aggressive disinformation campaigns on Facebook. 

It is reported that Prigozhin’s campaign used locally-opened Facebook accounts to disguise behaviour and also used sham news networks that regularly reposted articles from Russia’s state-owned Sputnik news organisation to promote Russian policies while undermining US and French policies in Africa. On October 31, 2019, Facebook reportedly removed these accounts that were influencing operations “in the domestic politics” of eight African countries – Cameroon, the Central African Republic, Congo Brazzaville, Ivory Coast, Madagascar, Mozambique, and Sudan.

Earlier in 2019, Facebook reportedly shut down a separate “fake news” operation targeting elections in African countries such as Nigeria, Senegal, Togo, Niger, Angola, and Tunisia, propagated by “inauthentic” accounts on Facebook and Instagram run by Israeli commercial firm, Archimedes Group.  Between 2013 to 2017, governments such as Kenya and Nigeria reportedly hired Cambridge Analytica to manipulate their electorate in a bid to win presidential elections for the incumbents.

Besides the disinformation campaigns linked to Russian actors, and the Israel-made spyware, there are also facial recognition surveillance programmes such as the Huawei’s “Smart Cities”, which has been deployed in 12 African countries. This phenomenon is referred to by some as an export of digital authoritarianism. 

It is now evident that governments and non-state actors face an uphill task of combatting the governance challenges caused by this phenomenon. Accordingly, governments, with the help of tech platforms, need to understand what legislation and policies, including oversight and enforcement mechanisms, are necessary to strengthen the protection of democracy and human rights in the rapidly changing digital world.

17Sep

Zone 9 Bloggers To Speak on Censorship, Repression and Surveillance at the Forum on Internet Freedom in Africa 2018 (FIFAfrica18)

Author admin Posted on

Announcement |
In order to contribute to the democratic discourse in Ethiopia, in May 2012, nine individuals formed the Zone 9 blogging collective – a loose network of activists regularly blogging and campaigning on human and democratic rights. However, two weeks after the launch of the initiative, the Ethiopian government blocked access to the collective’s online platform. In April 2014, six members of the collective were jailed on allegations of working with foreign organisations and rights activists by “using social media to destabilise the country.” The other three members fled into exile.
At the upcoming Forum on Internet Freedom in Africa 2018 (FIFAfrica18) members from the collective will share a stage and speak on their experiences of censorship, repression and surveillance. In an hour and half long session, members of the collective will share their stories including the tactics employed by the state to surveil and censor them, their trial, imprisonment for 15-18 months, and post-incarceration trauma. Their participation will serve as a means of raising awareness on the realities of being an activist in a repressive state and life after release from incarceration.
See draft Forum agenda
The collective gets its name from the eight zones of the notorious Kaliti prison in Addis Ababa where political prisoners are housed. The ninth zone is a metaphorical extension of the zones to apply to the rest of the country due to the harsh controls on freedom of speech and association across Ethiopia at the time.
In February 2018, after six years of facing charges that included terrorism and inciting violence, prosecutors in Ethiopia dropped all charges against the last members of the collective that still faced prosecution.  The announcement came as part of ongoing economic and political reforms in the country since the resignation of former Prime Minister Hailemariam Dessalegn in February 2018, and appointment of a new premier, Abiye Ahmed, two months later.
Since then, the government has freed thousands of prisoners; announced measures to liberalise the telecom  sector; and dropped charges against many opposition leaders, bloggers, and activists. Further, the new administration has lifted the state of emergency that had been reinstated in February 2018, reconnected mobile and broadband internet services that were cut off since 2016, and unblocked 246 websites, blogs, and news sites that had been inaccessible for over a decade.
See more about Ethiopia’s reforms.

Who are the Zone 9 Bloggers?

Zelalem Kibret is an Ethiopian scholar and blogger. He was previously a Scholar-at-Risk fellow at the Hutchins Center for African and African American Research, and the Center for Human Rights and Global Justice, at New York University School of Law. By training, Zelalem is a lawyer specialised in Public International Law. Until April 2014, he was a Professor of law at Ambo University in Ethiopia.
Among his interests is research which focuses on transitional politics and justice, traditional justice, individuals in international law, counter-terrorism, new social movements, and liberation technology.
Zelalem is the co-recipient of the 2015 Committee to Protect Journalists’ (CPJ) International Press Freedom award and the 2015 Reporter Sans Frontieres’ (RSF) Citizen-Journalist award. He earned his LL.M degree from Addis Ababa University in Public International Law.


Nathenael Feleqe Aberra is a co-founding member of Zone 9 Activists and Blogging collective. He is an active member of the Ethiopian Economics Association and a full time employee in a financial intuition in Ethiopia  with close to eight years’ experience in Human Resource Management. His interest areas include Economic Development, Democracy and Human Rights.
 


Jomanex Kasaye | Born and raised in “the jewel of rift valley” – Adama also known as Nazareth located 90 km from the capital Addis Ababa, Jomanex is an Information Technology enthusiast, who has previously worked as a tutor and system administrator in addition to running his own businesses. He is a co-founding member of the Zone 9 Activists and Blogging collective and now lives in exile.

Befekadu Hailu Techane describes himself as a Management Information Systems (MIS) expert by profession who turned a writer by inclination. His novella titled “Children of Their Parents” won the Bill Burt Award for African Literature (Ethiopia) in 2012. He has worked as an editor for Enqu Magazine, editor-in-chief for Weyeyet Magazine and volunteering editor for Global Voices [all in Amharic]. His blogging and activism work has seen him jailed four times – including an 18 month detention period. Befekadu is among the co-founders of the Zone 9 Activists and Blogging collective.
He currently works as a columnist for Duestche Welle Amharic Service, as a freelancing journalist for ethiotube.net, an internet TV channel, and part-time program coordinator for Ethiopian Human Rights Project.


Atnafu Brhane is a blogger and human rights activist in addition to being one of the co-founders of the Zone 9 Activists and Blogging collective. He began his career as an IT expert for a local administration office in Ethiopia before joining the collective. He also worked with Article 19 East Africa to give digital security trainings for human rights activists and journalists.
His work with the collective saw him get arrested and charged with terrorism in 2014 following which he spent 18 months in prison. He currently works as Digital Media Coordinator and Campaigner for  the Ethiopia Human Rights Project.

Abel Wabella describes himself as a passionate storyteller, who is fascinated by the commencement of the digital era. As a social media marketer, Abel has developed a sound knowledge of new media tools and techniques. Since he started blogging in 2011, he has engaged in social media activism, humanitarian advocacy, social justice projects, localisation and business projects.
As such, Abel shifted his career interests from mechanical engineering into the media arena. His work saw him detained, which served to further fuel his activism. Abel has a vast virtual office experience and is a member of the Global Voices volunteer community of more than 1,400 writers, analysts, online media experts, and translators, which localises its content into 40 languages including Amharic. He is also a co-founder of the Zone 9 Activists and Blogging collective.
Abel is currently working on newly established media called Gobena Street.
 

06Aug

Challenges and Prospects of the General Data Protection Regulation (GDPR) in Africa

Author admin Posted on

Policy Brief |
Privacy is a fundamental human right guaranteed by international human rights instruments including the Universal Declaration of Human Rights in its article 12 and the International Covenant on Civil and Political Rights, in its article 17. Further, these provisions have been embedded in different jurisdictions in national constitutions and in acts of Parliament.
In Africa, regional bodies have invested efforts in ensuring that data protection and privacy are prioritised by Member States. For instance, in 2014 the African Union (AU) adopted the Convention on Cybersecurity and Personal Data Protection. In 2010, the Southern African Development Community (SADC) developed a model law on data protection which it adopted in 2013. Also in 2010, the Economic Community of West African States (ECOWAS) adopted the Supplementary Act A/SA.1/01/10 on Personal Data Protection Within ECOWAS. The East African Community, in 2008, developed a Framework for Cyberlaws. Notwithstanding these efforts, many countries on the continent are still grappling with enacting specific legislation to regulate the collection, control and processing of individuals’ data.
On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) came into effect. The GDPR is likely to force African countries, especially those with strong trade ties to the EU, to prioritise data privacy and to more decisively meet their duties and obligations to ensure compliance.
See this brief on the Challenges and Prospects of the General Data Protection Regulation (GDPR) in Africa, where we explore the consequences of GDPR for African states and business entities.

30May

Sections of Kenya’s Computer Misuse and Cybercrimes Act, 2018 Temporarily Suspended

Author admin Posted on

By Juliet Nanfuka |
Barely two weeks after the presidential assent to the Computer Misuse and Cybercrimes Act, 2018, a High Court judge has issued a conservatory order suspending the entry into force of 26 sections of Kenya’s contentious Computer Misuse and Cybercrimes Act, 2018. The order by Judge Chacha Mwita, suspending the sections until July 18, follows a petition filed by the Bloggers Association of Kenya (BAKE), which challenged the law for contravening constitutional provisions on freedom of opinion, freedom of expression, freedom of the media, freedom and security of the person, right to privacy, right to property and the right to a fair hearing.
In the order issued on May 29, the judge certified BAKE’s petition as urgent, and stated that  respondents (who include the Attorney General, the Speaker of the National Assembly, the head of the National Police Service, and the Director of Public Prosecutions) be served immediately. The respondents would have seven days from receipt to file written submissions. Hearing of the petition is scheduled for July 18, 2018.
Although the conservatory order only stalls the enforcement and could be lifted or maintained thereafter, it nonetheless represents a win for digital rights advocates in Kenya, as they have in the interim satisfied the judge that there is an arguable case to be made against the constitutionality of the recently enacted law. The order also marks another landmark ruling in the litigation towards respect and realisation of digital rights across Africa.

According to the  order, the suspended sections are: 5, 16, 17, 22, 23, 24, 27, 28, 29, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 48, 49, 50, 51, 52 & 53.


Various organisations criticised the bill prior to its assent on May 16, 2018 calling it unconstitutional. Among the organisations were the Kenya ICT Action Network (KICTANET), Article 19 Eastern Africa, BAKE and the Centre to Protect Journalists (CPJ) who deemed numerous sections unconstitutional and detrimental to Kenyan citizens’ digital rights. They said it infringed on the privacy of individuals, freedom of expression, speech, opinion and access to information online.
Kenya already has a history of stifling online critics of the state and state actors, as echoed by James Wamathai, the Director of Partnerships at BAKE. In a statement, he said: “In the past several years, there have been attempts by the government to clamp down on the freedom of expression online. This Act is a testament of these efforts, especially after other sections were declared unconstitutional by the courts.
Among the prevailing concerns on the law is the use of vague language on issues such as “false” or “fictitious” content and false publications in Section 22 and 23, accompanied with heavy obligations on users to verify truthfulness or untruthfulness of information before disseminating. As per section 12, failure to comply would result in a fine of five million Kenyan shilling (USD 50,000), up to two years in prison, or both.
The  court order comes on the heels of the two judgments (Okiya Omtatah Okoiti v The Communication Authority of Kenya and 3 others Constitutional Petition No. 53 of 2017 and Kenya Human Rights Commission v Communications Authority of Kenya and 3 others no. 86 of 2017) by the Kenya High Court in which the petitioners successfully challenged the installation on mobile phone networks of a communication surveillance system dubbed Device Management System (DMS), by the Communications Authority (CA) Kenya (CA). The petitioners argued that, through this system, the authority would have undue access to the communications of citizens.
As more countries in Sub-Saharan Africa develop technology related laws, it is fundamental that the laws uphold human rights standards prescribed at global and regional levels, including in the International Covenant on Civil and Political Rights (ICCPR), the African Charter on Human and Peoples Rights (ACHPR), and African Union Convention on Cybersecurity and Personal Data Protection. However, recent developments such as has been witnessed in East Africa appear to prioritise the criminalisation and penalisation of internet use rather than encourage its adoption as a tool for greater access to information, and for expanding free expression and civic engagement.
Kenya’s neighbours Tanzania and Uganda have this year taken actions detrimental to digital rights. In Uganda, social media taxes that could be introduced in July 2018 threaten internet access and affordability while in in Tanzania, online content producers will have to pay over USD 900 to register with the state for permissions to maintain their platforms, according to new regulations.
 

18Apr

The Stampede for SIM Card Registration: A Major Question for Africa

Author admin Posted on

By Edrine Wanyama |
It is anticipated that by 2025, there will be at least 5.9 billion mobile subscribers accounting for 71% of the world’s population. As of 2017,  Sub-Saharan Africa (SSA) had  a mobile subscription rate of 44% which is projected to reach  52% by 2025. Further, SSA’s mobile internet penetration by 2017 stood at 21% and is anticipated to increase to 40% by 2025.  However, the region has registered the largest number of cases of mandatory SIM card registration yet it suffers some of biggest challenges in personal data protection and privacy.
The benefits of SIM card registration include facilitation of citizens’ access to e-Government services, easy identification of an individual’s mobile number and number portability when switching networks. In addition, it aids combating cybercrime including terrorism by limiting covert communication and promotes good relations between consumers and service providers by simplifying identification of consumers and their use of SIM services. Accordingly, many governments argue that mandatory SIM card registration is for purposes of safeguarding digital and physical security. However, critics argue that when SIM card registration is effected without due safeguards, it poses a threat to privacy and freedom of expression.
Indeed, in 2013 Mexico repealed its policies on SIM card registration “after a policy assessment showed that it had not helped with the prevention, investigation and/or prosecution of associated crimes.” Finland has not enforced compulsory SIM card registration and nonetheless, through voluntary mobile signatures, service providers has succeeded in facilitating user’s access to relevant retail, banking and e-Government services.
Globally, over 90 countries conduct compulsory SIM card registration yet some remain without clear policy on its implementation. Amidst criticisms that mandatory registration does not necessary combat cybercrime, as criminals take the necessary precautions to avoid being detected and circumvent mandatory SIM card registration, African countries continue to proactively enforce SIM card registration. Among the prevailing challenges on the continent is the difficulty in validating identity documents in an environment with a wide range of service providers who create room for potential circumvention.
Mandatory registration has negatively affected access and usage of mobile telecommunication services due to the tedious process which entails the production of documentation such as passports and national identity cards prior to registration, which sometimes results in failure to attain a SIM card, disconnection, or  deactivation of SIM cards.
Additionally, there have been repetitive calls for registration of SIM cards in countries such as Uganda and Nigeria with personal data being collected  more than once. In Uganda, despite government explanation that SIM card verification is aimed at ensuring secure and safer communications, citizens have unanswered questions on the exercise. Suspicion arises due to a fresh validation of SIM card registration using national identity cards subsequent to registration which was initially done using valid documents such as students’ identity cards, driving permits and passports.
Double collection of personal data may partly imply collection of data beyond what is necessary for the purpose contrary to the internationally established data protection principles such as those set out in the Organisation for Economic Co-Operation and Development (OECD) Data Protection Principles. Further, there is no guarantee of individual privacy as most of the African countries do not have data protection laws. Moreover, most of the existing data protection laws do not meet internationally recognised standards considered sufficient to guarantee personal data protection and are therefore regarded as offering moderate or limited protection.
Meanwhile, efforts to buttress data protection in Africa have not yielded much. Out of 54 countries on the continent, only 14 have data protection laws (Angola, Benin, Burkina FasoMali, Gabon, GhanaIvory Coast, Lesotho, Madagascar, MoroccoSenegalSouth AfricaTunisia and Zimbabwe). A few others such as Uganda, Kenya, Nigeria, Tanzania and Niger have Bills. Regional efforts have also not yielded much. The Convention on Cyber Security and Personal Data Protection which was adopted by the African Union in 2014 has registered only 10 signatories (Benin, Chad, Congo, Ghana, Guinea-Bissau, Mauritania, Sierra Leone, Sao Tome & Principe, Zambia and Comoros) and one ratification by Senegal.
Ultimately, there is need to reconcile state interests with citizens’ personal data and privacy rights. Mandatory registration, especially in the absence of clear registration guidelines and the lack of data protection laws, puts personal data at risk. African governments need to learn from other jurisdictions such as Europe with regards to processing of personal data as part of SIM card registration. In enforcing SIM card registration, there should be a clear set registration timelines, clear and unambiguous registration requirements.

1 8 9 10 11 12 13