The United Nations Human Rights Committee’s findings repudiated the government’s claims that its surveillance law, the Regulation of Interception of Communications and Provision of Communications-related Information Act (or, Rica, as it’s commonly called in South Africa) is justifiable, given the country’s extremely high crime rate and the global terrorist threat.
Rica makes it illegal to intercept communications without a warrant from a designated judge (the “Rica” judge). Law enforcement and intelligence agencies are authorised to use the act to assist their investigations, providing they follow the procedures in the act.
South Africa has a sorry history of government abuse of communications surveillance to repress the anti-apartheid movement, and memories of these abuses remain strong. However, various global and local factors at the dawn of the new millennium made the country’s citizens more open to rights-limiting laws such as Rica.
South Africa’s Parliament passed Rica into law along with other anti-terrorist laws in the wake of the September 11 attacks on the US. The world was in shock at the brutality of the attacks, and locally, citizens were also crime-weary after a massive crime spike in the late 1990s.
But more people are realising that, in their freedom, they may have given an important element of their freedom away – their communications privacy. The Snowden revelations have highlighted the dangers of under-regulated surveillance. More South Africans have also become unhappy with poor service delivery and systemic corruption, and formed political organisations, trade unions and social movements outside the influence of the ruling African National Congress alliance.
When there has been political ferment in the ruling party in the past, different factions have abused their access to the communications surveillance capacities of the state to spy on their perceived opponents. The full extent of these problems came to light in 2008 when a ministerial report into these abuses was leaked to the press (known as the Matthews Commission report).
The Commission proposed wide-ranging reforms to prevent similar abuses from occurring again. However, there is little reason to believe that these reforms have been implemented. One of the practices it criticised was that mass surveillance did not fall under Rica. The UN Committee has amplified this criticism in its report.
There are two interception centres in South Africa: the Office for Interception Centres (OIC), which is established by Rica to undertake communications interceptions, and the National Communications Centre (NCC), which undertakes mass surveillance and which isn’t established or regulated by any law. This renders mass surveillance and the activities of the NCC unlawful and unconstitutional. After the Matthews Commission report was released, the then Ministry of Intelligence developed two bills to regulate the activities of the NCC, but once the Jacob Zuma presidency assumed office, the bills were shelved.
This means that the most powerful mass surveillance machine of the state is the one that is least regulated: an issue that should concern South Africans greatly as the government already has a track record of abusing it.
Other abuses have come to light, in spite of the lack of transparency around government spying. Sunday Times journalist Mzilikazi wa Afrika had his communications intercepted by members of the Crime Intelligence Division of the police, on suspicion that his frequent trips to neighbouring Mozambique meant that he was gun-running. Yet, in fact, he was pursuing a story for the paper.
Perversely, the Inspector-General of Intelligence – tasked with oversight of the country’s intelligence services – declared the interception of wa Afrika’s communications legal, as the police had followed the Rica process. This situation arose because the grounds for the issuing of interception warrants in Rica are vague and speculative: another weakness the committee criticised.
The committee also expressed concern about the lack of independent oversight of the Rica judge’s work, which increased the scope for abuses. The Rica judge marks his or her own homework, in that s/he decides about interception applications and also provides the only reporting on these decisions, through an annual report to Parliament’s intelligence committee.
Rica is also weak on metadata protections. The law sets a lower standard for approving access to archived metadata, in that ordinary judges, who do not necessarily have the specialist knowledge of the designated Rica judge, can approve a request. It also requires communications service providers to retain all metadata (or what it calls communications-related information) for three to five years. Given the increasing difficulty of separating out metadata from communications content – as increasingly metadata reveals content too – this lower level of protection is outdated and unjustifiable.
Blanket retention of metadata has become a hugely controversial issue. In 2014, the European Court of Justice struck down the European Union Data Retention Directive as being disproportionate to the aim it sought to achieve. Yet, South Africa remains out of step with this important development, and persists with the blanket retention of metadata. A recent media report pointed to the trafficking of metadata being widespread, which is hardly surprising as blanket retention lends itself to such privacy-violating practices.
Disappointingly, the committee did not pronounce on another controversial feature of Rica, which requires Subscriber Information Module (SIM) card registration. This practice is a de facto violation of privacy – in that it limits the ability of mobile phone users to communicate anonymously. A growing body of international research also suggests that this practice is useless as a crime-fighting tool, which raises the question of why South Africa persists with it.
More worryingly, mass surveillance technologies can also be bolted onto the SIM registration database. If the authorities have access to International Mobile Subscriber Information (IMSI) catchers, or “grabbers” as they are known in South Africa – and there is evidence that they do – then they could use the database to print out the names and addresses of every mobile phone-carrying participant in an opposition protest, for instance. The potential for abuse of such a database is huge.
The committee also did not pronounce on the fact that Rica does not make provision for user notification: in other words, once investigations have reached a nonsensitive stage and warrants have expired, users whose communications have been intercepted should be informed. The committee did not pronounce explicitly on this important issue despite the growing international lobby supporting such notification as a general rule, although they did argue for more transparency. Such a provision would be an important check and balance on abuse.
In spite of these silences, the committee’s report is a major advance for the struggle for privacy of communications in South Africa. It is now up to civil society and popular movements to pick up the cudgels and ensure that abuses – to the extent that they exist – are stopped.
Many have argued that in the age of the internet of everything, privacy is dead. Those who make this argument, including in South Africa, appear not to be aware that the struggle for privacy is, in fact, alive and well, and even gaining ground. Happily, the committee’s report on South Africa shows that reports on the death of privacy are greatly exaggerated, to paraphrase Mark Twain. DM
Jane Duncan is a professor in the Department of Journalism, Film and Television at the University of Johannesburg. She is a member of the Right2Know Campaign (R2K), and the Media Policy and Democracy Project (MPDP), which recently completed a major study on communications surveillance in South Africa. She was part of a delegation to the recent UN Human Rights Committee hearings on South Africa, representing R2K, Privacy International and the Association for Progressive Communications (APC). The three organisations collaborated on a submission to the Committee on privacy and surveillance. An edited version of this article was originally published on Privacy International’s blog.