Cyberspying. Hackers. Drones. Mass interception devices. Row upon row of servers storing millions of conversations. High resolution cameras, and uniformed personnel in war rooms watching our every move on an array of obnoxiously oversized screens. This is what comes to mind when one hears the phrase “government surveillance”. The astounding advances in surveillance tech mean that the all-seeing eye of Big Brother has never been more powerful – or more difficult to regulate. But the biggest threat to our privacy may lie in something completely unglamorous, old school and low-tech: phone bills. By HEIDI SWART.
Heidi Swart is a journalist who has extensively investigated South Africa’s intelligence services.
This story was commissioned by the Media Policy and Democracy Project, an initiative of the University of Johannesburg’s department of journalism, film and TV and Unisa’s department of communication science.
It’s not his finest hour. Senior magistrate of the Cape District, HJ Venter, is in the witness box of the Western Cape High Court. The success of a serious criminal case over which he presided may be in jeopardy, and he has some serious questions to answer.
It all started mid-2003. In just over three months, three cigarette trucks belonging to the British American Tobacco Company of South Africa (BATSA) were hijacked – two in the Western Cape, near Rawsonville and Darling, and a third outside Port Elizabeth in the Eastern Cape. Armed men disguised as police and traffic officials pulled over the trucks at mock road blocks, and stole their cargo. After the first two robberies, police were clueless.
Fortunately, an informer identified five suspects, and provided law enforcement with the numbers of the cellphones they allegedly used during the heists.
Today, a three-year-old will warn you that it’s a bad idea to use your mobile during a robbery. But back in 2003, the boys probably didn’t think much about the fact that their phones were generating incriminating data. A mobile service provider’s network stores information about outgoing and incoming calls, primarily for billing purposes. The data includes the ownership details of the phone and SIM card, the numbers you dial, the numbers of the people who call you, the call duration, the starting and finishing times of calls, and your approximate location when you make or receive a call. This information is known by various names – call records, billing records, call data, call-related information, metadata, and archived communications-related information, to name a few.
Police can obtain this information from mobile service providers, and use software to do a detailed analysis showing your personal communication habits and movements. The data can place a suspect near the crime scene at the time of its occurrence, and can show a connection between suspects, or reveal new suspects. It can be used to create visual maps of the personal comings and goings of a single person of interest, or to investigate multiple crimes with many role players, such as hijacking operations or smuggling rings. When it comes to such organised crime syndicates, the number of cellphones involved may reach double digits. A month’s call records for 30 numbers can result in thousands of data sets. The gang will be happily retired by the time the next generation of police officers have finished figuring out the connections.
But South African law enforcement seems well equipped to deal with massive data sets: Introducing IBM’s i2 Analyst’s Notebook. (For a fun interactive tutorial, go here.) A 2015 court judgment in which nine people stood accused of smuggling abalone reveals SAPS’s use of this software. Call data, which service providers give to the police in electronic format (the days of printouts are long gone), is imported into the programme. Now, a speedy visual analysis of masses of call records is possible. For instance, it can instantly show the strength of connections between suspects (based on how often they spoke, and how long) and reveal major role players who were never on the radar. Three sources – each with close working relationships to SAPS – have confirmed that this software is still in use. According to one of those sources, about 1,500 police officers in South Africa are trained to use it.
So, in the 2003 BATSA hijacking case, the police approached the service providers and got the call records for the cell numbers that the informer gave them. The records were used as evidence in the trial; they revealed the approximate locations where the phones were used on the days of the robberies, as well as on the days before and after. At this stage, things didn’t look good for the gang.
But early in the trial, four of the 11 accused cried foul. They wanted their call records declared inadmissible as evidence, and a trial-within-a-trial ensued to decide if the call records were properly obtained. The accused had a strong case. Enter Rica: The Regulation of Interception of Communications and Provision of Communication-related Information Act. Long name, basic aim: To protect your constitutional right to privacy, Rica bars law enforcement agencies from monitoring your calls without a court order from a specially designated judge – a.k.a. the Rica judge. Police must present the mobile service provider with the court order, and only then is the SP compelled to assist – or face penalties that could land an individual employee in jail or in debt.
Similarly, Rica prevents police from obtaining call records from your SP without a court order.
But if you’re in Pofadder and need to get call records a.s.a.p.., you may not have time to wait for the only Rica judge in the country – who sits in Pretoria – to give the green light. Fret not! Rica states that law enforcement can use another law – section 205 of the Criminal Procedures Act. With section 205, you can pop into the nearest court and apply to a high court judge, regional court magistrate or magistrate to give you the thumbs up.
However, in the BATSA case, two of the section 205 court orders were anything but watertight, and this is what senior magistrate Venter had to answer for. The thing is, Rica demands that police only listen in on calls or obtain call records if all other sleuthing attempts have failed to produce sufficient evidence, or would be too dangerous. And the police need to convince the court of this. At the very least, they need to open a case docket with a witness statement, or some other form of evidence, as part of their motivation. Then, they must make a formal application on which a public prosecutor must sign off. After this, a judge or magistrate must review the application and evidence for final approval.
However, in the BATSA trial-within-a-trial, presiding high court judge Lee Bozalek was unconvinced that the senior magistrate had properly scrutinised the relevant statements before issuing the section 205 court orders. Bozalek said in his final ruling that during cross-examination the magistrate had to concede that the statements “made no mention at all of the cellphone numbers in question, let alone any persons who may allegedly have used such numbers in connection with the commission of any crime”. Bozalek opined that the “main determinant of the magistrate’s attitude to the applications” seemed to be the fact that the deputy-director of public prosecutions had signed off on them.
The cellphone evidence related to the four accused was thrown out, with Bozalek making it clear that when approving a court order for call data records, “the issuing magistrate’s function is decidedly not that of a ‘rubber stamp’”.
Fortunately, all was not lost, because there was enough other evidence to convict. But the case illustrates some very real threats to successful criminal prosecution – and your privacy.
And this case is no exception. A mobile security expert with detailed knowledge of the working relationship between law enforcement and mobile service providers said that at times magistrates did in fact appear to rubber-stamp section 205 court orders. The source stated that in their experience law enforcement sometimes requested several months’ worth of call data, and that the purpose of collecting all that information was difficult to fathom. (Rica compels mobile service providers to keep subscribers’ call records for a minimum of three years, up to a maximum of five years. Thus, it’s possible to look years into your past.) The source added that it was possible for police to write down additional numbers on a court order after the court approved it; there is no standard form for section 205 court orders to prevent this.
A second source, another mobile security specialist with ties to crime intelligence and intimate knowledge of the section 205 application process, attests to similar practices. The source said that police at times presented a service provider with a legitimate section 205 court order with a list of numbers belonging to genuine suspects. Then, extra numbers unrelated to a case were added to this list, without the service provider’s knowledge. This was usually the doing of an individual law enforcement officer wanting to obtain information to sell to third parties.
Another clearly documented case backing up the sources’ statements is illustrated in the trial of businessman Glenn Agliotti. In 2010, Agliotti was acquitted of a string of charges, including the murder of mining magnate Brett Kebble. The state failed to provide sufficient evidence.
During the trial, it emerged that section 205 court orders were used to get call records of Agliotti’s defence counsel – Advocate Lawrence Hodes, some of Hodes’ clients, Hodes’ father (who was an advocate but unconnected to the case), other law firms, and private investigator Warren Goldblatt. During the entire investigation, at least 50 lever arch files filled with cellphone records were subpoenaed. In his final judgment, judge Frans Kgomo said: “Nobody could shed any light to this court what could have happened to all that data because only a handful of data was handed in and used as exhibits in this case.” He added: “…if this state of affairs did occur or does occur and is allowed to persist, we should all be afraid, very afraid!”
And we should be.
Based on information provided by a mobile industry insider who has ties to the major service providers, at least 1,600 to 2,000 section 205 court orders for call records are served on SPs each month. And that’s an extremely moderate estimate. The source could not provide statistics for section 205 court orders served on all service providers, and it’s possible that the true figure could be double that number. According to the source, one court order could request records for more than one cellphone number. It may sound like a big figure, but let’s put that into perspective: The four major service providers combined had over 80-million subscriptions in the 2015/2016 financial year, and police statistics show that over two-million serious crimes were reported between April 2015 and March 2016.
(We asked the Ministry of Justice and Correctional Services if it could provide statistics for the number of section 205 court orders for call records issued nationally. Spokesperson Advocate Mthunzi Mhaga? said that the lower court judiciary did put in place measures to keep records of section 205 proceedings. However, he said that the department was “not in possession of statistics of the number of section 205 orders which were issued”.)
In both the BATSA and Agliotti cases, there was a second judge to make sure that the law was upheld. But who usually double-checks procedures?
An obvious candidate is the Rica judge. After all, Rica was established to protect citizens from this type of abuse. However, says Mhaga, a designated Rica judge cannot be approached to issue an order in terms of section 205 of the CPA. He explains further: “The designated judge is not involved in proceedings in terms of section 205 of the Criminal Procedure Act and no statutory duty exists which requires the designated judge ‘to keep track of or review’ proceedings in terms of section 205 of the Criminal Procedure Act.”
Also, although Rica (section 19) does provide its own procedures for police to obtain call records, section 19 Rica applications are not overseen by the Rica judge either. These applications are also processed by the high and magistrates’ courts. And the Rica judge does not double-check section 19 applications, because there is no legal obligation to do so (although the Rica judge must keep copies of those applications and the related court orders for at least five years).
In any event, section 19 of Rica is seldom used when compared to section 205 of the CPA. A source within the public prosecutor’s office said that, in their experience, only section 205 was used to apply for call records. When we asked the department of justice for clarity on the matter, Mhaga said, “It is probable that most call-related information is obtained in terms of section 205 of the Criminal Procedure Act.” He said that section 19 of Rica is primarily used when call records have to be obtained on a continual basis as it becomes available.
Bottom line: The public must rely on the police, the public prosecutor and the courts to make sure private call records are not unduly released.
When we asked SAPS about the potential misconduct of police officers when using section 205 procedures to obtain call records, they appeared at ease to leave the matter in the hands of the courts. SAPS spokesman Brigadier Vishnu Naidoo said investigators are expected to comply with the set procedure. If they don’t, “the court is at liberty to take corrective steps in respect of the evidence”.
However, the Justice Department is not sitting idle. Says Mhaga: “The Department is currently in a process to revise the Rica. Most other countries have also revised their interception legislation to ensure a more open and transparent process which is aimed at protecting the privacy of the communications of persons relative to the legitimate needs of the State to protect its subjects against crime. International developments will be taken into account during this revision process. Section 205 of the Criminal Procedure Act, which was amended by the Rica to provide for the provision of archived communication-related information, will also be considered during the revision process.”
For now, activists and civil society would do well to watch that revision process keenly: Call-related data, when compared to actual phone calls or text messages, comprise by far the greatest portion of intercepted personal information. And as things stand, the one law established to protect us from illegal interception – Rica – ultimately does little to put one’s mind at ease when it comes to call record privacy. DM
Photo by _mixer_ via Flickr