In 2017, some of Cyril Ramaphosa’s emails were hacked and leaked by unknown individuals. These emails suggested that he was a “blesser”: in other words, that he used his position of authority to prey on young women for sexual favours.

At the time, Ramaphosa claimed that state intelligence resources were being used to smear him. He also claimed that some of the emails had been doctored.

I’ve been struck by the parallels between his account and the activities of the state spy agencies in what could well be the hacking capital of the world, Mexico. Using the excuse of fighting the war against drugs, they have hacked the emails of opposition politicians, journalists and even estate agents, regularly and with impunity.

But the Mexican spies use a brilliant psychological tactic to put their victims on the back foot. They alter the hacked communications slightly to make their victims look even worse than they actually are, and then release them publicly. After that, the spies sit back and laugh as their hapless victims are forced to explain publicly which affairs they had and which they didn’t have.

A source in Ramaphosa’s camp also described how their movements were tracked, to the point where those ANC people who were suspected of collaborating with him were identified and warned to back off.

This description is strongly suggestive of mass surveillance network analysis and location tracking capabilities the State Security Agency (SSA) is known to possess. The spies make use of hacking, too, to the point where by 2015, South Africa had become the third largest named user of one of the most powerful weapons-grade hacking tools in the world, Finfisher.

It is more than likely that the spies have been using mass surveillance (or surveillance that targets many people even if there isn’t a reasonable suspicion of criminality) and other powerful surveillance tools because they are so badly regulated.

Yet the SSA has argued, in a response to the amaBhungane Centre for Investigative Journalism’s constitutional challenge to Rica, that their mass surveillance activities are above board. In this article, I will show why the SSA is wrong.

The SSA’s mass surveillance capabilities are housed in the National Communications Centre (NCC), which is responsible for foreign signals intelligence-gathering (spy-speak for intelligence obtained from communications between someone outside South Africa and someone inside it).

Yet, unlike the Office for Interception Centres (OIC) – which undertakes the Rica intercepts – the National Communications Centre is not established explicitly in any law. That is, there is no law of general application that establishes the NCC, states what its powers and functions are and what the limitations on its powers are. The arguments the SSA have made that existing laws cover the National Communications Centre are simply wrong.

The under-regulation of foreign signals intelligence is not peculiar to South Africa. Spy agencies the world over have argued that because strategic surveillance focuses on big picture issues such as forecasting threats to national security, it must have the freedom to be more wide-ranging than surveillance for criminal justice purposes. This is because a country can never know what national security threats are looming.

But, spy agencies the world over are also being challenged over these arguments. In the wake of the Edward Snowden leaks which revealed how mass surveillance is being abused, increasingly people are not willing to take the spy agencies’ arguments at face value.

Internationally, the tide is beginning to turn against mass surveillance on the basis that it is a disproportionate response to national security threats. In fact, the UN Special Rapporteur on Privacy, Joseph Cannataci, has even predicted “the beginning of the judicial end of mass surveillance”.

At the international level, there are important attempts to rein mass surveillance in. Some time ago, the European Court of Human Rights developed principles for regulating mass strategic surveillance on national security grounds.

The court argued that any founding law mandating strategic surveillance should include the following:

• A clear statement on the nature of the offences giving rise to the surveillance;
• Clearly defined categories of people liable to have their communications intercepted;
• Limits on the duration of interception;
• Adequate procedures for the examination, analysis and storage of the data obtained;
• Adequate precautions when dissemination data to other parties; and
• Clear statements about when the data obtained may be erased or the records destroyed.

There are no such legal requirements placed on the activities of the National Communications Centre, which is hardly surprising as it has no founding law. Several human rights organisations have built on the European Court’s requirements in arguments to the same court, contesting the United Kingdom’s communications surveillance practices.

This case, which was heard by the European Court late last year, is likely to set the standard for mass surveillance regulation around the world, so it is of major significance for the SSA.

Increasingly, spy agencies elsewhere must seek bulk warrants for mass surveillance, a case in point being the United Kingdom. The spy agencies are also being required to subject themselves to greater legal controls around their use of selectors, or the terms they use to search communications en masse. The broader the selectors, the greater the likelihood for abuse. The SSA’s response in the amaBhungane case suggests that their selectors are very broad indeed.

Some jurisdictions have foreign signals intelligence courts. Largely, these have been unsatisfactory checks on abuses of mass surveillance – the US Foreign Intelligence Surveillance Court being a case in point – but South Africa doesn’t even have such a court. In fact, to all intents and purposes the SSA’s mass surveillance activities fall outside Rica.

As far back as 2008, the Matthews Commission of Enquiry into intelligence abuses called this situation unlawful and unconstitutional. Yet the Zuma presidency did nothing to address the problems, instead sneering at the report.

South Africa does not face any major external threat to national security. So the SSA cannot argue that its spying capabilities should be less well-regulated than those countries that do. In fact, a reasonable person should ask why the NCC even exists.

Internationally, the tide is also turning against governments compelling communication service providers to store metadata (or data about our communications) on an indiscriminate basis, as this is also a form of mass surveillance. Instead, the developing legal standard favours targeted preservation orders. Yet, Rica still requires communication companies to store metadata for between three to five years “just in case”. The SSA appears to be blissfully unaware of all these international developments.

Then there is hacking and other forms of tactical surveillance using mass surveillance tools such as IMSI catchers (known in South Africa as Grabbers). The Joint Standing Committee on Intelligence and the Rica judge have adopted a technologically neutral approach towards surveillance: that is, once a warrant has been granted to a spy agency to spy, they can use whatever tools they see fit.

This approach is misguided, as not all surveillance tools are born equal. Some are more invasive than others, and consequently should be subjected to a higher legal standard for approval. For instance, IMSI catchers should attract a warrant, which is the developing legal standard in the US.

According to Rica, intercept information – or information that is derived from communication intercepts – is admissible in court. Yet information derived from hacking exploits is polluted by the manner of interception, as hacking alters the device that is hacked. Therefore, hacked intercept information should not be admitted as evidence in court. Alternatively a forensic expert should be brought in to verify that the integrity of the hacked information has not been compromised.

The Rica judge should be able to draw on technical experts in deciding whether a particular surveillance tool is warranted, and what the privacy impacts are likely to be. As things stand, there are no such requirements in South Africa, which puts us far behind the curve.

Another state practice that potentially enables mass surveillance is SIM card registration. Rica makes registration mandatory, in spite of growing international evidence that this practice is a waste of time. It also violates the right of people to communicate anonymously. There is tenuous evidence of it making a substantial contribution to crime-fighting as criminals generally go around the system.

Even the police have had to admit that the SIM card registration database is so unreliable that they cannot rely on it in their work, which is hardly surprising given how the database is populated. Even a surveillance-obsessed country like Mexico abandoned SIM card registration, several years after thousands of Mexicans registered their SIM cards in the name of the president as an act of resistance.

As a likely victim of these sorts of spying practices, Ramaphosa should address all these problems. Surveillance technologies have run far ahead of the law, which is an international problem. But South Africa is particularly far behind because, for the past decade, the Zuma administration has stalled a policy and legislative review of the intelligence services. After all, under-regulation of the state’s most powerful spying capabilities was in Zuma’s interests.

In the next article, I will look at what Ramaphosa needs to do to fix the SSA’s counterintelligence function. DM

Jane Duncan is a professor in the Department of Journalism, Film and Television at the University of Johannesburg. Her new book is called Stopping the spies: constructing and resisting the surveillance state in South Africa (forthcoming from Wits University Press).

Photo: Former SA president Jacob Zuma confers with the former State Security Minister David Mahlobo at the ANC Policy Conference, 1 July 2017, Nasrec, Johannesburg.