Your cellphone records and the law: The legal loophole that lets state spying run rampant
There are laws in place preventing intelligence services from intercepting communications unless a specially designated judge scrutinises each case. But, on estimate, 95% of court orders related to telecoms interception are never even seen by this judge, thanks to a “legal loophole” that may prove extremely hard to close.
Telecoms surveillance in South Africa is governed by Rica – the Regulation of Interception of Communications and Provision of Communication-Related Information Act. The law clearly distinguishes between two categories of information that can be intercepted. The first is communications content – whatever is said in a phone conversation, and written in texts, emails or private social media messages.
Intelligence services can only get hold of communications content if they apply for court order to a specially designated judge assigned in terms of Rica. The judge not only personally reviews each application, but must also issue an annual report of his or her activities to the Joint Standing Committee on Intelligence, or JSCI. The committee is responsible for the parliamentary oversight of intelligence services in South Africa. Should a citizen suspect that the state illegally intercepted their communications, they may approach the Inspector General of Intelligence (IGI) to investigate the matter. The IGI carries out civilian oversight of South Africa’s intelligence services.
Then there’s a second aspect to interception, namely communications-related information, also known as metadata or call data. This is the information about phone calls, messages, and emails. It includes the time at which phone calls were made or mobile devices were connected to a network, when these connections ended, how long they lasted, the numbers involved, the cell towers to which the phones or devices connected, IP addresses, when messages were sent and who received them, and so on.
And it’s extremely invasive. It can be used to track people in space and time, and map their daily routines and relationships. It may not contain the “what”, “why” and “how” of what you are doing and saying, but it clearly reveals the “when”, “where” and “who”.
The seizure of customer call data by far comprises the biggest part of telecommunications surveillance in South Africa. Extrapolations from statistics provided by major cellphone providers indicate that intelligence services pull the metadata of between 70,000 and 195,000 phone numbers annually.
But Rica has very little to do with how intelligence agencies obtain call data.
That’s because Rica in effect “outsources” call record interception to an entirely different Act. Section 15 of Rica allows authorities to utilise section 205 of the Criminal Procedures Act (CPA) to obtain metadata from service providers. For intelligence services to get hold of such data, they have to get a section 205 court order issued by a magistrate or high court judge. (The Rica judge cannot issue these orders.)
Originally, section 205 had nothing to do with call data. It actually regulates how a witness is called to provide evidence in court. A section 205 court order compels a person to testify in a criminal case. However, if that person can provide the public prosecutor with the necessary information, they don’t have to take the stand. In the same way, call data is viewed as evidence, and the cell phone company is ordered to provide those records, and to testify about those records in court if necessary. Thus, the witness is the service provider employee who takes the stand.
In essence, the largest part of communications surveillance in South Africa is legislated by the Criminal Procedures Act via the ordinary courts, despite all the special provisions introduced by Rica. For an indication of the relatively small portion of interception-related court orders that are actually issued by the Rica judge, it’s useful to look at the statistics from the country’s largest service provider, Vodacom. For the 2016/2017 financial year, the company was served with 1,075 interception directions (court orders) issued in terms of Rica by the Rica judge. For the same period, they received 19,850 Section 205 court orders from ordinary magistrates and judges. So, the Rica judge oversaw only 5.4% of all interception cases related to Vodacom customers.
The Rica judge also does not have the capacity to process tens of thousands of applications for call data. As it stands, the judge’s resources are already thinly spread. The latest available statistics (for the 2014/2015 financial year), shows the judge had to deal with a combined total of 760 Rica requests from the various intelligence agencies. Two per day if she worked weekends and holidays.
This situation is problematic for several reasons, as the spokesperson for privacy advocacy group Right2Know (R2K), Murray Hunter, explains. He says that Section 205 is essentially a loophole that’s allowed law enforcement to bypass all of the privacy protections that Rica puts in place.
“Despite the criticisms we have of Rica,” says Hunter, “at the very least the law makes it clear that the state can only spy on your communications when you are suspected of a serious criminal offence, and only then with the permission of a special judge who must report (to Parliament) on their decisions. For whatever reason, Section 205 allows the state to spy on your communications for any offence, and with the permission of any judge or magistrate, who don’t need to report (to Parliament) on their decisions.”
Hunter has cause for concern. Earlier Daily Maverick investigations have shown that intelligence services can easily abuse their power to illegally obtain call data through the Section 205 court process. This includes obtaining call data of people not involved in a case, either to sell the data to third parties, or to do surveillance for personal reasons.
Arguably, scrutinising someone’s call records is less invasive than looking at what is actually being said or written, and hence does not require special legislation. But Hunter disagrees. “When lawmakers passed Rica, they assumed that the information about your communication was less sensitive than the contents of the communication. That assumption is out-of-date and just wrong, and has put whistle-blowers, journalists and others at risk, and left all of us vulnerable to spying.”
Indeed, advances in technology has made the use of call data all the more invasive. Specialised software allows SA’s intelligence operatives to analyse thousands of call records to form an intimate picture of an individual’s life, relationships, and movements.
Hunter says the laws governing call data interception need to be reformed, and that the orgnisations is considering its legal options.
But Section 205 of the CPA is a robust piece of legislation that’s been around a lot longer than Rica, and has withstood serious scrutiny in court.
In 1996, the constitutional court ruled that Section 205 did not infringe upon several constitutional rights, including the witness’ right to privacy. (The applicant was arguing that his right to privacy was being violated because he was forced to testify.)
But the Concourt said that the CPA does allow a witness who has a ‘just cause’ to refrain from testifying. In addition, should a judge rule that your reason for refraining isn’t good enough, you cannot summarily be thrown in jail. The penalty for refusing or failing to testify can range from two to five years imprisonment. But the judge may only sentence a recalcitrant witness to jail time if he or she believes that the evidence that witness can provide is truly needed to uphold law and order.
In the end, the Concourt ruled that the “Section 205 provisions are as narrowly tailored as possible to meet the legitimate state interest of investigating and prosecuting crime”.
However, that case did not involve call data. And, when a service provider employee takes the stand to talk about a customer’s call records, it clearly is not the witness’ privacy that’s at stake.
In a 2010 case heard in the KZN High Court, one Thoshan Panday took the police and the Justice Department to court after they’d used Section 205 to seize his documents and bank statements.
His lawyer argued that the process was unconstitutional: for one, the police did not keep a record of the events giving rise to the section 205 orders, nor did they keep the applications for those orders. Since Panday was left unable to scrutinise the applications and court orders himself, his constitutional right to access of information was violated.
Although Panday’s case didn’t involve call data evidence, the principle he was arguing nonetheless also applies to such data; if there is no record of the applications and their accompanying section 205 court orders, it makes it difficult for the Inspector General of Intelligence to investigate if the order was justified.
But, in the Panday case, the judge ruled that the courts were under no obligation to keep such records. Ultimately, the judge confirmed that the scrutiny of the application by the public prosecutor and the presiding judge or magistrate was adequate to ensure that there was no abuse of power.
Of course, there is clear evidence that this is not always the case.
Hunter says that R2K now is taking a long hard look at Section 205, and that it’s not necessarily bulletproof, even if the courts have upheld aspects of it in various criminal matters.
He adds that there needs to be full and equal protection of people’s private information, irrespective of whether it’s communications content or metadata.
“What this means is the law needs to set a new, universal standard to protect people from surveillance in South Africa. The Section 205 procedure needs to be thrown into the bin. Any interception of communications has to go through a specially appointed judge, who is expertly attuned to issues of privacy and digital rights, who is transparent and publicly accountable. No more back doors, no more loopholes.” DM
Heidi Swart is a journalist who has extensively investigated South Africa’s intelligence services
This story was commissioned by the Media Policy and Democracy Project, an initiative of the University of Johannesburg’s department of journalism, film and TV and Unisa’s department of communication science