Shower head video cameras: How Rica fails to regulate state surveillance of citizens
Rica legislation was designed to compel mobile operators to help police fight crime, clearly spelling out the obligations of both sides to keep communications interception above board. Yet the state has never needed a special law nor mobile operators’ assistance to intercept; there always were powerful alternatives. Legislators always knew this, but somehow several surreptitious interception technologies fell through the regulatory cracks. Now the 20-year-old act is getting a much-needed update. But will it catch up to the surveillance technology that’s always been ahead of it?
In 2021, the Constitutional Court ordered major changes to Rica (the Regulation of Interception of Communications and Provision of Communication-related Information Act of 2002). These include better privacy protections for journalists and lawyers, compelling the state to inform you, after the fact, if you have been surveilled. This comes after a lengthy court battle and years of media reports about illegal state surveillance.
Read more in Daily Maverick: “The awful state of SA’s lawful telecoms interception, Part One”
At first glance, one might assume Rica’s faults result from its origin in the palaeolithic era of telecoms; 20 years after it was penned, we’ve moved on from SMSes and 2G calls to smartphones doubling as personal computers. But the truth is that the technologies to circumvent Rica and intercept without the operator’s knowledge were available long before the act’s inception. These include computer hacking, satellite signals interception and equipment that can connect directly to mobile devices to siphon off communications. And although Rica makes it clear that any form of state interception is illegal without a court order, it doesn’t provide much detail about how state use of these highly secretive, cloak-and-dagger technologies is to be overseen.
This state of affairs is no accident.
After apartheid, South Africa’s new ANC-led government was keen to establish the state’s capability to monitor the communication networks of private mobile and internet service providers. The keyword here: private. Rica’s predecessor, the Interception and Monitoring Prohibition Act of 1992, didn’t take into account the likes of Vodacom or MTN. During apartheid, the state-owned post office (later to spawn a privatised Telkom) controlled all landlines, then most South Africans’ only telecommunications option. If the apartheid state wanted to monitor phone calls, it only needed to place the right equipment on its own telephone network. Modernity destroyed this convenience.
Rica addressed this dilemma by prescribing the terms of lawful interception, a legally regulated partnership between state law enforcement and the mobile operator. This arrangement was common in democracies at the time, and still is.
Checks and balances
Lawful interception is a very specific method of communications surveillance. It requires a so-called handover interface. This is a piece of equipment that’s locked away in a highly secure enclosure on the premises of a mobile operator. Usually, only a handful (fewer than five) of government-vetted staff members have physical access.
This interface can create a digital copy of a suspect’s cellular communications and send it to a special law enforcement surveillance facility: the Office for Interception Centres (OIC) in Sandton, Johannesburg. The OIC is specifically named in Rica, and the act clearly prescribes the processes of lawful interception tied to it. Only in life-and-death emergencies and cases of serious criminal offences (such as high treason, murder and drug smuggling) can intelligence services and police intercept. They will need an interception direction (a special court order) from a special Rica judge which they must then serve on a mobile operator, thus legally obliging cooperation. The Rica judge must be satisfied that the interception is being used as a last resort, when other methods of intelligence gathering are unfeasible or too dangerous.
The mobile operator, to an extent, figures into the checks and balances to prohibit misuse of interception by state officials. For instance, in life-and-death emergencies, police may orally request a mobile operator to track a phone even if there is no interception direction from the Rica judge. Afterwards, both law enforcement and the operator have to provide separate documentation relating to the case to the judge to ensure Rica compliance. The new version of Rica will require the state to inform a surveillance subject that their communications were intercepted, as long as that doesn’t jeopardise the case. With the lawful interception process, the operator will also have a record of the interception request, and it may even be possible to rope in the assistance of operators in notifying people that the state was intercepting their data.
But the operator isn’t always a part of the interception process. It’s possible to tap into the communications network covertly, without their knowledge. Yet Rica is vague about state use of these secretive technologies.
To pinpoint defects
A few government entities were responsible for the half-baked version of Rica that was so heavily criticised by then Chief Justice Mogoeng Mogoeng in his Constitutional Court judgment on the act. In the late 1990s, the Department of Justice and Constitutional Development was primarily responsible for drafting the new legislation. But other players, including the securocrats, got a chance to weigh in first.
To draft the new law, the Justice Department received guidance from the South African Law Reform Commission (SALRC). Established by the South African Law Reform Commission Act 19 of 1973, the SALRC is part of the department and its sole purpose is to research and pinpoint defects in existing laws – and make recommendations to fix them. It did just that with the Interception and Monitoring Prohibition Act of 1992.
The SALRC looked at interception legislation in several other democracies, and consulted broadly and at length with many South African government departments, academia, the banking sector, the legal fraternity, mobile operators like Vodacom and MTN, landline provider Telkom, internet service provider Mweb Connect and satellite comms company Globalstar Southern Africa. It also spoke to various police departments, the Intelligence Ministry and the National Intelligence Agency (today the domestic branch of the State Security Agency). Late in 1999, a year after its investigation was initiated, the SALRC published its final report, which mentions a number of technologies nation states use to intercept without the service provider’s knowledge.
One such technology that didn’t make it into Rica is mass interception. The government’s National Communications Centre (NCC) is a cluster of satellite dishes outside Pretoria run by the State Security Agency (SSA). The NCC performs what is known as bulk communications monitoring – essentially “listening” to masses of satellite communications traversing the country’s borders to identify suspicious conversations. It’s meant to aid the police, intelligence services and the Financial Intelligence Centre.
The mobile provider isn’t involved with the NCC; whereas lawful interception described in Rica is part of a criminal investigation, where evidence must be collected before a Rica judge approves interception of a specific suspect’s communications, mass interception works the other way around: you can find new suspects and then target them – all without a warrant or the service provider’s knowledge. In fact, vendors of interception equipment clearly distinguish between the two very different products – lawful interception and bulk monitoring – on this basis.
Along with the other changes ordered to Rica, the ConCourt ruled that the NCC’s activities are illegal, since the act doesn’t explicitly provide for it. The SSA said the NCC subsequently closed down. (When we asked the SSA if the facility was indeed closed, spokesperson Mava Scott confirmed this, saying that the parliamentary watchdog, the Joint Standing Committee on Intelligence, “has on more than one occasion visited the NCC as part of its oversight functions, among others to get an assurance that the Constitutional Court judgment is being implemented”.
The committee did not respond to a request for comment.
The order to close down the NCC wasn’t entirely out of the blue. A 2008 ministerial review of state intelligence services found that the facility “fails to comply” with Rica. Then minister of intelligence and the man who called for the review, Ronnie Kasrils, tried to introduce legislation reining in the NCC, but retired before changes materialised. Then, with Jacob Zuma becoming president in May 2009, both the 2008 review findings and the regulation of the NCC dropped off the radar. See also the Joint Standing Committee’s 2008 annual report here.
Yet the concept of mass interception – monitoring all communications entering or exiting a country – far predates the Nineties. In 1954, the US Central Intelligence Agency dug an underground highway from the small West Berlin village of Rudow across the border to the Soviet zone. The aim: to reach and secretly tap into a terminus of telephone cables that could simultaneously carry 432 calls from East German officials. American war reporter Andrew Tully recounted this in CIA: The Inside Story, his bestselling book about the infamous intelligence gatherers’ bizarre endeavours, first published in 1961.
The Law Reform Commission’s report also shows that legislators were clearly aware of mass interception efforts like the US’s Echelon. None of this was top secret. Echelon was first reported on in detail by investigative reporter Nicky Hager in his 1996 book Secret Power. The book shocked the European Union into action; the European Parliament started a major investigation into Echelon, with their report in January 1998 describing the system as a global satellite interception network “indiscriminately intercepting very large quantities of communications and then siphoning out what is valuable using artificial intelligence aids like Memex”. These communications included “most of the world’s satellite phone calls, internet, email, faxes and telexes”. Benefiting from the results was the so-called Five Eyes intelligence alliance – the US, Britain, Canada, New Zealand and Australia.
Closer to home, the 1996 Pikoli commission made recommendations for what intelligence services should be doing in the new democratic South Africa. One of those recommendations was to establish the NCC. It is not clear whether the commission’s suggestion was inspired by Hager’s revelations of Echelon, but in 2000 Cabinet approved the NCC’s mandate, and by 2002 it was up and running. Still, the SALRC made no clear recommendations about the lawful use of mass interception.
A shower head
By October 1999, the month that the SALRC released its final recommendations for Rica, a second report from the European Parliament was clear: interception technology was rapidly advancing to include all new electronic communication methods. It spelt out details of satellite signal interception, submarine cable interception, space interception of inter-city networks, internet interception…” The list goes on. By comparison, the list of equipment the SALRC saw as worrisome was reminiscent of a James Bond film: miniature tape recorders concealed inside cigarette packets; sub-miniature transmitters smaller than sugar cubes; a video camera in the form of a shower head.
But, over the years, South Africa’s intelligence services have used interception technologies far surpassing modified everyday objects.
Take, for example, the grabber, which allows the state to intercept without a service provider’s assistance or knowledge. It’s a portable device (picture a Pelican case with an oversized 1990s laptop) and can be housed in a van or the back of a bakkie. It acts like a cellphone tower, and “fools” a cellphone into connecting to it. One basic function of a grabber is to identify phones within a certain area – like those of protesters marching through a city centre. More sophisticated grabbers can track a phone’s location, and intercept calls, texts, chats, emails and internet activity.
Although the use of grabbers, just like the NCC, can be strictly monitored within the law enforcement environment, oversight ultimately depends only on honest state actors.
Grabbers have been around for almost three decades. Documents released by the US Federal Bureau of Investigation show that the bureau was already using grabbers in 1995 – perhaps earlier. Rohde & Schwarz unveiled their first grabber in 1996.
However, the SALRC didn’t make specific recommendations for state use of devices such as grabbers. It was, however, concerned with the private security sector performing illegal interceptions, and looked into regulating the “manufacture, distribution, possession and advertising of wire or oral communication intercepting devices”.
But ultimately, the SALRC took its cue from the Intelligence Ministry, which advised that separate legislation should deal with such equipment, arguing that “the matter has policy implications, which require further discussion with the Security Ministers and the Joint Standing Committee on Intelligence”.
Once again, this separate legislation never saw the light of day.
‘Moonlighting without permission’
Back in 2015, the JSCI considered tightening up Rica’s regulations to address the grabber issue. This happened only after police crime intelligence officer Paul Scheepers had been suspended for allegedly “moonlighting without permission” (as the JSCI effectively put it) with a state-owned grabber. As with the 2008 attempt to legislate the NCC, nothing came of it. Scheepers is yet to be prosecuted.
The JSCI did not respond when we reached out for comment. The SSA’s Scott said, however, that the “matter is currently receiving attention at the level of the JSCI and with the joint participation of all the law enforcement agencies and intelligence structures”.
Up next: Spyware – software designed to surreptitiously infiltrate your computer or smartphone. It gives the spies access to your information, communications and much more. In 2021, it emerged that Pegasus, spyware from Israel’s NSO Group, may have been used to target President Cyril Ramaphosa’s phone. The European Parliament launched an inquiry into the software’s use in the EU earlier in 2022, and in June, NSO Group told an EU parliamentary committee that at least five EU nations had used Pegasus. The spyware is supposedly only sold to government agencies.
Closer to home, in 2016, Canadian research entity Citizen Lab discovered a master server of the powerful spyware product, FinFisher, in South Africa. We also know, thanks to Wikileaks that the South African government has bought FinFisher licences in the past.
Cyberspying is old. In the 1980s, Russia’s KGB roped in Markus Hess, a German hacker, to break into computers at US universities and military facilities. The first smartphone virus surfaced in 2004, well predating Rica’s promulgation in 2009.
During the consultative processes, the South African Banking Council told the SALRC that hacking should be included in interception legislation, advising that the hacking of computer networks often “involves illegal interception of legal transmissions over telecommunications networks, and in almost all cases telecommunication networks are used to perpetrate the crime”. However, after considering input from private IT consultants, the SALRC recommended that the issue be dealt with in separate legislation dealing with the internet and computer-related crimes. That legislation would take another two decades to fully materialise, in the form of the Cybercrimes Act of 2020.
Despite the SALRC’s recommendations, in 2005, spyware and the grabber did make it into Rica. Sort of. Then justice and constitutional development minister Brigitte Mabandla gazetted a schedule of “listed equipment” in terms of Rica. Although neither spyware nor the grabber is explicitly named, the schedule contains broad descriptions of interception technologies that could include them.
Yet the schedule didn’t prescribe what legal state use should look like; it only makes it illegal for anyone to manufacture, assemble, possess, sell, purchase or advertise listed equipment without a certificate of exemption gazetted by the justice minister (after approval by the National Assembly). Yet, to this day, no such exemption certificates have been issued.
The SALRC’s recommendations, however, were just that. Its final 350-page report contained mountains of information to guide the Justice Department. When we asked the department about the shortcomings of the SALRC’s recommendations, it pointed out – correctly – that the commission had got a lot right: For one, its recommendations emphasised that the state should never be allowed to intercept without a warrant, and that no agencies other than state intelligence and law enforcement should ever be allowed to do so. (It was suggested during consultation processes that the President’s office, as well as private investigators, should have interception powers. The commission shot that down.) Notably, the SALRC also recommended that the act make special provisions to protect attorney-client privilege. That idea never made it into Rica, and it was one of the changes ordered by the ConCourt in 2021.
Now, the Justice Department is once again rewriting the country’s interception legislation to bring it on par with powerful modern surveillance technologies. Although the SALRC will not be assisting it this time, the department has two other major advantages that weren’t available 20 years ago: the benefit of hindsight, and Google. Let’s hope it has used them. DM
*We sent detailed questions to the Department of Justice and Constitutional Development. Spokesperson Steve Mahlangu said the department was in the process of finalising the bill to update Rica and did not want to comment at this stage.
Heidi Swart is a journalist who reports on surveillance, security and data privacy. This report was commissioned by the Media Policy and Democracy Project, an initiative of the University of Johannesburg’s Department of Journalism, Film and TV and Unisa’s Department of Communication Science.
Daily Maverick © All rights reserved