SPIES IN DISGUISE ANALYSIS
Rica and Gilab – the two surveillance bills before Parliament that should give every freedom-loving South African pause for thought
If the two pieces of legislation currently before Parliament are passed into law as they now stand, the government will be able to monitor en masse the communications of every South African, behind a veil of secrecy in the name of ‘national security’.
By May 2024, two new laws could allow state intelligence forces to conduct unfettered mass surveillance of all South Africans’ private communications. If the two bills currently before Parliament are passed into law as they now stand, the government will be able to mass monitor the phone conversations, emails, private messenger services and web browsing logs of every South African behind a veil of secrecy in the name of “national security”.
What makes this scenario all the more disturbing is that a recent Constitutional Court ruling was widely celebrated by privacy activists as a major step forward in curtailing illegal government surveillance of citizens – a problem that has been plaguing the country’s intelligence services since apartheid, and which has continued well into the post-1994 dispensation.
In 2021, the Constitutional Court made a historic ruling and ordered some very specific changes to the country’s main interception law, the Regulation of Interception of Communications and Provision of Communication-related Information Act – aka Rica. Now, in what can at best be described as an exhibit of unprecedented mediocrity, the Department of Justice (DOJ) has submitted a Rica amendment bill to Parliament in an apparent attempt to meet the Constitutional Court’s demands.
These demands include amending Rica to:
- Safeguard the independence of the special designated judge issuing interception warrants (for instance, by having such a judge appointed by the judiciary instead of the minister);
- Compensate for the fact that one cannot defend oneself when state intelligence agencies apply for a surveillance warrant, since that warrant is sought in secret;
- Create special protections when the surveillance subject is a lawyer or a journalist (two professions where confidentiality is key to upholding democracy);
- Better regulate the storage and deletion of the intercepted communications and data; and
- Compel intelligence services to notify all surveillance targets – after the fact – that they were spied on (as long as that notification doesn’t jeopardise any ongoing investigation).
Tragically, the DOJ’s minimalistic stab at enforcing hard-won human rights has created an opening for South Africa’s secrecy-obsessed securocrats to quietly infiltrate the process and completely wipe out any gains made by privacy activists through the amaBhungane case.
General Intelligence Laws Amendment Bill (Gilab)
Enter the second bill that is now before Parliament, which, along with the Rica amendment bill, could become law before 1 May 2024 when Parliament dissolves: the General Intelligence Laws Amendment Bill of 2023, aka Gilab.
Gilab should primarily have addressed corruption, factionalism and a general disregard for the law within the State Security Agency (SSA), the country’s lead intelligence organisation. These issues became evident following the findings of the Judicial Commission into State Capture and a 2018 High Level Presidential Review Panel investigation of the SSA.
However, it seems the spooks saw this as an opportunity to take advantage of the Rica Constitutional Court judgment to conjure their own minimalistic surveillance laws through Gilab.
This was possible since, apart from the changes ordered to Rica, the Constitutional Court made another historic decision: to declare the State Security Agency’s mass surveillance facility, the National Communications Centre (NCC), unlawful. No single law mentions the NCC or mass surveillance. The result was that the Constitutional Court ordered the NCC shut down.
The Rica amendment bill gave the DOJ a golden opportunity to finally define mass surveillance and stipulate regulations suited to governing it. Bizarrely, the department left it to the spies – with their chequered record of cadre deployment, State Capture, theft of secret intelligence funding and illegal interception – to keep watch over themselves. And so, the securocrats concocted, within Gilab, a cluster of vague clauses paving the way for potentially unfettered surveillance without independent oversight – something that the Rica amendment bill, as you will recall, is expressly trying to remedy.
Such neglect from the DOJ is even more exasperating when one takes into account what mass surveillance actually means for South Africans’ rights to communicate privately. It’s time to get slightly technical, but please bear with me.
Lawful interception versus bulk surveillance
Rica regulates an explicit, globally recognised, standardised category of communications surveillance known as lawful interception – LI for short. South Africa subscribes to the LI standards set by the European Telecommunications Standards Institute (ETSI). SA’s primary LI facility, the Office for Interception Centres (OIC), is explicitly named and defined in Rica, and the OIC is also a member of the ETSI. Rica clearly sets out the legal obligations of service providers (for instance MTN and Vodacom), law enforcement (the South African Police Service’s Crime Intelligence division and the Financial Intelligence Centre) and state intelligence agencies (the SSA and Defence Intelligence) with regard to LI.
However, the bulk communications surveillance conducted by the NCC differs significantly from the standardised LI conducted by the OIC.
First off, LI is targeted, meaning that it is typically used to monitor or gather information about a specific person who is already a suspect in a criminal case. Bulk surveillance, however, is used by intelligence agencies to detect suspicious communication patterns, keywords and key phrases as part of an intelligence operation.
Bulk surveillance thus allows the SSA to detect potential suspects (who may otherwise not have been identified) to be targeted for interception. The purpose of such bulk surveillance is the prevention of terror attacks or criminal activities, rather than the investigation of a specific crime that has already occurred or is in the process of occurring (as is the case with LI).
Thus far, the NCC has been able to scan vast volumes of private communications without obtaining warrants. The management and oversight of interception processes within the NCC have always been kept secret. The public has never been told what factors constitute grounds for mass interception or what the legal authorisation requirements for mass interception are. There’s also the issue of refining data until a specific person or group of people can be identified to conduct targeted interception. It’s unclear what checks and balances are in place to prevent the misuse of such targeted interception capabilities at the NCC.
This lack of transparency is likely to have contributed to the misuse of the NCC’s facilities when the voice communications of at least 13 people within the borders of South Africa were intercepted back in the early 2000s in what came to be known as the “hoax email saga”. Those targeted for surveillance included members of the ruling and opposition parties, business persons and public officials. This targeted interception was carried out despite the NCC’s official mandate to intercept only communications that occur outside the country’s borders.
With Gilab 2023 and the Rica amendment bill, we’re still in the dark as to how internal regulation at the NCC will play out.
To make things worse, the processes involved in bulk surveillance are complex and certainly need regulating. Bulk surveillance differs from LI in terms of stages of execution. For instance, in the United Kingdom, bulk interception (as legally authorised in terms of the UK Regulation of Investigatory Powers Act) has three stages: first, communications and call record data are intercepted (collected); second, this information is filtered; third, the information identified through the filtering is investigated further. Analysis through artificial intelligence (AI) is usually needed, given the massive amounts of data.
These processes give rise to several issues in terms of personal privacy: How is information filtered? What keywords are utilised to search such collected data and how are they authorised? Is it really necessary to collect all that data? And what about AI – can we trust it? Gilab and the Rica amendment bill’s current state means we may never be able to answer these questions, let alone ask them.
But there’s a third major difference between bulk surveillance and LI that makes the NCC’s omission from Rica even more alarming: targeted LI, as regulated by ETSI, simply cannot happen without the knowledge and cooperation of the service provider. It’s technically not possible. This is an additional safeguard for privacy protections, since service providers are loath to provide customer information – let alone access to actual voice conversations – without a court order.
But bulk surveillance can take place without technical assistance – and therefore without the knowledge – of the service provider. In other words, it gives the state secret, direct access to private communications; judges, mobile operators and internet service providers have no way of knowing that bulk interception is occurring, because of certain technical aspects (the details of which I won’t subject you to at this point). Thus, both the legal and technical protections of LI fall away with bulk surveillance.
The Russian system – Sorm
Naturally, such direct access surveillance practices are more vulnerable to abuse than targeted lawful interception. This increased risk was acknowledged by the European Court of Human Rights in its comments on the Russian state interception system, Sorm (Systema Operativno-Razisknikh Meropriatiy – the System of Operative-Search Measures on Communications). Sorm is operated by Russia’s Federal Security Service. (In Russian, that’s the Federalnaya Sluzhba Bezopasnosti, or FSB. Its Cold War predecessor was the Komitet Gosudarstvennoy Bezopasnosti, or KGB).
“…the Court considers that a system, such as the Russian one, which enables the secret services and the police to intercept directly the communications of each and every citizen without requiring them to show an interception authorisation to the communications service provider, or to anyone else, is particularly prone to abuse. The need for safeguards against arbitrariness and abuse appears therefore to be particularly great.”
Needless to say, the safeguards in the legislative husk that is Gilab didn’t turn out to be particularly great. In essence, it establishes the NCC in law, and then leaves a gap for the President to say what goes. To oversee the NCC’s work, a judge responsible for issuing interception warrants will be appointed by the President. Notably, this judge will be appointed in addition to and separately from the judge appointed to issue warrants in terms of Rica. Thus, a separate, parallel process to seek interception warrants will be available exclusively to the SSA.
To aid the NCC judge, two “bulk interception experts” will be appointed by the minister in charge of intelligence. (Just what makes you an expert in bulk interception is as yet unclear. The bill simply doesn’t say.) In essence then, the President and the minister will control who oversees interception via the NCC, thus obliterating any chance of judicial independence (which, if you’ll recall, was another problem that the Rica amendment bill was supposed to fix).
As for the rest of the provisions in the Rica amendment bill? Gilab simply doesn’t bother.
Adding insult to all of these injuries is the fact that Gilab was drawn up by the Minister in the Presidency, where the SSA was relocated subsequent to its descent into mayhem during the State Capture years. The idea was originally that President Cyril Ramaphosa would be able to keep the SSA in check while it was going through a clean-up. Instead, the spooks are churning out laws to avoid accountability right under his nose.
As long as South African laws fail to comprehensively and specifically regulate mass surveillance, the public will remain at risk of having their communications secretly and illegally intercepted. It has happened in the past. It can happen again. Thanks to the DOJ, the spooks and an apparently oblivious president, this status quo is likely to remain. DM
Heidi Swart is a senior investigative journalist specialising in intelligence and security and the research and journalism coordinator for Intelwatch, a non-profit organisation based in South Africa and dedicated to strengthening public oversight of state and private intelligence actors in Africa and around the world.