SPIES IN DISGUISE ANALYSIS

Rica and Gilab – the two surveillance bills before Parliament that should give every freedom-loving South African pause for thought


If the two pieces of legislation currently before Parliament are passed into law as they now stand, the government will be able to monitor en masse the communications of every South African, behind a veil of secrecy in the name of ‘national security’.

By May 2024, two new laws could allow state intelligence forces to conduct unfettered mass surveillance of all South Africans’ private communications. If the two bills currently before Parliament are passed into law as they now stand, the government will be able to mass monitor the phone conversations, emails, private messenger services and web browsing logs of every South African behind a veil of secrecy in the name of “national security”.

What makes this scenario all the more disturbing is that a recent Constitutional Court ruling was widely celebrated by privacy activists as a major step forward in curtailing illegal government surveillance of citizens – a problem that has been plaguing the country’s intelligence services since apartheid, and which has continued well into the post-1994 dispensation.

In 2021, the Constitutional Court made a historic ruling and ordered some very specific changes to the country’s main interception law, the Regulation of Interception of Communications and Provision of Communication-related Information Act – aka Rica. Now, in what can at best be described as an exhibit of unprecedented mediocrity, the Department of Justice (DOJ) has submitted a Rica amendment bill to Parliament in an apparent attempt to meet the Constitutional Court’s demands.

These demands include amending Rica to:

  • Safeguard the independence of the special designated judge issuing interception warrants (for instance, by having such a judge appointed by the judiciary instead of the minister);
  • Compensate for the fact that one cannot defend oneself when state intelligence agencies apply for a surveillance warrant, since that warrant is sought in secret;
  • Create special protections when the surveillance subject is a lawyer or a journalist (two professions where confidentiality is key to upholding democracy);
  • Better regulate the storage and deletion of the intercepted communications and data; and
  • Compel intelligence services to notify all surveillance targets – after the fact – that they were spied on (as long as that notification doesn’t jeopardise any ongoing investigation).

For a detailed analysis of the bill’s shortcomings, you can read my colleague Murray Hunter’s analysis. The public has until 6 October to submit their comments on the bill to Parliament.

Tragically, the DOJ’s minimalistic stab at enforcing hard-won human rights has created an opening for South Africa’s secrecy-obsessed securocrats to quietly infiltrate the process and completely wipe out any gains made by privacy activists through the amaBhungane case.

General Intelligence Laws Amendment Bill (Gilab)

Enter the second bill that is now before Parliament, which, along with the Rica amendment bill, could become law before 1 May 2024 when Parliament dissolves: the General Intelligence Laws Amendment Bill of 2023, aka Gilab.

Gilab should primarily have addressed corruption, factionalism and a general disregard for the law within the State Security Agency (SSA), the country’s lead intelligence organisation. These issues became evident following the findings of the Judicial Commission into State Capture and a 2018 High Level Presidential Review Panel investigation of the SSA.

However, it seems the spooks saw this as an opportunity to take advantage of the Rica Constitutional Court judgment to conjure their own minimalistic surveillance laws through Gilab.

This was possible since, apart from the changes ordered to Rica, the Constitutional Court made another historic decision: to declare the State Security Agency’s mass surveillance facility, the National Communications Centre (NCC), unlawful. No single law mentions the NCC or mass surveillance. The result was that the Constitutional Court ordered the NCC shut down.

The Rica amendment bill gave the DOJ a golden opportunity to finally define mass surveillance and stipulate regulations suited to governing it. Bizarrely, the department left it to the spies – with their chequered record of cadre deployment, State Capture, theft of secret intelligence funding and illegal interception – to keep watch over themselves. And so, the securocrats concocted, within Gilab, a cluster of vague clauses paving the way for potentially unfettered surveillance without independent oversight – something that the Rica Amendment bill, as you will recall, is expressly trying to remedy.

Such neglect from the DOJ is even more exasperating when one takes into account what mass surveillance actually means for South Africans’ rights to communicate privately. It’s time to get slightly technical, but please bear with me.

Lawful interception versus bulk surveillance

Rica regulates an explicit, globally recognised, standardised category of communications surveillance known as lawful interception – LI for short. South Africa subscribes to the LI standards set by the European Telecommunications Standards Institute (ETSI). SA’s primary LI facility, the Office for Interception Centres (OIC), is explicitly named and defined in Rica, and the OIC is also a member of the ETSI. Rica clearly sets out the legal obligations of service providers (for instance MTN and Vodacom), law enforcement (the South African Police Service’s Crime Intelligence division and the Financial Intelligence Centre) and state intelligence agencies (the SSA and Defence Intelligence) with regard to LI.

However, the bulk communications surveillance conducted by the NCC differs significantly from the standardised LI conducted by the OIC.

First off, LI is targeted, meaning that it is typically used to monitor or gather information about a specific person who is already a suspect in a criminal case. Bulk surveillance, however, is used by intelligence agencies to detect suspicious communication patterns, keywords and key phrases as part of an intelligence operation.

Bulk surveillance thus allows the SSA to detect potential suspects (who may otherwise not have been identified) to be targeted for interception. The purpose of such bulk surveillance is the prevention of terror attacks or criminal activities, rather than the investigation of a specific crime that has already occurred or is in the process of occurring (as is the case with LI).

Thus far, the NCC has been able to scan vast volumes of private communications without obtaining warrants. The management and oversight of interception processes within the NCC have always been kept secret. The public has never been told what factors constitute grounds for mass interception or what the legal authorisation requirements for mass interception are. There’s also the issue of refining data until a specific person or group of people can be identified to conduct targeted interception. It’s unclear what checks and balances are in place to prevent the misuse of such targeted interception capabilities at the NCC.

This lack of transparency is likely to have contributed to the misuse of the NCC’s facilities when the voice communications of at least 13 people within the borders of South Africa were intercepted back in the early 2000s in what came to be known as the “hoax email saga”. Those targeted for surveillance included members of the ruling and opposition parties, business persons and public officials. This targeted interception was carried out despite the NCC’s official mandate to intercept only communications that occur outside the country’s borders.

With Gilab 2023 and the Rica amendment bill, we’re still in the dark as to how internal regulation at the NCC will play out.

To make things worse, the processes involved in bulk surveillance are complex and certainly need regulating. Bulk surveillance differs from LI in terms of stages of execution. For instance, in the United Kingdom, bulk interception (as legally authorised in terms of the UK Regulation of Investigatory Powers Act) has three stages: first, communications and call record data are intercepted (collected); second, this information is filtered; third, the information identified through the filtering is investigated further. Analysis through artificial intelligence (AI) is usually needed, given the massive amounts of data.

These processes give rise to several issues in terms of personal privacy: How is information filtered? What keywords are utilised to search such collected data and how are they authorised? Is it really necessary to collect all that data? And what about AI – can we trust it? Gilab and the Rica amendment bill’s current state means we may never be able to answer these questions, let alone ask them.

But there’s a third major difference between bulk surveillance and LI that makes the NCC’s omission from Rica even more alarming: targeted LI, as regulated by ETSI, simply cannot happen without the knowledge and cooperation of the service provider. It’s technically not possible. This is an additional safeguard for privacy protections, since service providers are loath to provide customer information – let alone access to actual voice conversations – without a court order.

But bulk surveillance can take place without technical assistance – and therefore without the knowledge – of the service provider. In other words, it gives the state secret, direct access to private communications; judges, mobile operators and internet service providers have no way of knowing that bulk interception is occurring, because of certain technical aspects (the details of which I won’t subject you to at this point). Thus, both the legal and technical protections of LI fall away with bulk surveillance.

The Russian system – Sorm

Naturally, such direct access surveillance practices are more vulnerable to abuse than targeted lawful interception. This increased risk was acknowledged by the European Court of Human Rights in its comments on the Russian state interception system, Sorm (Systema Operativno-Razisknikh Meropriatiy – the System of Operative-Search Measures on Communications). Sorm is operated by Russia’s Federal Security Service. (In Russian, that’s the Federalnaya Sluzhba Bezopasnosti, or FSB. Its Cold War predecessor was the Komitet Gosudarstvennoy Bezopasnosti, or KGB).

The court stated: 

“…the Court considers that a system, such as the Russian one, which enables the secret services and the police to intercept directly the communications of each and every citizen without requiring them to show an interception authorisation to the communications service provider, or to anyone else, is particularly prone to abuse. The need for safeguards against arbitrariness and abuse appears therefore to be particularly great.”

Needless to say, the safeguards in the legislative husk that is Gilab didn’t turn out to be particularly great. In essence, it establishes the NCC in law, and then leaves a gap for the President to say what goes. To oversee the NCC’s work, a judge responsible for issuing interception warrants will be appointed by the President. Notably, this judge will be appointed in addition to and separately from the judge appointed to issue warrants in terms of Rica. Thus, a separate, parallel process to seek interception warrants will be available exclusively to the SSA.

To aid the NCC judge, two “bulk interception experts” will be appointed by the minister in charge of intelligence. (Just what makes you an expert in bulk interception is as yet unclear. The bill simply doesn’t say.) In essence then, the President and the minister will control who oversees interception via the NCC, thus obliterating any chance of judicial independence (which, if you’ll recall, was another problem that the Rica amendment bill was supposed to fix).

As for the rest of the provisions in the Rica amendment bill? Gilab simply doesn’t bother.

Adding insult to all of these injuries is the fact that Gilab was drawn up by the Minister in the Presidency, where the SSA was relocated subsequent to its descent into mayhem during the State Capture years. The idea was originally that President Cyril Ramaphosa would be able to keep the SSA in check while it was going through a clean-up. Instead, the spooks are churning out laws to avoid accountability right under his nose.

As long as South African laws fail to comprehensively and specifically regulate mass surveillance, the public will remain at risk of having their communications secretly and illegally intercepted. It has happened in the past. It can happen again. Thanks to the DOJ, the spooks and an apparently oblivious president, this status quo is likely to remain. DM

Heidi Swart is a senior investigative journalist specialising in intelligence and security and the research and journalism coordinator for Intelwatch, a non-profit organisation based in South Africa and dedicated to strengthening public oversight of state and private intelligence actors in Africa and around the world.

Join Daily Maverick, the amaBhungane Centre for Investigative Journalism and Intelwatch on Thursday, 5 October (from noon to 1pm), for an in-depth discussion about the shortfalls of Rica. Register for our free webinar here.

Comments

  • Cheryl Siewierski says:

    Well this is damned scary. Thank you for the clearly-explained threat to both the public and to our democracy, Heidi Swart. Is there any chance Gilab will get nuked in Parly? Or do we simply have to suck it up?

  • Johan Buys says:

    How would they intercept end-to-end encrypted communications? There are / were ways to capture what appears on a targeted screen remotely, but not sure this still applies nowadays with flat screens and cannot work for mass comms. Even if Google or Apple or WhatsApp would cooperate – on many platforms the vendors themselves cannot decrypt the content.

    • Louise Louise says:

      Hi Johan, I recently saw information on the Israeli spyware called “Pegasus”. Now this is where your question is answered. It’s software that a country can buy in order to spy on its citizens and it seems that even the “end to end” encryption can be broken. The software can be installed on your phone without you even knowing it. If you search for Pegasus spyware I’m sure you will find the information on this horrific subject.

      • J W says:

        Pegasus can only be installed if you fall for a phishing attack. There is no way for the government to do widespread monitoring of encrypted traffic.

  • William Kelly says:

    Well, this is likely to end well isn’t it? We have such a competent state as it is.

  • Louise Louise says:

    Thank you Heidi, for a very comprehensive review of this dystopian subject. This type of surveillance has been predicted for several decades, if not more (just read Orwell’s “1984” which he wrote in 1948 to see how far back this goal has been in place). Governments are literally salivating at the prospect of bulk surveillance via our communication devices, most notably our “smart phones”. It is a politician’s wet dream to monitor, track and trace every citizen. It’s for our own good though, didn’t you know?!

    Heidi, please also investigate the Israeli product “Pegasus”, which is a spyware program that can be installed on your cellphone without your knowledge. This software program is being sold to various countries who want to destroy the freedom of their citizens.

    Apart from signing a petition or responding to the call for public input (both of which appear to have absolutely zero effect on the government), perhaps there is hope that our Constitutional Court might be on the side of the citizens. But “hope” is not usually a good plan. Another option would be to just ditch your cell phone but the system has made us so dependent upon these flippin’ things that this is going to prove difficult for most people.

    It’s scary indeed and sadly too many people are fast asleep with regard to the dire consequences of these agendas.

  • David Wingfield says:

    @Heidi, surely the bills can then be challenged in the Con Court?

  • Louis Potgieter says:

    I wonder what it would take to have tracking of attackers of one’s bank balance to source? (Phone the centre, giving your cell number and time of attempt.)

  • Lisbeth Scalabrini says:

    That’s exactly what Stalin would have done if he had had our technological means😠

  • Derek Jones says:

    From now on we have to treat everything this government does with suspicion. We also need to get more money behind those already in the trenches. They have declared war on us.

  • District Six says:

    It’s a pity the security webinar is on the 6th October, the date on which public comments on the RICA Amendments and GiLab close.

    Nonetheless, an article like this is a gift for all the “the government wants to track you,” people. It might be a case of “cry wolf, before they take this down!”
