The Bugging of South Africa

By Jane Duncan · 29 Jul 2013

Picture: politicalblindspot.org
Recent revelations by former National Security Agency (NSA) computer analyst Edward Snowden that the NSA was undertaking unwarranted mass surveillance of Americans have thrown the communications surveillance activities of governments into sharp relief.

Can the abuses that are taking place in the United States (US) happen in South Africa too? The communications of South Africans are probably already being caught in the NSA dragnet, given that cloud services like Google, Microsoft and Yahoo store their information on US servers.

However, locally, the country does not have a provision in its law similar to that of the US law, which allows for mass surveillance of people even if they are not considered suspects. Neither is there evidence of the South African government accessing the servers of communications service providers directly, as is the case in the US Prism programme. But nevertheless, recent events suggest that this question should not be dismissed out of hand as alarmist.

The resignation of South African Revenue Service Chief Oupa Magashula happened because he was caught on tape making an improper offer of employment to a young woman. While clearly some good came out of this interception, the fact that it appears to have been part of an illegal bugging operation is worrying.

Reportedly, the tapes were intercepted as part of a Crime Intelligence investigation into former police chief Bheki Cele. According to the amaBhungane Centre for Investigative Journalism, in 2010 the then head of the Crime Intelligence Division of the police, Richard Mdluli, approved communications interception applications that the police made under false pretences: they smuggled the phone numbers of Cele and two Sunday Times journalists into the direction, and then duped the designated judge into approving it. However, amaBhungane does note that it is not clear if Mdluli was aware of the deception when he approved the applications.

This incident gives a rare glimpse into just how corruptible the state’s interception capacities are. The fact that this evidence has emerged from the beleaguered Crime Intelligence Division should sound alarm bells, given the evidence of other sorts of abuses in the Division during Mdluli’s time. Furthermore, Crime Intelligence is the biggest user by far of interception directions, issued in terms of the Regulation of Interception of Communications Act (Rica).

Why was there a huge 231 percent increase in interception directions requested by Crime Intelligence between April 2009 and March 2010? Given that this spike in requests coincided largely with Mdluli’s appointment, it is not unreasonable to harbour the fear that these abuses may have been more widespread.

However, it is extremely difficult to establish the facts, as there are unacceptable levels of secrecy surrounding these directions that would not be acceptable even in the US. For instance, the designated judge should indicate in his/her annual report how many directions resulted in arrests and convictions. This information would allow the public to assess whether the directions have actually brought down crime levels, or whether the law enforcement agencies were on fishing expeditions.

There is also no requirement for members of the public to be informed of the existence of interception directions once the investigations are concluded, or if the application was rejected by the designated judge (and between 8 and 17 percent are). Yet this is a requirement of the US system in relation to criminal matters, which increases transparency.

Then there is the fact that vulnerabilities are architected into lawful interception systems. Both the US and South African communications networks have been built to ensure that they are capable of surveillance, and in the wake of the September 11 attacks on the US, more countries have followed suit.

In the US, Congress passed the Communication Assistance for Law Enforcement Act (Calea) in 1994, to respond to law enforcement concerns that their ability to monitor networks was declining (or ‘going dark’) as more networks were digitised. The Act required network operators to use digital switches that have surveillance capabilities built into them: a requirement that was subsequently incorporated into EU regulatory frameworks as well.

The US telephone industry developed a handover interface standard for these purposes (the Calea standard), which allows communications to be routed to government interception centres. According to communications security expert Susan Landau, while this interface has made surveillance of digital networks easier, it has also introduced security vulnerabilities that have been exploited by intelligence agencies and criminals alike. In spite of these vulnerabilities, Calea has become internationalised as the surveillance standard for many countries, as has the European Telecommunications Standards Institute (ETSI) standard.

Between 2004 and 2005, still-unidentified individuals exploited the inherent weaknesses in these interfaces to intercept the communications of senior Greek government officials for ten months, until the vulnerability was discovered. Over 6000 Italians, including judges, politicians and celebrities, also had their communications intercepted by criminals over a period of a decade. Yet in spite of these problems, South Africa adopted Calea and ETSI standards in 2005, allowing users’ data to be routed to interception centres.

Last year, in the wake of massive abuses of internet freedom in the Middle East and North Africa, the Directorate General for External Policies of the European Parliament called for a reconsideration of some of the very ETSI standards that South Africa adopted, as they were simply too vulnerable to abuse and enabled mass surveillance. It is not clear whether these interfaces have been misused in South Africa too, but the point is that potential exists, as it has been architected into the network.

Last month, several organisations released a set of international principles on the application of human rights to communications surveillance. According to the principles, ‘…in order to ensure the integrity, security and privacy of communications systems, and in recognition of the fact that compromising security for state purposes almost always compromises security more generally, states should not compel service providers or hardware or software vendors to build surveillance or monitoring capability into their systems’.

Then there are provisions in South Africa that are worse than those of the US. In the US, the collection of foreign intelligence is meant to be approved by a special secret court, although there has been warrantless surveillance too. But in South Africa, the collection of foreign intelligence is not regulated by law, which is probably unconstitutional as there are no real checks on executive authority.

SIM cards need to be registered in South Africa (and several other African countries), in spite of the fact that a clear case has never been made for registration bringing down crime. In fact, the practice has led to an increase in certain crimes, such as identity theft. Furthermore, serious criminals can and do circumvent the registration process. As a result, according to an investigation by The Star in 2012, police often did not bother to use records obtained through the Rica registration process because they were so unreliable.

The upshot is that South Africa is as open to surveillance abuses as the US, and probably more so. The US did not set out to make its own citizens the targets of surveillance (although they have become caught in the dragnet), but South Africa did.

Given the potential for abuse, it remains to be seen if the soon-to-be promulgated Protection of Personal Information Bill could be used to protect data privacy. The Act states that it does not apply to national security or criminal-related matters, but it also provides a loophole in that this exemption only applies if adequate privacy safeguards already exist in legislation, which clearly they don’t.

In reviewing the ‘lawful’ interception system in South Africa, the words of Howard Zinn come to mind:

"We seem to have reached a moment in the United States when the suspicion arises that law is congealed injustice, that the existing order hides an everyday violence against body and spirit, that our political structure is fossilized, and that the noise of change, however scary, may be necessary."

Duncan is a Professor of Journalism at the University of Johannesburg.

Should you wish to republish this SACSIS article, please attribute the author and cite The South African Civil Society Information Service as its source.

All of SACSIS' originally produced articles, videos, podcasts and transcripts are licensed under a Creative Commons license. For more information about our Copyright Policy, please click here.


You can find this page online at http://sacsis.org.za/site/article/1739.
