Plans by the Communications Authority of Kenya (CAK) to install a Device Management System on the country’s telecommunications infrastructure have sparked protests from telecom companies reluctant to plug into a third-party portal and users worried about their privacy.
The CAK says the system, which allows it to remotely identify communications devices and their users, will keep unregistered devices off the network and help in the fight against terrorism and tax evasion through unmonitored telephone calls. Privacy campaigners worry that the system could be used to intercept and collect voice and text data, reports CAK says are “misleading”.
The truth is somewhere in-between. SIM-card registration across the region has been driven in part by anti-terrorism efforts after attacks in Uganda in 2010 and in Kenya starting with Westgate in 2013. Authorities in Uganda are also keen to better monitor traffic on the telephone networks to stop telecoms from under-declaring their revenues and tax obligations.
However, evidence from across East Africa shows governments are investing heavily in their technical capability to snoop on and control their citizens’ communications. Documents and emails published by the whistle-blower website, Wikileaks, shows that Kenya’s intelligence services held conversations with the Hacking Team, a firm based in Italy, about buying a cyber-spying system.
Officials from the Hacking Team told Kenyan government officials that their Galileo Remote Control system could be used to access information in Skype, Facebook, WhatsApp, Line and Viber accounts.
War on narcotics merely perfunctory
The motivation behind the procurement were made clear when Kenyan officials asked the Italian firm to demonstrate the efficacy of their system by bringing down or defacing a critical local blog that carried controversial content, including claims of corruption in the government.
The Italian firm refused the request but it is not clear whether the system was eventually installed.
The integrity of Kenyan mobile phone telecommunications had already been brought into question earlier. Edward Snowden, the American security contractor who is currently a fugitive in Russia, had released secret documents showing that the United States’ National Security Agency (NSA) ran a phone interception programme in Kenya. According to The Intercept website, the programme allowed NSA to “scrape mobile networks for meta-data information that reveals time, source, and destination of calls” on mobile phone networks in Kenya, Philippines and Mexico.
The Intercept noted: “The operation in Kenya is ‘sponsored’ by the CIA, according to the documents, and collects ‘GSM metadata with the potential for content at a later date’.”
An advanced version of the same programme allowed NSA to secretly intercept, record and archive all audio calls in the Bahamas, a small island nation, and another unnamed country, and store them for up to 30 minutes.
State agencies in most countries have always had the capacity to intercept telephone calls. But the proliferation of smartphones and the rise of in-app communications have forced a new scramble by intelligence agencies to catch up and by-pass the encryption used in some of the apps. This has led to the development of a new high-tech spying industry whose annual value is estimated to be more than a billion dollars.
Ability to spy
It has also given state agencies the ability to spy on private communications, including of political rivals, civil society actors and journalists, sometimes outside the law.
Privacy International, a London-based charity that investigates the subject, found that military intelligence in Uganda bought FinFisher, an intrusive malware, from a German firm, Gamma International GmbH, after protests broke out in the aftermath of the disputed 2011 election.
“FinFisher was the ‘backbone’ of a secret operation to spy on leading opposition members, activists, elected officials, intelligence insiders and journalists following the 2011 election which President Museveni [won] following evidence of vote-buying and misuse of state funds,” the charity noted in its report, For God and my President: State Surveillance in Uganda.
President Museveni signed off on ‘Operation Fungua Macho’ as the mass surveillance programme was called on January 13, 2012.
Thereafter, covert access points were set up, usually in the form of compromised Wi-Fi hotspots, within Parliament, in high-end hotels in Kampala and Entebbe, and in the homes of targeted officials.
Officials who kept away from public Wi-Fi hotspots had close associates compromised in order to infect their laptops, smartphones and other communication devices, with the extracted information often used to blackmail the regime critics.
“Covert, extra-judicial surveillance projects like those documented in our investigation have contributed towards making Uganda a less open and democratic country in the name of national security,” Privacy International noted.
Countries in the region have passed laws to shield the interception of communications, often in the aftermath of terrorism incidents.
In Uganda the July 2010 bombings in Kampala in which 76 people were killed led to the swift passing of the Regulation of Interception of Communications Act.
The Act gives powers to security officials to listen in on private communications if they suspect the communication is in aid of criminal activity but, as the evidence from Operation Fungua Macho shows, often the targets are political rivals and dissenters or journalists and civil society workers, not criminals.
In addition, while the law allows for the regulated interception of communications, it does not regulate the use of intrusion malware, such as that the intelligence agencies used in Fungua Macho.
Similarly, requirements for judicial oversight to ensure that intercepts are justified in a balance of probability with privacy concerns are not always followed.
PI found no evidence of court-issued warrants in the Uganda mass surveillance programme while in Kenya intelligence services have previously asked Parliament to amend the law and allow them to tap phone calls without court warrants.
These efforts run counter to the Universal Declaration of Human Rights, which states, “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence.”
In some cases, lawmakers are willing to lean on privacy safeguards at the earliest opportunity. In Rwanda, for instance, a 2013 law that allows phone tapping requires security agents to apply for pre-intercept warrants from the public prosecutor’s office.
However, frustrated by the failure to always prove corruption allegations, Rwanda’s Parliament in March 2016 discussed advising the government to start listening in on civil servants’ private communications and “plant moles” in offices in order to find evidence of graft.
For all the frustration expressed by the legislators, Privacy International says a court trial in 2014 showed that Rwanda already runs a fairly efficient interception programme, including of supposedly encrypted platforms.
“It was reported that Rwanda authorities had intercepted the communications of two suspects in a treason trial,” PI noted in a briefing report on the country.
“According to reports, private messages sent over the phone, WhatsApp and Skype were presented in court as evidence to show conspiracy to topple the government.”
Citizens in the region have tried to respond to the cyber spying and censorship either by going low-tech and not using vulnerable communications, or by going high-tech and, for instance, bypassing restrictions on social media platform use.
This is what happened in Uganda in February 2016 when the shutting down of social media platforms in the aftermath of another contested election saw a surge in downloads of virtual private networks which successfully bypassed the blockade.
Such high-end digital manoeuvres are, however, no match for good old-fashioned snooping or smash-and-grab operations.
In June 2016 31 civil society organisations in Uganda wrote an open protest letter to the Inspector General of Police after the offices of at least two dozen NGOs were broken into in the space of three years by unknown people.
The burglars often took away computers and hard disks, and the affected NGOs all happened to be involved in governance or human rights projects. Needless to say, no arrests were ever made.