The right to privacy has been making big news globally. In the wake of US whistleblower Edward Snowden’s revelations, more people have been clamouring for stronger privacy protections. So why has there been so little debate about the state of this right in South Africa? Is it because there is nothing to be concerned about here?
In fact, the right is under attack in South Africa, too, but local outrage is muted. Some sceptics have argued that the only people who have anything to fear are those who have something to hide — but the problem with privacy is that you never know when you may need it. Privacy violations are also irreversible; when the wrong people access your personal data and misuse it, they cannot unlearn what they have learnt.
In the North, the focus has been on the privacy-eroding nature of mass surveillance. Citizens appear to have concluded that targeted, lawful surveillance is the least of their worries, as this practice is already highly regulated. As a result, they are focusing on legal controls of mass surveillance and technical solutions such as mass encryption.
Governmental mass surveillance champions have argued that this practice does not violate privacy as the initial data mining is undertaken by computers, not humans. This argument is flawed, as people have a right to control who or what has access to their personal data.
By allowing governments to search and seize their data — practices that should require reasonable suspicion of guilt and a targeted warrant — users lose control of their data, which damages collective privacy rights. It is only a matter of time before some court declares mass surveillance unconstitutional, as the practice is disproportionate to the aim of ensuring national security. And, in any event, a coherent case for mass surveillance still has to be made.
Yet in South Africa, even targeted surveillance — which is regulated in terms of the Regulation of Interception of Communications Act (Rica) — does not protect privacy adequately. Even worse, the available evidence points to mass surveillance being, to all intents and purposes, unregulated. Snowden has shown that, where there is a lack of accountability, abuses will inevitably follow.
One of Rica’s most serious weaknesses is that no one is ever informed that their communications have been intercepted, even after the investigation is complete — the authorities are given a power that is largely hidden from the public eye.
In the US, to protect the rights of the people under surveillance in criminal matters, a judge must ensure that the person whose communications were intercepted is informed about the court order within 90 days of its termination. In Canada, the lack of “after the fact” notification has been declared unconstitutional.
The grounds for issuing interception directions in terms of Rica are speculative. Directions may be issued in relation to serious offences that may be committed in future, which may not be constitutional. The designated judge’s report is threadbare, which makes it impossible to assess whether the Act is actually being used for pressing public purposes (a requirement for practices that violate privacy). For instance, no information is provided about how many interception directions have led to arrests and convictions.
The granting of Rica directions is also an inherently one-sided process, which means that the judge has to take the information that is given to him or her on trust. No ombudsman is present to represent users’ interests. As a result, the process lacks an adversarial component, which also predisposes it to abuse.
Rica requires cellphone users to register their names and addresses when buying a Sim card. Many democracies don’t require their citizens to do so, because it is a de facto violation of the right to privacy. They look with horror at countries such as South Africa, and ask why its citizens simply go and register their Sim cards unquestioningly like sheep and risk having their personal information misused by unaccountable authorities. The available evidence points to Sim card registration being useless as a crime-fighting tool, as criminals merely acquire preregistered Sim cards.
Rica is silent on whether it regulates foreign signals intelligence (or intelligence gathered from communications passing across South Africa’s borders), and the government has maintained that it does not. This leaves foreign communications data wide open to abuse, especially given the global nature of cloud computing.
Other countries have instituted special courts for these activities. Yet, typically, these courts lack transparency and accountability. They also tend to subject nonnationals to lower levels of privacy protections than nationals, which is discriminatory. The law that governs monitoring and surveillance of nationals should apply to non-nationals too.
South Africans should be particularly concerned about the lack of regulation for foreign signals intelligence, as the centre that has undertaken this form of surveillance has also housed the country’s mass surveillance capacity (and probably still does). This was confirmed by the inspector general of intelligence in 2005, who found that the country’s bulk scanning facilities had been used to keep citizens under surveillance during the country’s bruising presidential succession battle.
So, the organ of state that has the greatest potential for mass surveillance is also the one that is least regulated by law. This capacity is so intrusive that its use should be authorised by primary legislation. South Africa’s case for mass surveillance is likely to be even weaker than countries such as the US, given that the country faces no major terrorist threats to national security.
Wikileaks has revealed how South Africa manufactured and exported mass surveillance technology, including to authoritarian regimes such as Muammar Gaddafi’s Libya. Privacy International has also publicised the fact that the government has provided funding to local company Vastech for rights-violating technology dressed up as a public good, and that this problem has not been addressed with export controls.
It is also important that communications network operators speak out against abusive practices. To this end, more companies abroad are beginning to issue transparency reports detailing government spying.
But South Africans cannot rely on local companies to blow the whistle on dodgy surveillance practices. Although Rica forbids companies from saying anything about these practices, there is no evidence of companies pushing back and challenging the lawfulness of this clearly over-broad gag. Passing the buck and blaming the government for secrecy is simply too easy.
Little has been made of the implications of other privacy insensitive technologies, too, such as the e-tolling system in Gauteng. Road users should have a right to travel to their chosen destination without having their locational privacy violated, which is perfectly possible in more dynamic systems.
The government intends biometrics to be the technology of choice in its transactions with citizens. It is establishing centralised biometric databases for its social security system and identity cards, in spite of the major concerns globally about the integrity of such databases. Now, legislation authorising surveillance drones is also being considered, but if past precedents are anything to go by, the privacy implications may not receive a grilling.
South Africa has globalised national security worst practices in the digital space, but it is failing to globalise best practices. The upcoming review of intelligence policy provides the country with an opportunity to revisit some of the questionable practices it allowed to slip through the first time round.
Also, a largely excellent Protection of Personal Information Act may offer some respite, and an information regulator is being set up to enforce peoples’ data rights. Only time will tell, though, whether it is an effective watchdog or a lame duck. The regulator will have its work cut out for it in the coming years, as so many privacy eroding measures have already been introduced.
South Africans have been sleepwalking through many privacy issues that have made people elsewhere take to the streets in protest. The country needs a dedicated privacy champion in civil society, in the way that it has for freedom of expression or access to information. The issues are specialist and global in nature, but they also require a locally rooted mass movement that pushes back against privacy erosions.
Giving up personal liberties for security is a false and dangerous trade-off that no one should make, as they are likely to achieve neither freedom nor security.
- Jane Duncan teaches at the University of Johannesburg. Her book, The Rise of the Securocrats, has just been published by Jacana
- This column was first published in the Mail & Guardian, the smart news source