The South African Government accesses tens of thousands of people’s sensitive communications information every year using a loophole in surveillance policies, according to the Right2Know (R2K) Campaign.
The R2K released statistics from MTN, Vodacom, Cell C and Telkom that show that, at a minimum, law enforcement agencies are spying on the communications of at least 70,000 phone numbers each year.
In May 2017, R2K asked the big four mobile operators how many warrants they received in terms of section 205 of the Criminal Procedures Act, in 2015, 2016 and 2017.
The organisation said these requests aimed to understand how a legal loophole has allowed surveillance operations to take place using the Criminal Procedures Act, rather than the RICA law.
RICA is meant to be South Africa’s primary surveillance law.
It requires law enforcement and intelligence agencies to get the permission of a special judge, appointed by the president, to intercept a person’s communications. In order to apply for this warrant, they need to provide strong reasons because such interceptions threaten peoples’ right to privacy so much.
R2K said but policymakers have wrongly assumed that the information about the communication (such as the identity of who you have communicated with, when, and your location) is less sensitive than the content of the communication.
This has led to a ‘loophole’ in our surveillance laws: section 205 of the Criminal Procedures Act allows law enforcement officials to bypass the RICA judge to get access to get your phone records – who you have communicated with, when, and where.
What Vodacom, MTN, Cell C and Telkom revealed
All four companies complied with R2K’s information requests.
R2K said that the mobile phone operators answers show that law enforcement get call records for a minimum of 70,960 phone numbers every year.
Due to incomplete records (only Vodacom and Telkom could say how many phone numbers were contained in the warrants it received) the actual number is estimated to be much higher. Extrapolating from this data, Daily Maverick journalist Heidi Swart points out the estimated total could be as high as 194,820 phone numbers each year.
All together, these numbers tell a staggering story about surveillance practices in South Africa.
In 2016, MTN received 23,762 warrants for customers’ call records, while Vodacom got 18,594 warrants. Cell C got 6455 warrants and Telkom got 1,271.
These statistics confirm for the first time that the vast majority of ‘authorised’ surveillance operations are happening outside of the RICA judge’s oversight, with no transparency or accountability.
R2K said it is clear that urgent reforms are needed for South Africa’s surveillance policies.
R2K has already pointed out that RICA does not do enough to protect people’s privacy — weak safeguards and a lack of transparency have enabled surveillance abuses. In fact, RICA already faces a legal challenge from investigative journalists whose phones were tapped by government agents.
Among the Right2Know Campaign’s demands for surveillance reform:
1) Call records must be given better protection
Metadata about your communication – information about who you contacted, when and where – must be given the same level of protection as the content of your communication. Interception of this information should only be authorised by a specially appointed judge with special insight on privacy protections and digital rights. The RICA judge is a specialist judge who must be specially positioned to weigh the interests of justice against the right to privacy. Magistrates and ordinary judges, on the other hand, may not be as sensitised to the privacy issues involved in deciding whether or not to release metadata records. This should not be authorised at the lower levels of our court system. The ‘section 205’ loophole should be closed immediately.
2) An end to mass storage of customers’ data
RICA requires telecommunications and internet service providers to store all users’ metadata (a detailed record of all messages and calls sent and received, all internet traffic, etc) for three to five years. This means even people who are not suspected of any crime are already being treated with suspicion.
3) An end to SIM card registration
SIM card registration violates privacy in that it limits the ability of citizens to communicate anonymously. It also facilitates the tracking and monitoring of all users by law enforcement and intelligence agencies.
4) Greater transparency
We should not have to resort to legal action to get this information. Private companies should be publishing regular, detailed transparency reports about their role in interceptions, and the RICA judge must publish a much more detailed report, and it must be tabled in open Parliament.
Users must also be notified when their data has been intercepted. This is a legal requirement of many surveillance laws across the world. The current situation is ripe for abuse, as people who are targeted for surveillance have no way of knowing that their rights have been violated. Only under exceptional circumstances should the judge have the power to delay notifying a user that their data has been intercepted.