Baba Jukwa saga

via Baba Jukwa saga | The Zimbabwean 30 June 2014

Press Reports of the arrest of the Sunday Mail Editor, Edmund Kudzayi and other Press Reports on the repeal of the Telecommunications Regulations which compelled Mobile Telephone Service providers to compile subscribers’ database and allowed third parties to access subscribers’ personal data without a court search warrant, brings to bear the question of state surveillance and the right to privacy in the digital age in Zimbabwe.

While the state is currently taking criminal due process measures to address what it perceives to be a real threat to national security, it must avoid taking further reactionary measures that reverses constitutional gains relating to the right to privacy and civil liberties. In addition, in a country where the ruling political party has completely captured all state organs, thus leading to conflation and creation of party- state, it is crucial to make a distinction on whether the government is taking measures to protect national, state or political party interests. Without any doubt, the real current threat to national security in Zimbabwe is food and water insecurity, an economy nearing a state of deflation, widespread poverty and diseases.

This article gives the state the benefit of the doubt by making an assumption that indeed Zimbabwe is facing cybersecurity threats and goes on to spell out recommendations to the Government of Zimbabwe, in particular it urges the government to look beyond the current criminal prosecutions in addressing cybersecurity concerns but to adopt far-reaching measures in compliance with international law to protect human rights online. The article argues that coming up and enforcing the correct level of human rights protection is very often a matter of jurisdictional reach. In the cyberspace, there could be two obvious alternatives to create a separate jurisdictional space: the technological option and the legal option. In the case of Zimbabwe, government must lead efforts towards the establishment of a civilian-led Computer Emergency Response Team (CERT), which should ideally be based within Post & Telecommunications Regulatory Authority of Zimbabwe (“Potraz”). The current piecemeal response to cybersecurity threats which is being jointly undertaken by the Ministry of Defence, the Police and the President’s Office does not meet international standards relating to governance of cyber-related issues. This article recommends the establishment of a CERT that meet the international internet governance discursive framework based on inclusion, neutrality, transparence, openness, pluralism, diversity while acknowledging the role of judiciary authorities.

From the two twin developments in Zimbabwe, questions that demand attention have emerged. What is the meaning of ‘privacy’ or ‘private communication’, in the digital age? What are the privacy interests inherent in communications data transmitted over the internet or by mobile phone? What technological and legal measures should states adopt to protect the integrity and privacy of data in storage, transit, in cloud and at rest? How can privacy be adequately protected when the increasing convergence of civilian communications and intelligence collection is considered? The last question is particularly pressing considering the growing focus on threats to national security, the scope of which has been repeatedly expanded to justify an increasing number of infringements upon citizens’ rights. That same question recently screamed for answers in the U.S in the wake of the Edward Snowden revelations. According to the U.S Report and Recommendations of? The President’s Review Group on Intelligence and Communications Technologies titled ‘Security and Liberty in a Changing world’ published on 12 December 2013 (“U.S Report”), one of the government’s most fundamental responsibilities is to protect [national security], broadly understood. At the same time, the idea of security refers to a quite different and equally fundamental value, for example, captured in the Fourth Amendment to the United States Constitution: “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated . . . ” (emphasis added). Both forms of security must be protected, the U.S Report added. This form of security is synonymous with the ‘right to privacy’. Both forms of security must be protected. The right to privacy is essential to a free and self-governing society. The rise of modern technologies makes it all the more important that democratic nations respect people’s fundamental right to privacy, which is a defining part of individual security and personal liberty. This right has recently received wide and far-reaching international attention. On 26 June 2014, The United Nations Human Rights Council (“HRC”) adopted resolution (A/HRC/26.L.24 ) on “Internet and Human Rights” by consensus. The resolution advances protections for human rights online, building upon the landmark 2012 resolution which affirmed “the same rights that people have offline must also be protected online, in particular freedom of expression” (HRC Res 20/8).

The twin developments in Zimbabwe and at the Human Rights Council implicate the issue of state mass surveillance, especially in the context of modern digital technologies. In our recent submissions to the Africa Commission on Human and Peoples’ Rights, we scrutinized the role of modern technologies in shaping both the development and human rights agenda on the continent of Africa. While we extolled the virtues of modern technologies to the development agenda, we also sounded a note of caution that technological developments have increased opportunities for State surveillance and intervention into individuals’ private communications. Intelligence communities in various states have embraced state of the art technology to achieve their objectives without conducting a robust impact assessment of the technological impacts on society and civil liberties. For instance, the mass surveillance practices conducted by Western Nations as revealed by former NSA contractor Edward Snowden poses a clear threat to the enjoyment of the rights to privacy and free expression of millions of Internet users across the globe, and undermines the very nature and proper functioning of the internet. This worldwide trend is also seen in African countries, where there has been an unchecked rise in state surveillance and censorship with the corresponding shrinkage in the operating space for human rights defenders and journalists.

In the case of Zimbabwe, according to our Submissions at a side event during the 23rd Session of the Human Rights Council, many Zimbabweans are used to living with their rights to free expression and privacy repressed. In many ways, surveillance in the digital age in Zimbabwe is simply an extension of the monitoring, which political activists and Human Rights Defenders face in everyday life. This is despite the fact that, on paper, Zimbabwe has an extensive set of constitutional rights. In theory, the twin rights of privacy and freedom of expression are protected. Under Article 17 of the Lancaster House Constitution individuals were protected from arbitrary searches and entry onto their property. Article 20 protected a person’s private correspondence, and also enshrined freedom of opinion and the free exchange of information. However, the widely reported political violence, which followed the 2005 election, showed that, in practice, these rights are often not respected.

Zimbabweans waited with baited breath and expectation that perhaps the digital age could finally bring real change in Zimbabwe when a new constitution was adopted on 22 May 2013. The rights to expression, assembly and association are reaffirmed in articles 58 to 60. More significantly, the language of privacy has finally entered into constitutional discourse. Privacy stands as a right on its own through Article 57, which protects Zimbabweans against arbitrary searches of their person and prevents unlawful entry into their homes, premises or property. It prevents disclosure of health conditions to third parties and, most importantly for our purposes; it also seeks to the infringement of private communications.

However the revelations coming from the Baba Jukwa’s case, especially admissions that indeed the state was involved in the hacking of emails, dampens the hope that had been raised by the passage of the new constitution. Having emerged on Facebook in January 2013, Baba Jukwa rapidly became established as a major source of online political news in Zimbabwe. The Baba Jukwa handle was thought to be run by a member of the ruling ZANU-PF party. Many of the posts centred on accusations of state corruption and violence. Reportedly, the government then undertook an intense campaign to find the poster’s identity. On May 31st the State Security Minister publicly announced his worries that ‘Zimbabwe is under cyber attack’. These fears were reiterated in the Sunday Mail (11-17 May) 2014 in a Sunday Mail article ‘Internet Security Policy Urgently Needed’ which was written in the wake of the first attempts to unmask Baba Jukwa. The accuracy of Baba Jukwa’s reports were difficult to confirm or deny, because anonymity meant that ‘Baba Jukwa’ was virtually unaccountable.

Despite unconfirmed media reports that the Zimbabwean Government had sought Chinese assistance to try to increase its ICT monitoring capacity in technical fields such as cryptologic linguists and signals intelligence analysis, the fact that the state had to hire Edmund Kudzayi to unmask Baba Jukwa, as reported in the media, raises questions regarding the state’s ability to deal with other forms of encryption and anonymity.

However, the reported breakthroughs towards the unmasking of Baba Jukwa confirms that Zimbabwe has increased its technical capabilities, and that in Zimbabwe, communications surveillance is becoming the main tool for cutting across the anonymity, rapid information sharing and cross-cultural dialogues of the digital age. Legally, though old in the context of technological innovation, the 2007 Interception of Communications Act (ICA) has kept pace thanks to extremely wide drafting and the creation of blanket powers. Though designed primarily for post and telephone, ICA’s long title states that it can still be applied to ‘any other related service or system’. This provides broad powers to intercept any kind of communication, no matter how technologically advanced it is.

Just as post is intercepted or a phone line is monitored, the state also has the power to snoop on communications travelling by email or across a social network. Having set up a Monitoring of Interception of Communications Centre, manned by ‘technical experts’, and appointed by the Minister of Transport and Communications, the state has the legislative and institutional apparatus in place to subject Zimbabwean’s digital communications to the same surveillance as any other. As the UN Special Rapporteur (A/HRC/23/40) notes, the inspection of emails prior to reaching the desired recipient is still a breach of the right to private communications.

It must be noted however that, with an Opennet estimation of about 11% in 2009, internet penetration in Zimbabwe, though relatively high in Africa, is low by world standards. In 2007 Opennet found no evidence of the state filtering websites. However, a more recent 2012 report by Freedom House reports a huge increase in smart phone usage, especially amongst young people. Between 2006 and 2011 it is estimated that growth of mobile phone has gone from 6.8% to 72.1%. Many Zimbabweans use their phones and laptops to browse facebook, the country’s most popular website, and to use whatsapp, a kind of internet text message service.

However, most Zimbabweans have not fully taken advantage of the worldwide trend of social media being used to express political opinions, and even to form campaigns online, but only generalised political discussions and gossip circulation. Freedom on the Net reports that, ‘the lack of anonymity…and fear of repercussions limit politically oriented statements, which can be traced back to those expressing them’. Facebook is of course a largely public forum, and there have been instances of Zimbabweans being arrested because of their posts. Where facebook is concerned the state can still make use of human surveillance techniques. Employing state agents to monitor the pages of human rights defenders and activists, in the form of what the UN Special Rapporteur calls ‘mass communications surveillance’, might still be an effective tool.

These worries are compounded by the complicity of Zimbabwean Internet Service Providers (ISPs). ISPs are required, under section 9 of ICA, to put in place the hardware and software required for the state to carry out surveillance. Reports in Zimbabwe suggest that at least three of the main Internet Service Providers – Econet, TelOne and Telecontract – have complied with this requirement. Other reports, which cannot be confirmed, suggest that the state is buying surveillance technologies from a number of repressive regimes and even UK internet security companies. According to Freedom on the Net 2012 the Postal and Telecommunications Regulatory Authority of Zimbabwe banned the use of Blackberry Messenger because the service uses encrypted messages. This does not comply with the requirement in ICA that ‘all telecommunication services should have the capability of being intercepted.’

Technological change has not only increased the speed of communications within Zimbabwe. It has also connected Zimbabwe to the rest of the world. Since many eminent Zimbabwean commentators are based abroad they are not under the same danger of arrest as those based domestically, and so can express themselves with more freedom. Furthermore, the news cycle now moves so quickly now that big news in one part of the world is big news all over. This was the case with the Arab Spring, videos of which made it into Zimbabwe and became a topic for discussion by opposition activists.

The fact that the Arab Spring videos made it into the country shows the difficulty of preventing information sharing over the internet. However, equally the work of the police breaking up the lecture shows that human surveillance can still play a part in preventing the dissemination of information within Zimbabwe’s borders.

How cans political power be restrained and human rights protected in the cyberspace?

According to Go Zhao of the University of Groningen, ‘Enforcing the correct level of human rights protection is very often a matter of jurisdictional reach. In the cyberspace, there could be two obvious alternatives to create a separate jurisdictional space: the technological option and the legal option. In Europe, the Germans and French spoke on the possibility of creating the foundations of a “protected” EU Internet, and the EU-funded MAPPING project spelt out its plan of researching if “parallel universes” in cyberspace could be a solution for promoting human rights. This objective of creating spaces within cyberspace where European values on privacy and other human rights may be applied could conceivably be created by technological or legal means.

The U.S Report (ibid) explains these dual legal and technical routes by stating that there is need to take substantial steps to protect networked world. A free and open Internet is critical to both self-government and economic growth. Internet governance must not be limited to governments, but should include all appropriate stakeholders, including businesses, civil society, and technology specialists. In the case of the U.S, the Report made specific recommendations that the US Government should take additional steps to promote security, by (1) fully supporting and not undermining efforts to create encryption standards; (2) making clear that it will not in any way subvert, undermine, weaken, or make vulnerable generally available commercial encryption; and (3) supporting efforts to encourage the greater use of encryption technology for data in transit, at rest, in the cloud, and in storage.

Finally and even more importantly, the Report urged the U.S Government, among other measures relevant to the Internet, to support international norms or agreements to increase confidence in the security of online communications.

The U.S Report has been followed by very progressive court decisions; for example, the U.S. Supreme Court issued two big rulings in important technology cases on 26 June 2014. In a groundbreaking decision on cell phone privacy, the court set powerful limits for police searches of cellphones, ruling in two consolidated cases that law enforcement must get a warrant before accessing the data on an arrested person’s cell phone. In Canada in the case of R. v. Spencer, 2014 SCC 43, the Supreme Court of Canada found voluntary sharing of ISP Subscriber information unconstitutional. In this case, the court held that, ‘Some degree of anonymity is a feature of much Internet activity and depending on the totality of the circumstances, anonymity may be the foundation of a privacy interest that engages constitutional protection against unreasonable search and seizure’.

In the case of Zimbabwe, the new regulations S.I 95 of 2014, which bar the release of subscriber information to law enforcement agents without a court warrant, is a step in the right direction. Section 9 (3) of the new regulations reads: “Notwithstanding the foregoing provisions of this section, subscriber information shall not be released to law-enforcement agencies or any other person, where such release of subscriber information would constitute a breach of the Constitution of the Republic of Zimbabwe, any other enactment or where such release of subscriber information would constitute a threat to national security.” The repealed regulations allowed Potraz to give information in its central database to a law-enforcement agent only if it was requested in writing by an officer of or above the rank of Assistant Commissioner of Police or an equivalent rank in another force, but must not do so if the disclosure would constitute a breach of the Constitution or any other enactment, or constitute a threat to national security. According to Privacy International Blog , the new law raised new challenges to the already embattled rights to privacy and free expression in Zimbabwe, increasing the potential that the repressive state would spy on its citizens and further clamp down on free speech.

Zimbabwe should take additional steps in protecting the right to privacy and restraining political power in the cyberspace.

Firstly, the government should fully implement all the recommendations made in the Parliament Legal Committee Adverse Report, in particular by amending the Interceptions of Communications Act to ensure that judicial authorisation is made necessary for all forms of communications interception. Zimbabwe could also progressively implement some of the recommendations we make in our report ‘Communications and Political intelligence Surveillance on Human Rights Defenders in Zimbabwe’.

At the international level, the government should cooperate with the Office of the High Commissioner on Human Rights towards the implementation of General Assembly Resolution 68/167. The government could do this by making submissions on the steps it has taken towards the realisation of the rights contained in the resolution. This could be done in response to Zimbabwe Civil Society Submissions.

Notwithstanding the above, security threats are real, and some of them are new. The personal data obtained through surveillance and monitoring of telecommunication networks are valuable for criminal and other investigations. Legitimate national security considerations and the necessities of law enforcement may justify, in well-defined cases and under specific circumstances, limitations to the right to privacy. However, activities that restrict the right to privacy, including communications surveillance, can only be justified when prescribed by the law, they are necessary to achieve a legitimate aim, and are proportionate to the aim pursued As the Norwegian Ambassador to Geneva, once stated, ‘It is [however] unclear how beneficial massive sets of data can be for law enforcement and other government agencies. What is clear is that it represents access to the most personal and intimate information, including about an individual’s or group’s past or future actions’.

The current revelations relating to Baba Jukwa makes a strong case for the fortification of national security within legitimate, necessary and proportionate limits, therefore Zimbabwe should take measures to establish a Computer Emergency Response Team (CERT). Although such structures might already be in existence both in the President’s Office and Ministry of Defence, what is needed is a civilian-led CERT. The Baba Jukwa revelations reveal that the Ministry of Defence is currently handling the cybersecurity issues. For instance, Edmund Kudzayi confesses “I immediately changed the password to the email account, the account recovery phone number and the account recovery email address to my personal and alias (Mai Jukwa) details”; “I managed to regain access to the account using my mobile number since I had setup two step verification”; “I passed on the IP addresses to the Ministry of Defence contact.” and “Through social engineering I managed to persuade Google to restore the deleted emails. The original incriminating emails are back in the account and I remain in control of the email.” Given the MOD’s close ties with the ruling party and calls for the security sector reform, this is not an ideal situation, as personal liberty would be sacrificed in their quest to protect the ruling party. Commenting on a similar issue, for example, the U.S Report says, ‘Internet governance must not be limited to governments, but should include all appropriate stakeholders, including businesses, civil society, and technology specialists’. Zimbabwe could get support from the African Internet Governance Ecosystem (AF*) family of groups, in setting up a CERT that protects both national security and the security of the individual, that is, ‘the right of the people to be secure in their persons, homes, and correspondence, against unreasonable interference’. This is also broadly called the ‘right to privacy’. Both forms of security must be protected.

The right to privacy is essential to a free and self-governing society. During the recent Africa Internet Summit in Djibouti on 29 May 2014, Dr Hashem, one of the elders in the AF* ecosystem, pledged to support countries like Zimbabwe to set up CERTS, and in so pledging, he underscored the importance of transparency, ‘Transparency is now being defined by multistakholders and there is need for more multistakholders approach to the issue of Internet governance. We need to work together with NGOs, academics and other sectors to address this issue, in order to balance these four needs’. The involvement of civilians in setting up a CERT in Zimbabwe is necessary due to the conflation of the state and the ruling party into a party state. For instance, in the current Baba Jukwa-related prosecutions, it is not clear what interests are being protected, as it is not clear whether these are national, state or political party interests.

The article is written by Arthur Gwagwa as part of the joint project between The Zimbabwe Human Rights NGO Forum and Privacy International under the Global Surveillance and Safeguards Project. For more information on the project please write to intlo@hrforumzim.com