Hiding Behind Laws to Accomplish Digital Surveillance
By Gregory Gondwe
For close to ten years now, the Government of Malawi has been gathering personal information of its citizens and stockpiling it elsewhere. Citizens are now at the mercy of those in custody of such personal data as they could use it against them or worse still, pawn it for a profit. This has been possible through the passing of pieces of legislation that have strengthened its grip on its digital surveillance undertakings.
With such laws, that include the National Registration Act (2010),Electronic Transactions and Cyber Security Act, (2016), and Communications Act of 2016, Government has managed to put all its citizens in its pockets in as far as their personal data is concerned.
The Malawi government also rolled out the Consolidated ICT Regulatory Management System (CIRMS), – famously known as the spy machine – nine years ago, which had surveillance capabilities.
The National Statistics Act, 2013 also empowers the National Statistics Organisation (NSO) to collect all types of information, including personal information, nationwide on behalf of the government.
The way everything has legally been put in place, there is no way that people would escaped or chose not to partake in the information collection process.
Using law to snoop on citizens
Take for example the legal surveillance tools like the National Registration and Identification System (NRIS) which the United Nations Development Programme (UNDP) says has registered 9 million Malawians as of August 2019. This also came at the back of a 2018 Malawi government enforcement, through the Malawi Communication Regulatory Authority (MACRA), of mandatory SIM Card registration.
In all this, the major weakness of the current legal and policy framework is the lack of a dedicated data governance framework. The only glimmer of hope could perhaps be that a data protection law that will prescribe what Government can do and not do with this personal information will be put in place, now that a new Government was ushered into office on June 23, 2020.
Jimmy Kainja, Lecturer in Media, Communication and Cultural Studies at University of Malawi who has done extensive studies in this respect hopes that judging from the inaugural speech of newly elected President Lazarus Chakwera, it looks like the new government is set to put things straight.
“The mention of getting rid of bad laws and operationalizing Access To Information law, for example, makes one hope that data protection law will also see the light of the day,” says Kainja.
“With full and open public consultations,” Kainja says, “there’s a draft in place already.”
There is also SADC model law on this which he says the government can simply localise.
“Having said this, I think it will still need a push from the civil society and all stakeholders to ask and push the government for it,” he says.
Mandatory personal data collection exercises such as SIM card registration and biometric data collection as part of the national identification programme against the right to privacy which is enshrined in the Malawi Constitution is the line that stakeholders need to take in order to push for change.
The Malawi Constitution stipulates that “Every person shall have the right to personal privacy, which shall include the right not to be subject to: (a) searches of his or her person, home or property; (b) the seizure of private possessions; or (c) interference with private communications, including mail and all forms of telecommunications”.
However, Kainja observes that there have been incidences where this has been violated by ensuring that the other legislation override such constitutional provisions through digital surveillance that has been used to affect arrests since Malawi does not have a standalone data protection law.
More Digital Surveillance Suspicions
As if all this is not even enough, in August 2016 MACRA unveiled plans to undertake an initiative that would have facilitated the development of a Smart City in Malawi, dubbed ‘Making a City Smart’, that sought to mitigate problems generated by what they called growing urban population.
The authority had said the Smart City Initiative would be piloted in Blantyre City before being replicated in other cities upon the successful completion of the pilot phase and that it would rely on, among others, a collection of smart ICT technologies and solutions that are applied to critical infrastructure components and services.
Macra and the City councils were considering broadband connectivity through creation of Wi-Fi zones in identified recreation areas, parks, streets, hospitals, ICT innovation and tech hubs. One of the component would have been the establishment of cameras in the country’s cities and towns that would have been observing activities of the citizens.
Several weeks of seeking MACRA’s input on this project as well as its role in ensuring that there is data protection law, bore no fruits as personnel through their communication chain was reluctant to react in any manner or feedback.
Recently, twenty-six African youths from eight African countries completed training in construction and piloting drones meant to integrate them into a supply chain system and analyse drone data in line with the demand for drone and data expertise in the region. They graduated from African Drone and Data Academy (ADDA) in Lilongwe, Malawi.
Some analysts were also suspicious as regards to how much Government intended to make use of these drones, fearing that they may be used as part of digital surveillance.
Vice President Saulos Chilima once accused the previous Peter Mutharika Government of using MACRA to eavesdrop on people and using the information to prosecute them to stifle their political aspirations.
In March 2018, the then Minister of ICT, Nicholas Dausi, announced that drafting of a bill on data protection in response to the changing media and technological landscape was in process.
Bram Fudzulani ICT Association of Malawi (ICTAM) President corroborated that indeed Malawi is in the process of drafting its data protection and privacy laws. However, in the meantime, the Electronic Transaction and Cyber Security Act 2016 deals with the issue of data protection and privacy in one sub-section.
“It simply calls on data controllers to ensure that personal data is processed fairly and legally but also collected for an explicit and legitimate purpose. Under this section MACRA is able to ensure that service providers collecting data via SIM registration comply with the law and also that data subjects are protected,” says Fudzulani.
Of Malawi’s two mobile phone service providers only Airtel Malawi was willing to speak about its position in this respect while TNM refused to comment.
Airtel Malawi’s Corporate and PR Manager Nora Chavula Chirwa says her company ensures that it keeps its customers’ information confidential ‘pursuant to our license obligations, Communications Act, Electronic Transaction and Cyber Security Act, the Constitution of Malawi and any other applicable laws and regulations’.
Law that is acting in Place Data Protection Legislation
The Electronic Transactions and Cybersecurity Act which provides for data protection establishes the Malawi Computer Emergency Response Team (CERT) as a unit under MACRA.
Section 6(2) provides that the “Malawi CERT shall take charge of its information infrastructure protection actions and serve as a base for national coordination to respond to information and communication technology threats.”
It is Section 4 of the Act stipulates that it is the duty of MACRA to ensure that the Malawi CERT executes several services.
However, since the Act came into force, although in March 2018, MACRA Director of Finance, Ben Chitsonga told the local media that the communications regulator had engaged experts from the International Telecommunication Union (ITU) to help get Malawi CERT off the ground.
ICTAM’s Fudzulani observes that although the establishment of the CERT is indeed enshrined in the electronic transaction that mandates MACRA to establish CERT there was a need to do a lot of ground work in order to get several things to start working.
“For example, there was need for us as a country to formulate a strategy but also for MACRA to draft regulations which would then operationalize the act,” he observes.
Another thing, Fudzulani said was the need for capacity building and sensitization among key stakeholders ‘which is what has been happening for the past two years in partnership with a number of international partners line ITU etc.’
“I can confirm now that we have a functional CERT in Malawi and has a portal where stakeholders can report security incidents and other CERT functions,” he says.
Exerting Pressure to have Data Protection Law in Place
Kainja expresses his surprise about SIM card registration especially on how easily Malawians accepted it, the same way they did with the biometrics ID cards.
“We needed data protection law before rolling out these programmes,” he insists.
He says it would be difficult for citizens to stop it because it means they would have their SIM cards deactivated and now the best way would be to lobby parliament to either come up with data protection law or review the SIM card registration altogether.
“Mind you, this is likely to be unpopular opinion with the public because the public has been told that SIM card registration is their own security so the public has opted for security and not their rights. We need civil society organisations, academia, media etc. to start paying attention to these pertinent issues,” advises Kainja.
Law Expert, Edge Kanyongolo, University of Malawi’s Associate Professor of Law, and specialized in constitutional law and jurisprudence believes the pressure for data protection legislation would probably be effective if it took the political route involving lobbying involving smart partnerships among human rights advocates, groups with special professional interests in confidentiality (doctors, lawyers etc.), opposition.
The opposition that Kanyongolo was referring to at the time of the interview was the Malawi Congress Party of President Chakwela and Vice President Saulos Chilima’s United Transformation Movement.
Now that it is the one in power, it should perhaps be not difficult to put in place personal data protection legislation.
This article on digital surveillance was supported by the Media Policy & Democracy Project, jointly run by the University of Johannesburg and University of South Africa