Today R2K releases statistics from MTN, Vodacom, Cell C and Telkom that show that government accesses tens of thousands of people's sensitive communications information every year using a loophole in South Africa's surveillance policies. These numbers show that law enforcement agencies are spying on the communications of at least 70,000 phone numbers each year. As our analysis below shows, the actual number could be much higher.
Background to the requests
In May 2017, R2K asked MTN, Telkom, Vodacom and Cell C how many warrants they received in terms of section 205 of the Criminal Procedures Act in 2015, 2016 and 2017 (statement here).
These requests aimed to understand how a legal loophole has allowed surveillance operations to take place using the Criminal Procedures Act, rather than the RICA law.
RICA is meant to be South Africa's primary surveillance law. It requires law enforcement and intelligence agencies to get the permission of a special judge, appointed by the president, to intercept a person's communications. To apply for this warrant, they need to provide strong reasons, because such interceptions pose a serious threat to people's right to privacy. But policymakers have wrongly assumed that the information about the communication (such as the identity of who you have communicated with, when, and your location) is less sensitive than the content of the communication.
This has led to a 'loophole' in our surveillance laws: section 205 of the Criminal Procedures Act allows law enforcement officials to bypass the RICA judge to get access to your phone records - who you have communicated with, when, and where. According to this law, any magistrate can issue a warrant that forces telecoms companies to hand over a customer's call records and metadata. Policymakers are wrong to assume this information is less sensitive or private than the contents of the communication: metadata can reveal as much, if not more, about a person's contacts, interests and habits than what they say over the phone or in a text message. When a person's communications information is handed over using the Criminal Procedures Act, they are never notified, even if the investigation is dropped or if they are found to be innocent.
In one recent case, former SAPS Crime Intelligence officer Paul Scheepers faces charges in the Western Cape for allegedly using this legal loophole to spy on the communications of various people who were not under legitimate investigation.
What Vodacom, MTN, Cell C and Telkom revealed
All four companies complied with R2K's information requests. Their answers show that law enforcement gets call records for a minimum of 70,960 phone numbers every year. Due to incomplete records (only Vodacom and Telkom could say how many phone numbers were contained in the warrants they received), the actual number is estimated to be much higher. Extrapolating from this data, Daily Maverick journalist Heidi Swart points out the estimated total could be as high as 194,820 phone numbers each year.
All together, these numbers tell a staggering story about surveillance practices in South Africa.
In 2016, MTN received 23,762 warrants for customers' call records, while Vodacom got 18,594 warrants. Cell C got 6,455 warrants and Telkom got 1,271. Because the same warrant is in some cases sent to several service providers, it is not possible to add these numbers together to get the total number of warrants issued across all service providers, as this would result in 'double counting' of some warrants.
The most recent statistics from the RICA judge's office show that in 2014/2015, the RICA judge issued 760 warrants for interception. At a minimum, in the same year magistrates issued 25,808 warrants in terms of s205 of the Criminal Procedures Act.
These statistics confirm for the first time that the vast majority of 'authorised' surveillance operations are happening outside of the RICA judge's oversight, with no transparency or accountability.
It is clear that urgent reforms are needed for South Africa's surveillance policies.
R2K has already pointed out that RICA does not do enough to protect people's privacy -- weak safeguards and a lack of transparency have enabled surveillance abuses. In fact, RICA already faces a legal challenge from investigative journalists whose phones were tapped by government agents.
Among the Right2Know Campaign's demands for surveillance reform:
1) Call records must be given better protection
Metadata about your communication - information about who you contacted, when and where - must be given the same level of protection as the content of your communication. Interception of this information should only be authorised by a specially appointed judge with special insight on privacy protections and digital rights. The RICA judge is a specialist judge who must be specially positioned to weigh the interests of justice against the right to privacy. Magistrates and ordinary judges, on the other hand, may not be as sensitised to the privacy issues involved in deciding whether or not to release metadata records. This should not be authorised at the lower levels of our court system. The 'section 205' loophole should be closed immediately.
2) An end to mass storage of customers' data
RICA requires telecommunications and internet service providers to store all users' metadata (a detailed record of all messages and calls sent and received, all internet traffic, etc) for three to five years. This means even people who are not suspected of any crime are already being treated with suspicion.
3) An end to SIM card registration
SIM card registration violates privacy in that it limits the ability of citizens to communicate anonymously. It also facilitates the tracking and monitoring of all users by law enforcement and intelligence agencies.
4) Greater transparency
We should not have to resort to legal action to get this information. Private companies should be publishing regular, detailed transparency reports about their role in interceptions, and the RICA judge must publish a much more detailed report, and it must be tabled in open Parliament.
Users must also be notified when their data has been intercepted. This is a legal requirement of many surveillance laws across the world. The current situation is ripe for abuse, as people who are targeted for surveillance have no way of knowing that their rights have been violated. Only under exceptional circumstances should the judge have the power to delay notifying a user that their data has been intercepted.
Time to end surveillance abuses!
This is no time for half measures and cosmetic reforms. Right2Know Campaign will not relent on challenging surveillance abuses. The people of South Africa can and will take back control of their privacy!