When the South African government issued the first batch of regulations just over a week ago enabling it to track the movement of South Africans through their cell phones, it was met with serious concern from legal experts and some civil society organisations. Now government has issued amendments to the initial regulations that have eased some of the concerns.
During a press briefing unpacking the revised regulations, Minister of Communications and Digital Technologies Stella Ndabeni-Abrahams said: "I want to say it up front, that I know that most people have been concerned that 'our government wants to spy on us'. This is not spying on anyone," she said.
Surveillance of this nature is a sensitive issue for its encroachment on people's constitutional right to privacy.
First batch: Too vague
Allowance for using cell phone data was first announced by the Ndabeni-Abrahams and published in the Government Gazette as a set of "directions" on the 26th of March.
The initial direction read: "The Electronic Communication Network Service (ECNS) and Electronic Communication Service (ECS) Licensees, internet and the digital sector in general, must provide location-based services in collaboration with the relevant authorities identified to support designated departments to assist and combat the spread of COVID-19."
Digital Rights Activist Murray Hunter described these first measures as suggesting: "that there will in fact be no transparency, no oversight, and very vague limits on the powers themselves".
Avani Singh, director at ALT Advisory, a public interest advisory firm, shared Hunter's concerns and highlighted the need for clarification.
"We've got very serious concerns about the direction. It is overboard, vague and incredibly intrusive," she said. "That is why it is so urgent that some clarification or amendment or even withdrawal of that provision and a reissuing of clearer directions be made available as soon as possible."
Amendments are 'progressive'
However, a few of these concerns were addressed in the newest amendments to these regulations, published last Thursday in the Government Gazette. Thami Nkosi, Countering Repression Organiser from Right2Know described the amendments as "progressive" but highlighted that there are still a couple of challenges particularly "about how these regulations are going to be implemented".
Singh shared Nkosi's views that amendments were an improvement. "The amended regulations issued by the Minister of Cooperative Governance and Traditional Affairs (Dr Nkosazana Dlamini-Zuma) are a marked improvement on the previous directions that were issued by the Minister of Communications," Singh said.
Hunter explained that this amendment provides much more detail than the previous direction. "It is very clear what they would do, and why and how, mostly. There are still lots of finicky details (to be worked out) but it's good," he said.
What data will be accessed?
According to the amendment, the National Department of Health will create a database that will store information on everyone who has been confirmed or is suspected to be COVID-19 positive.
"The amended regulations set out in detail how the COVID-19 tracing database will work, and put in place safeguards for the access, use and oversight of the data collected," Singh explained. Data acquired through tracing people who have been in contact with a COVID-19 positive persons or who is "reasonably suspected to have contracted COVID-19" will be stored in this database. Authorities can only trace and use data from 5 March 2020. South Africa reported its first confirmed COVID-19 case on 5 March.
This information will include "the first name and surname, identity or passport numbers, residential address and other address where such person could be located, and cellular phone numbers of all persons who have been tested for COVID-19 as well as their test results, and details of their known and suspected contacts".
Only the Director-General of the national Department of Health can request or authorise a requests to access the locational data from 5 March. The data can only be kept up to six weeks after the State of Disaster has ended, and the information will either be "de-identified" or destroyed.
Hunter weighed in on this. "Every request for information is very specific, rather than the State getting access to everyone's data through direct access to the database and fishing around for whatever they are looking for, the people who hold the data, the telecoms, will provide it on a request by request basis. That really limits the scope for abuse," he explained.
The amendments also provide for the appointment of a COVID-19 designated Judge, who will receive a weekly report from the (acting) Director-General of Health Dr Anban Pillay with the names and details of everyone whose locations or movement were tracked. After the State of Disaster passed all these individuals will be informed that their locational information had been accessed.
The highly respected retired judge Kate O'Reagan was appointed as designated judge. According to a statement released by the Department of Justice O'Reagan will now be able to make recommendations "regarding the amendment or enforcement of this regulation in order to safeguard the right to privacy while ensuring the ability of the Department of Health to engage in urgent and effective contact tracing to address, prevent and combat the spread of COVID-19".
The amendment also makes it clear that these regulations will not allow government or any other party to access someone's personal communications.
According to Singh, however, it is important for the designated judge to "exercise vigilant oversight". "The concern now is primarily in respect of the implementation of the process," Singh said.
Hunter also cautioned for the need to remain vigilant despite the vast improvements to the regulations. "I think that we must always have reservations (about surveillance) and that it's good to stay sceptical about these things," Hunter said.
One thing that is still of concern is how safe the data will be. Singh explained that "careful measures will need to be put in place to ensure the confidentiality of the COVID-19 tracing database". "The database will contain a raft of personal information and will require appropriate technical and organisational measures to be implemented to ensure that no data breaches occur," she said.
Professor Co-Pierre Georg, an associate Professor at the University of Cape Town (UCT), is concerned about government's plan to collect the data in a centralised data base. "If you collect all of this data in a central database, you create a massive cyber security risk... you will make it a very appealing target for any hacker out there," Georg said.
He also noted that data collected from cell phone companies aren't always accurate.
Georg explained that there are other ways to store data in a decentralised way. He and a team at UCT are working on an App, called CoviID, that seeks to achieve just that. He explained that the data collected will be stored on the user's phone and encrypted using blockchain technology to make the data much more secure.
The App will also provide for ways that allow people who do not have cell phones to keep a record of their movements and COVID-19 status. The team is working with various companies and organisations to assist with this and expect to have the App finished by the 16th of April (when the 21-day lockdown is supposed to end). George also wrote about this App in Business Day.
"What the government wants to do (with a centralised database) is to plant a giant, monoculture forest and hope that no one will light a spark anywhere. As soon as it burns somewhere, the whole forest will burn down. We're building a small system with healthy ecology and sufficient fire breaks in between," Georg said.
Another concern is whether or not the data could be de-identified (make it anonymous) easily.
"The fact that they think they can de-identify location data shows that they have not understood the scale of the problem. It is well known that anonymisation is close to impossible for geolocation data," said Georg.
Hunter also noted this concern.
"There has been a lot of research and thinking in public health about how anonymised data is not actually as anonymised as one would think and that it can be identifiable information even if good faith efforts have been made to anonymise that data," Hunter explained. "That's just an ethical issue that needs to be dealt with by the authorities."
Nkosi stressed the need for civil society to ensure that the process is transparent and that the government is held accountable if the access to data is abused.
"So it's a positive move to say 'we're going to appoint a designated judge to oversee the roll-out... but the most important thing for civil society, specifically from this country, is to hold the government accountable, and (demand) transparency in how these things are done," Nkosi said.
"One of the accountability mechanisms is for the government to make it (the information) available, to say such and such a number of people were under surveillance for the suspicion that they came into contact with someone positive for COVID-19. We need that transparency in order to hold them accountable, should the State then extend the surveillance beyond the COVID-19 specifics," he said.
Another concern was raised by Associate Professor at the University of Witwatersrand's School of Law, Victoria Bronstein. "I think a huge challenge is that this doesn't become the new normal. That when this emergency is over that people are aware of how we have made incursions onto human rights and how we can't continue with them, and how they (the regulations) have to be rolled back," she said.
Cell phone operator's responses
Spotlight also contacted the cell phone operators MTN, Vodacom, Telkom and Cell C regarding the amendments, and what information they had been asked to provide. Telkom had not responded by the time of publication. Vodacom and Cell C both stated that they were in the process of either reviewing the regulations or discussing it with the Department of Health. MTN provided more information on their response to the amendments.
"Chapter 3 (10) of the privacy laws gives an idea of the kind of information. Cell C are yet to supply information as company is still in discussions with the Ministry of Health on the support needed in fighting COVID-19, and further enquiries must be directed to the Ministry."
"Vodacom is reviewing amended regulations published in the Government Gazette yesterday regarding the Disaster Management Act, 2002. As a responsible corporate citizen, Vodacom remains committed to abiding by applicable South African laws and will act accordingly."
"On March 27 Government Gazette No. 43164 was issued by the Minister of Communications and Digital Technologies under Regulation 10(8) of the regulations made under the Disaster Management Act, 2002 (Act 57 of 2002) (Government Notice No. 318 published in Government Gazette No. 43107 of 18 March 2020). The Government Gazette refers to the use of location-based services as follows:
"The Electronic Communication Network Service (ENCS) and Electronic Communication Service (ECS) Licensees, internet and digital sector in general, must provide location-based services in collaboration with the relevant authorities to support designated department to assist and combat the spread of COVID-19".
"On April 2, Government Gazette No. 11078, was issued by the Minister of Cooperative Governance and Traditional Affairs. The Government Gazette refers to further specifics on the use of location-based data.
MTN will respond to the regulation, as contained in Government Gazette No. 11078, as follows:
MTN will provide location-based information to the Director General of Health, if requested to do so.
MTN will observe this protocol and will not provide to any other party but the Director General of Health.
MTN will share requested location-based information to the Director General of Health leveraging the current Law Enforcement Process (LEA).
Government will ingest the requested location-based information into a secured Covid-19 database; Government will treat the Covid-19 database in line with best-practice information management principles.
Government will disseminate and model the location-based information received from MTN.
MTN will not have access to the Covid-19 database, nor the result of the data models.
Government will, post the Covid-19 disaster, de-identify the location-based information in line with the provisions as provided by the new regulation.
Government will be contacting citizens and enforcing the results of the COVID-19 Track and Trace models. MTN will have no view of this."
*Note: Singh, who is quoted in this article, has in the past provided legal assistance to Spotlight.