Across East Africa, Big Brother is watching your every move

A surveillance camera.

Photo credit: Pool

Motorists driving on any of the major roads in Uganda, or in the capital Kampala, will not fail to notice the white gantries overhead from which CCTV cameras hang, quietly observing and recording proceedings.

The first cameras in Uganda went up around 2014 when Chinese telecommunications behemoth Huawei donated 20 units worth $750,000 to the government to keep an eye on the streets.

When the deputy police chief was shot dead outside his house in a Kampala suburb in 2017, the government accelerated its surveillance plans. 

Technicians install CCTV cameras in Nairobi city.

Photo credit: File | Nation Media Group

In 2018 authorities in Kampala signed a ‘safe city’ project with Huawei worth $126 million. Today about 5,000 CCTV cameras keep an eye on movements on Ugandan roads, part of a ‘smart cities’ project pushed by Huawei in many countries.

Footage from the cameras flows through a network of dedicated fibre-optic cables to 11 monitoring centres, and into a $30 million data hub at the police headquaters in Kampala.

Equipped with facial-recognition technology, the CCTV project is meant to improve safety by giving the police the tools to identify and solve crime.

"[The Uganda Police Force] has an existing contract with Huawei to install CCTV cameras countrywide as a measure to strengthen law and order," police spokesman Fred Enanga said in a statement when the project was launched.

"The cameras are already transforming modern-day policing in Uganda, with facial recognition and artificial intelligence as part of policing and security."

Indeed, footage from the CCTV camera project has been used successfully to identify suspected criminals and solve some crimes. 

Technicians install CCTV cameras in Mombasa.

Photo credit: File | Nation Media Group

But apart from reports of police officers selling incriminating footage to criminals, concerns are growing about who else has access to this information, and how they are using it.

Uganda is just one of a growing number of countries in the region and elsewhere ramping up surveillance of public spaces.

Kenya has, since 2015, had a Huawei-supplied surveillance network of 1,800 cameras and 195 monitoring centres across Nairobi and major roads.

In 2019 then-President Uhuru Kenyatta signed on to a plan in which Huawei would expand the project to include a $173 million data centre and surveillance hub in Konza City. 

Technicians install CCTV cameras in Eldoret town on June 2, 2022.

Photo credit: Jared Nyayata | Nation Media Group

The company has also supplied and installed similar surveillance infrastructure in Zambia, Egypt, Pakistan, Rwanda, and Algeria, among others.

Other African countries also known to have similar surveillance projects include Nigeria, Equatorial Guinea, Morocco, and Zimbabwe.

There are growing concerns, however, that these projects, which combine video surveillance, internet monitoring and mobile phone meta-data collection, are giving governments the ability not just to go after criminals but also to illegally spy on and monitor political opponents, activists, and journalists.

A digital bounty

As more interactions between individuals, private firms and governments move to digital spaces, citizens are creating ever bigger pools of personal data online.

In addition, regulatory requirements like SIM card, national ID, and other biometric-data registrations are making this data ever more personalised and traceable to individuals.

The privacy of this information in an increasingly digital age is key to allowing individuals to exercise their freedoms of expression, information, assembly and association.

In countries with repressive regimes, the ability by citizens to communicate anonymously is essential to the enjoyment of these freedoms, and to their personal safety.

Yet the expansion of personal digital data that is identifiable to individuals makes it easier for governments and private contractors to pinpoint, mine, and exploit, sometimes for the wrong reasons.

In August 2019 the Wall Street Journal reported that Huawei’s employees had personally helped African governments, including in Uganda and Zambia, spy on political opponents by intercepting encrypted communications and social media conversations.

They also used cell tower data to track their whereabouts and facilitate their arrests.

In Uganda, the newspaper reported that government officials had tried and failed to intercept encrypted communications between musician-turned-politician Bobi Wine (real name Robert Kyagulanyi) and his allies ahead of a concert, before turning to officials of the Chinese firm.

“The Huawei technicians worked for two days and helped us puncture through,” a senior Ugandan surveillance official told the WSJ.

After the Huawei engineers used spyware to penetrate Mr Wine’s WhatsApp chat group, security nipped in the bud his plans to organise street rallies by arresting him and many of his supporters.

Save the date! Join Nation.Africa as experts dissect concerns around digital surveillance this Thursday, December 8, 2022 from 1930hours EAT. GRAPHIC | NATION

Huawei is ubiquitous, given its spread of influence and infrastructure, but it is not the only firm helping governments violate their digital privacy of their citizens. Around 2012, the Ugandan government booby-trapped the public Wi-Fi networks of hotels around Kampala using FinFisher, a spyware sold to it by Lench IT Solutions/Gamma Group, a British-German firm.

According to Amnesty International, which tracks the spyware, FinFisher is also known to have been deployed in attacks on politicians, human rights defenders and journalists in other countries including Ethiopia, Egypt, the United Arab Emirates, and Bahrain.

Of all the spyware whose deployment has been made public, the most insidious appears to be Pegasus, which was developed by the Israeli firm NSO Group and can be injected into a target phone by text or WhatsApp.

First uncovered in 2016, Pegasus had, by 2018, been traced to at least 45 countries, according to Citizen Lab, a technology and global affairs think tank at the University of Toronto. These included Algeria, Egypt, Ivory Coast, Kenya, Morocco, Rwanda, South Africa, Togo, Uganda, and Zambia.

“At least six countries with significant Pegasus operations have previously been linked to abusive use of spyware to target civil society,” Citizen Lab noted.

“Pegasus also appears to be in use by countries with dubious human rights records and histories of abusive behaviour by state security services.

“In addition, we have found indications of possible political themes within targeting materials in several countries, casting doubt on whether the technology is being used as part of ‘legitimate’ criminal investigations.”

State intelligence agencies were using Pegasus to not only spy on their own dissidents but also on senior political and military officials from other countries.

As recently as December 2021, it was revealed that Ugandan security agents had used Pegasus to spy on journalists and 11 US diplomats in the country.

Sometimes the vacuuming up and exploitation of data is at a continental level.

In 2018, the French newspaper Le Monde revealed that servers in the Chinese-built African Union HQ in Addis Ababa, Ethiopia, had been configured to upload data from listening devices across the building to servers in Shanghai.

Both the AU and representatives of the Chinese government denied the report.

Legal loopholes

Protections for digital data go back at least two decades. European Union directive 95/46/EC required sufficient legal protections to be in place before any transfer of personal data to developing countries.

International law has since evolved to recognise the importance of, and provide safeguards for, the protection of personal data and digital rights.

The International Covenant on Civil and Political Rights, and the Universal Declaration of Human Rights provide for the right to privacy.

Article 9 of the African Charter on Human and Political Rights requires state parties to protect and promote citizens’ digital rights.

The closest to a model law for the continent is the African Union Convention on Cybersecurity and Personal Data Protection, but only 13 of the body’s 55 member countries have ratified it. Of the seven East African Community member states, only Rwanda has ratified it.

About one in two African countries have enacted privacy laws and policies. But these are often countermanded by parallel laws that make it easier for state surveillance and collection of biometric data, and limit the use of encryption for more secure communications.

As a result, threats to data privacy are evolving faster than regulations to safeguard the right to privacy, argues Juliet Nanfuka of the Collaboration on International ICT Policy for East and Southern Africa (Cipesa), an ICT think tank.

For instance, even as countries put in place data privacy laws, laws permitting interception of communications by state agencies in Benin, Cameroon, Chad, Ivory Coast, Malawi, Mali, Niger, Nigeria, Rwanda, Senegal, Tanzania, Togo, Tunisia, Uganda, Zambia, and Zimbabwe require communication service providers to be able to hand over any communications.

In some cases, the service providers are required to be able to decrypt and hand over unencrypted data.

In November, Tanzania became one of the latest countries to take a step forward towards safeguarding digital privacy when its Parliament passed the Personal Information Protection Bill. It joined Kenya and Uganda in the EAC that have already passed data privacy laws and rolled out regulations, including data protection officers, to make them operational.

Teething problems

Yet implementing data protection and privacy laws isn’t always straightforward. The Kampala-based Unwanted Witness, an NGO, and the Centre for Intellectual Property and Information Technology Law at Kenya’s Strathmore University analysed the data policies and practices of half a dozen private companies in each of the two countries.

They found that many firms still rely on voluntary disclosures, not compliance with the law.

Some of the companies assessed did not indicate what data is collected, why, how long it is kept, and how people can access, amend or erase their data held by such firms.

All the companies assessed scored zero percent on accountability because they did not publish transparency reports to answer these questions about the data they collect, which is good industry practice.

“For data controllers or processors to be entrusted with handling personal data they must [demonstrate] capacity to comply with the applicable laws in the countries,” the joint report by the two organisations noted.

“The rights of a data subject should be adequately provided for in the companies’ privacy policies so that they can feel comfortable when sharing their personal data. This should not be taken as a matter of charity but a legal obligation.”

Recommendations for private firms:

Companies should be mandated by law to adopt privacy policies that conform to the data protection legal frameworks.

Companies that process users’ personal data should be transparent about their practices and inform users about how they handle their personal data through a prominently displayed and sufficiently noticeable privacy policy.

Companies should include in their privacy policies a detailed and easily understood information that specifies the type of data being collected, the duration of data storage, contact information, and the rights of the data subject.

Data transfers to third parties must be mentioned in the privacy policy to ensure that the data transferred between the company and a third party, where the transfer is necessary, is secure, the data subjects are fully informed, and the purpose and parameters are adequately explained.

The privacy policy should outline the physical, technical, and procedural safeguards that comply with applicable legal and technical standards. The robust security measures outlined should correspond with actual security procedures.

Businesses must publish transparency reports to indicate their compliance with data protection regulations.