Editors PickWeekend Investigate

Hiding behind laws to accomplish digital surveillance

For close to 10 years now, the Malawi government has been gathering personal information of its citizens and stockpiling it elsewhere.

Citizens are now at the mercy of those in custody of such personal data as they could use it against them or worse still, pawn it for a profit.

Data governance framework is weak in Malawi

This has been possible through the passing of pieces of legislation that have strengthened government’s grip on its digital surveillance undertakings.

With such laws, that include the National Registration Act (2010), Electronic Transactions and Cyber Security Act, (2016), and Communications Act of 2016, government has managed to put all its citizens in its pockets in as far as their personal data is concerned.

The government also rolled out the Consolidated ICT Regulatory Management System (Cirms),—famously known as the spy machine—nine years ago, which had surveillance capabilities.

The National Statistics Act, 2013 also empowers the National Statistics Office (NSO) to collect all types of information, including personal information, nationwide on behalf of the government.

The way everything has legally been put in place, there is no way that people would escape or choose not to partake in the information collection process.

Nine million Malawians were registered for national identity cards by August 2019

Snooping on citizens

Take, for example, the legal surveillance tools like the National Registration and Identification System (NRIS) which the United Nations Development Programme (UNDP) says has registered 9 million Malawians as of August 2019.

This also came at the back of 2018 government enforcement, through the Malawi Communication Regulatory Authority (Macra), of mandatory mobile phone SIM card registration.

In all this, the major weakness of the current legal and policy framework is the lack of a dedicated data governance framework.

The only glimmer of hope could perhaps be that a data protection law that will prescribe what government can do and not do with citizens personal information will be put in place, now that a new government was ushered into office on June 23, 2020.

Jimmy Kainja, lecturer in Media, Communication and Cultural Studies at University of Malawi’s Chancellor College, who has done extensive studies in this respect, hopes that judging from the inaugural speech of newly-elected President Lazarus Chakwera, it looks like the new government is set to put things straight.

“The mention of getting rid of bad laws and operationalising Access To Information law, for example, make one hope that data protection law will also see the light of the day,” says Kainja.

“With full and open public consultations,” Kainja says, “there’s a draft in place already.” There is also the Sadc model law on this which he says the government can simply localise.

“Having said this, I think it will still need a push from the civil society and all stakeholders to ask and push the government for it,” he says.

Mandatory personal data collection exercises such as SIM card registration and biometric data collection as part of the national identification programme against the right to privacy which is enshrined in the Malawi Constitution is the line that stakeholders need to take in order to push for change.

The Malawi Constitution stipulates that “Every person shall have the right to personal privacy, which shall include the right not to be subject to: (a) searches of his or her person, home or property; (b) the seizure of private possessions; or (c) interference with private communications, including mail and all forms of telecommunications”.

However, Kainja observes that there have been incidences where this has been violated by ensuring that the other legislation overrides such constitutional provisions through digital surveillance that has been used to effect arrests since Malawi does not have a standalone data protection law.

Digital surveillance suspicions

As if all this is not even enough, in August 2016 Macra unveiled plans to undertake an initiative that would have facilitated the development of a Smart City in Malawi, dubbed ‘Making a City Smart’, that sought to mitigate problems generated by what they called growing urban population.

The authority had said the Smart City Initiative would be piloted in Blantyre City before being replicated in other cities upon the successful completion of the pilot phase and that it would rely on, among others, a collection of smart ICT technologies and solutions that are applied to critical infrastructure components and services.

Macra and the city councils were considering broadband connectivity through creation of Wifi zones in identified recreation areas, parks, streets, hospitals, ICT innovation and tech hubs.  One of the component would have been the establishment of cameras in the country’s cities and towns that would have been observing activities of the citizens.

Several weeks of seeking Macra’s input on this project as well as its role in ensuring that there is data protection law, bore no fruits, as personnel through their communication chain were reluctant to comment.

Recently, 26 African youths from eight African countries completed training in construction and piloting drones meant to integrate them into a supply chain system and analyse drone data in line with the demand for drone and data expertise in the region. They graduated from African Drone and Data Academy (ADDA) in Lilongwe.

Some analysts were also suspicious as regards to how much government intended to make use of these drones, fearing that they may be used as part of digital surveillance.

Vice-President Saulos Chilima once accused the previous Peter Mutharika government of using Macra to eavesdrop on people and using the information to prosecute them to stifle their political aspirations.

In March 2018, the then minister of Information, Nicholas Dausi, announced that drafting of a bill on data protection in response to the changing media and technological landscape was in process.

Bram Fudzulani ICT Association of Malawi (Ictam) president corroborated that indeed Malawi is in the process of drafting its data protection and privacy laws. However, in the meantime, the Electronic Transaction and Cyber Security Act 2016 deals with the issue of data protection and privacy in one sub-section.

“It simply calls on data controllers to ensure that personal data is processed fairly and legally but also collected for an explicit and legitimate purpose. Under this section Macra is able to ensure that service providers collecting data via SIM registration comply with the law and also that data subjects are protected,” he says.

Of Malawi’s two mobile phone service providers, only Airtel Malawi was willing to speak about its position in this respect while TNM refused to comment.

Airtel Malawi’s corporate and public relations manager Nora Chavula Chirwa says her company ensures that it keeps its customers’ information confidential ‘pursuant to our license obligations, Communications Act, Electronic Transaction and Cyber Security Act, the Constitution of Malawi and any other applicable laws and regulations’.

Data protection legislation

The Electronic Transactions and Cybersecurity Act which provides for data protection, establishes the Malawi Computer Emergency Response Team (Cert), as a unit under Macra.

Section 6(2) provides that the “Malawi Cert shall take charge of its information infrastructure protection actions and serve as a base for national coordination to respond to information and communication technology threats.” 

It is Section 4 of the Act stipulates that it is the duty of Macra to ensure that the Malawi Cert executes several services.

However, since the Act came into force, although in March 2018, Macra director of finance, Ben Chitsonga told the local media that the communications regulator had engaged experts from the International Telecommunication Union (ITU) to help get Malawi Cert off the ground.

Ictam’s Fudzulani observes that although the establishment of the Cert is indeed enshrined in the electronic transaction that mandates Macra to establish Cert there was a need to do a lot of ground work in order to get several things to start working.

“For example, there was need for us as a country to formulate a strategy but also for Macra to draft regulations which would then operationalise the act,” he observes.

Another thing, Fudzulani said was the need for capacity building and sensitisation among key stakeholders ‘which is what has been happening for the past two years in partnership with a number of international partners line ITU etc.’

“I can confirm now that we have a functional Cert in Malawi and has a portal where stakeholders can report security incidents and other Cert functions,” he says.

Push for data protection law

Kainja expresses his surprise about SIM card registration especially on how easily Malawians accepted it, the same way they did with the biometrics ID cards.

“We needed data protection law before rolling out these programmes,” he insists.

He says it would be difficult for citizens to stop it because it means they would have their SIM cards deactivated and now the best way would be to lobby Parliament to either come up with data protection law or review the SIM card registration altogether.

Law expert, Edge Kanyongolo, University of Malawi’s Associate Professor of Law, believes the pressure for data protection legislation would probably be effective if it took the political route involving lobbying for smart partnerships among human rights advocates, groups with special professional interests in confidentiality such as doctors, lawyers, among others and the opposition political party. n

—This article on digital surveillance was supported by the Media Policy & Democracy Project, jointly run by the University of Johannesburg and University of South Africa.

Related Articles

Back to top button