Nine years of a ‘Spy Machine’
Back in October 2011, all Malawi’s four telecommunication service providers, sent identical text messages to subscriber Alick Kimu on his mobile phones. The companies stated that they would “no longer be in a position to safeguard the privacy and confidentiality of customers’ communication activities”.
In a swift reaction, Kimu sued the four companies, namely: Access Malawi, Airtel Malawi, Malawi Telecommunications Limited (MTL) and Telecom Networks Malawi Limited (TNM).
He argued in his submissions, that his right to privacy must be safeguarded by the four companies as provided for in the Constitution of Malawi as well as the companies’ individual telecommunications licenses.
Apparently, between April 2009 and September 2010, Malawi Communications Regulatory Authority (Macra) had procured a Consolidated ICT Regulatory Management System (Cirms) equipment. Upon commissioning the system, which came to be known as the ‘Spy Machine’, the regulator requested, from the four companies, various detailed information.
Purportedly, Macra bought the Cirms to monitor provision of telecommunication services and obtain real time Call Detail Records (CDRs) from telecommunication service providers.
According to a bid document issued by the regulator, the system was capable of conducting lawful interception that includes internet interception; Global System for Mobile communication (GSM) and Code-Division Multiple Access (CDMA) interceptions, General Packet Radio Services (GPRS) interceptions, as well as equipment identity registry.
Kimu submitted that the four companies would be in breach of his right to privacy if they were to comply with the directive to surrender to Macra their subscribers’ call detail records.
At first, the four companies were reluctant to comply with the request from Macra. They told the court that compliance would compromise the confidentiality and privacy of their subscribers in addition to breaching constitutional guarantees of privacy.
However, following the service providers’ various exchanges with Macra, they had no choice but to surrender to the directive from the regulator. And they decided to inform their subscribers, which led to the identical text messages that Kimu received from the four service providers.
Macra wins court challenges
In June 2017, the Supreme Court of Appeal cleared Macra to start implementing the Cirms. The clearance came two years after another legal challenge when service provider, TNM applied to the High Court for review of Macra’s decision to connect the Cirms. TNM had argued that there would be no framework to protect customer confidentiality.
Around the same time, two concerned citizens, Hophmally Makande and Eric Sabwera, also sued Macra, barring it from using the so-called ‘spy machine’. They argued that it will infringe on consumers’ privacy. The court also dismissed this application. Macra announced back in 2018 that it had started implementing the Cirms the same year that State Vice-President, Saulos Chilima, accused his own Government of planning to use the ‘Spy Machine’ for eavesdropping on people’s private conversations on mobile phones.
Government dismissed Chilima’s claims, describing the contents of his speech as a ‘package of lies’.
At the same time communications law expert, Innocent Kalua, told The Daily Times that, so far, there is no law mandating the government to eavesdrop on citizens conversations.
“The right to privacy is not absolute; it can be limited. But there are thresholds that must be made. The limitations must be prescribed by law. There was a bill called National Intelligence Service. It was referred back to the Legal Affairs Committee of Parliament, which means we do not have a law mandating the government to eavesdrop on our conversations,” Kalua was quoted saying.
Macra’s expenditure on Cirms extravagant
Eric Priezkalns, editor for Commrisk, a communication risk management publication, described as weak, an argument by Macra and Malawi Government that it will have more control necessary to assure taxes, that include international termination fees and Value Added Tax (VAT) paid by telecommunication companies. In contrast, telecommunication companies argued that audits had shown no evidence of underpayment of taxes.
When Macra acquired Cirms at a cost of $14m (K10.3bn), it dismissed accusations of wastage of funds and argued that it will recover the money through international termination fees. Macra also argued that the benefits from utilizing the system outweighed the anticipated costs.
In his March 16, 2015 write up, Priezkalns argued that it was frustrating to see government and regulator make such claims without showing any evidence.
“You do not need to examine every CDR in the country to do a tax audit. If taxes are being cheated, a competent auditor should be able to find sufficient evidence from sample checks,” he argued.
He also contended that Macra’s persistence with the Cirms suggests that its decisions are driven by dogma instead of data.
“If they are wrong in their calculations, then every penny of the $14 million cost will ultimately be paid by ordinary people, through higher call charges,” he argued.
For weeks, Macra ignored a questionnaire that sought for information regarding the current status of Cirms. Priezkalns said, even if for the sake of argument that a central repository of CDRs will encourage a higher quality of service, he found that to be laughable as there was no magic that Macra would produce to demonstrate what to do with all those CDRs, other than adding them up and reconciling them to the amounts of money they have received.
Macra stated at the time, that the system was unique with no off-shelf alternative but Priezkalns argued that the reason it was unique was because governments and regulators in other countries see no reason to collect every single CDR for every single call.
“If others do not have a system like this, how can Malawi’s authorities make extraordinary promises about improving services as well as gathering more taxes?” he queried.
He said the awareness of the perils of CDR collection had moved on since Macra initiated their project.
Priezkalns said in the USA, for example, authorities were compelled to justify blanket collection of CDRs after a leak of secret court orders revealed that the National Security Agency (NSA) was gathering huge swathes of call data.
The subsequent justification offered by the NSA was that the data was needed to identify relationships between potential terrorists.
“In other words, the NSA gathers CDRs for the purpose of surveillance,” expounded Priezkalns who is also chief executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.
Priezkalns said Malawi government’s excuse that it will implement a comprehensive centralized database of CDRs, but will not use it for surveillance purposes was not holding.
“Does this sound even remotely plausible?” he challenged. “If they cannot audit a tax return without such an extensive data gathering operation, why would they deny themselves the opportunity to use the same data to fight terrorists, combat organized crime, or spy on customers for any other reason they see fit?”
He said much as he does not doubt that the Malawi government and Macra are legally entitled to do what they are doing, they should treat the citizens and phone subscribers with more respect by giving a proper explanation of why Malawi needs this system when other countries do not.
Can Macra be legally challenged?
Macra had promised that a report on how the ‘Spy Machine’ is performing would likely be issued by end March, 2018.
“This will give a clear picture of taxes, charges, how many services have been generated and how many subscribers are there in Malawi,” Broadcasting Technical Manager Zadziko Mankhambo had said during a sensitization meeting of heads of sectors on mandatory simcard registration in Dowa district in 2018.
Since then, Macra has kept people in the dark as it is yet to start releasing Cirms performance reports despite promising to do so two years ago.
Considering that people have been silent over the matter, it is still not known how much surveillance this machine is making over subscribers’ affairs. There is need, however, for populist actions to seek protection against infringement of privacy considering that the subscribers and the service providers have resigned to their fate.
Edge Kanyongolo, University of Malawi’s Associate Professor of Law, and specialized in constitutional law and jurisprudence asserts that all government actions are governed by a variety of laws, including administrative law, one of whose fundamental principles require that legal powers must be exercised for the purposes for which they were granted by Parliament.
“Spying on citizens for political reasons is not a purpose intended by Parliament and, therefore, can be challenged through judicial review,” he argued.
Jimmy Kainja, Lecturer in Media, Communication and Cultural Studies at University of Malawi opines that Government will always have the means to monitor activities of its citizens, with or without Cirms.
“I think what matters is that this should be done legally, without infringing on people’s rights and freedoms,” maintains Kainja. “One thing that we have not paid attention to in this country is the absence of Data Protection Law, yet we have willingly been giving away our personal data to private and public institutions.
“All this enhances surveillance. We need to think about surveillance beyond Cirms,” he emphasises.
While Macra as a regulator needs to have information about the regulated firms in order to make critical decisions, in terms of Cirms, Kainja thinks there are two problems:
“Macra’s lack of independence—the regulator is captured by the state—and in Malawian politics this means the ruling party.
“It brings fears that those in power can use Macra to monitor activities of the opposition, government critics and dissidents in general,” he says.
Kainja also says that these things have to be clear because as a public institution, Macra must be answerable to a public body such as Parliament, not the executive arm of the government as it is currently the case.
“If public institutions can’t release information they must be compelled to do so. This is why we really [need] the Access to Information law to be effected,” he explained
The second problem that Kainja pointed out is lack of Data Protection Law which he affirms is “a big problem because there are no legal parameters on how people’s data is handled”.
Monitoring Macra’s Cirms
ICT Association of Malawi (Ictam) President Bram Fudzulani says his understanding is that CIRMS is largely used to monitor quality of service rendered by providers to ensure that they are in compliance with their license.
“Using the Cirms to spy on the citizens would be illegal especially in the absence of the data protection and privacy laws which are currently being drafted,” he explained.
On who is monitoring Macra in order to ensure that it issues monthly reports of how the ‘spy machine’ is performing to give a clear picture on taxes, charges and how many services generated as a subscribers base, Fudzulani said they have been keenly following up with the Consumer Affairs Unit within Macra which is mandated to promote awareness, protect the interests and rights of consumers through an effective regulatory and licensing framework.
“The releasing of the report on the performance of the Cirms would not only help vindicate consumer complaints on the quality of service be it voice or data, but it will also help the regulator to ensure the service providers adhere to their license rules and requirements,” he insisted. n
This article on digital surveillance was supported by the Media Policy & Democracy Project, jointly run by the University of Johannesburg and University of South Africa