Discussion Prompt: What existing national security legislation, new bulk analysis efforts, and emergency measures have different states deployed to curb the spread of Covid-19?
See all contributions to this question.
In light of South Africa’s history and its weak metadata controls, concerns were strong that the government’s intention to use location data in the fight against Covid-19 would lean authoritarian. Yet, the fairly comprehensive regulations added to the Disaster Management Act on April 2 have been seen as a welcome change and glimmer of hope. Arguably, this is due to the pressure civil society had put on the country’s surveillance regime before the crisis.
Last month, the South African government announced its intention to follow other governments around the world and use mobile phone location data in the fight against the Covid-19 pandemic.
At the time of writing, South Africa had recorded 1655 cases of Covid-19 and 11 deaths: thankfully, below what the government had projected for this stage of the pandemic. Yet, the country is the most affected by the pandemic in Africa. There is the real possibility that infections may rise massively if the virus sets into the country’s densely-populated low-income or no-income areas.
Instead of wasting crucial time by fumbling its response, the government moved quickly and decisively to counter the pandemic. South Africa has been in a police– and military-enforced lockdown for a week, and faces at least another two weeks before the lockdown is lifted.
It is in these conditions that South Africa announced its intention to use location data: a move that has triggered privacy concerns. However, significantly, the government has declared a national state of disaster, rather than a national state of emergency. So, rights such as privacy have not been suspended.
How does the government intend to use location data, and what do these intentions tell us about how autocratic or democratic its response is to the pandemic? This question matters because emergency powers have a nasty tendency of sticking around long after the emergency that necessitated them has passed. In the case of South Africa, in the wake of the attacks on September 11, 2001, and as part of its contribution to the ‘War on Terror’, Parliament passed a basket of anti-terror laws, including the Regulation of Interception of Communication and Provision of Communication-Related Information Act (RICA), that has remained largely unrevised in spite of the overbroad powers it gave to the country’s security services.
South Africa has a terrible history of a securocracy, in which members of the military and the police helped to govern the country and invoked emergency powers to crush mass opposition to apartheid. More recently, the country has emerged from a decade where the security and intelligence apparatuses of the state were misused to benefit a corrupt political elite. If South Africa is to put this history behind it once and for all, then the government needs to ensure that any emergency measures lapse after the pandemic has abated. Thus, the declaration of the state of disaster must lapse as soon as possible after the pandemic subsides, as the declaration of a lockdown allows the security services to wield extraordinary powers such as prohibiting gatherings.
Intelligence uses and abuses of metadata
There is a spectrum of uses for location data in the fight against the virus, ranging from non-intrusive to highly-intrusive. The least intrusive way is to use aggregated and anonymised location data to model population density in the spread of the Covid-19 virus. Governments intent on more intrusive measures can obtain location data to track the movements of people infected with Covid-19, to establish who they have been in proximity to, and to isolate those people. People who violate lockdowns can also be traced and graded according to the public health risks they pose. South Korea, China, and Israel have been using location data in such ways.
Even before the pandemic began, South Africa had a cavalier approach towards using metadata in intelligence operations, with the number of requests into the thousands. A new research report by information rights researcher and activist Murray Hunter shows how useful metadata (and especially location data) is to the police for investigating and solving crimes, but how they also prefer to use the least transparent route for obtaining it.
There are two main routes that state intelligence agencies can use to access metadata: a more stringent procedure set down in RICA and the Criminal Procedures Act.
RICA is used mainly by the Crime Intelligence Division of the South African Police Service. The State Security Agency (the civilian intelligence agency), the Defence Intelligence Division of the South African Defence Force, and the Financial Intelligence Centre are less frequent users.
While RICA is used mainly for accessing communication content, the state agencies can also use it to access metadata in real-time. Both, however, require authorisation by a special judge. The applicants must show that there are reasonable grounds to believe that a serious crime has been, is being, or will probably be committed. RICA requires that the cell phone companies store metadata for between three to five years. The Act also sets out procedures for the intelligence agencies to access archived metadata, but these are less stringent than for content or real-time metadata. However, the intelligence agencies prefer to use the Criminal Procedures Act, which merely requires that a judge needs to be satisfied that the metadata is relevant to a case. Its usage is not restricted to serious crimes. Furthermore, even a magistrate can issue a subpoena in terms of the Act; it does not have to be a High Court judge.
While RICA is slightly stronger than the Criminal Procedures Act on controls and oversight, neither Act provides sufficient protections for metadata. These weaknesses are premised on the outdated view that communication metadata is less privacy-sensitive than communication content.
Currently, the South African Constitutional Court is considering whether RICA is even constitutional. An investigative journalism organisation, the amaBhungane Centre for Investigative Journalism, challenged the constitutionality of RICA on several grounds, including privacy. The case followed a revelation that amaBhungane’s managing partner, Sam Sole, was spied on by the state, presumably to uncover his sources in a state institution. The Constitutional Court heard the case in February and judgement is reserved.
Some of the key problems that amaBhungane is challenging are the lack of post-surveillance user notification, the lack of independence of the special judge, the lack of procedures for the processing of personal information, and the fact that the State Security Agency’s bulk signals intelligence agency, the National Communications Centre, has no founding statute and is, therefore, in its entirety a rogue entity.
While the amicus curiae applicants in the case raised the lack of controls over metadata usage, the issue was not central to the case and is unlikely to be ruled on. So in other words, South Africa announced its intention to use location data in the fight against Covid-19 in a context where metadata oversight and controls were already weak. Therefore, it was widely expected (and understandably so) that the government’s plans would lean towards the authoritarian end of the spectrum.
South Africa’s approach to using location data
The government’s evolving position on this is clear from the changes between an initial set of directions issued on 26 March and new regulations issued on 2 April. On 26 March, the Department of Telecommunications and Postal Services released a direction in terms of the Disaster Management Act, covering communications and media-related issues. Under the heading ‘individual track and trace’, the cell phone operators, and in fact ‘the digital sector in general’, are required to provide location-based services ‘to support government departments to assist and combat the spread of Covid-19’. The regulation provided important clues to the government’s intentions, in that they appeared to extend beyond obtaining aggregate information and into using location data to track those infected with Covid-19, to see who they had been in the vicinity of. This was in spite of the fact that according to South Africa’s largest mobile operator, Vodacom, their understanding was that the government was only after aggregate data.
Then, on 2 April, the government released revised regulations, with much more elaborate procedures for location tracking. In important respects, they even exceed the privacy protections for metadata provided in RICA and the Criminal Procedures Act. According to the regulations, the Department of Health will maintain a Covid-19 database of those infected or reasonably suspected of being infected. The Department can direct the cellphone companies to provide location data for the database about the Covid-19 carriers or people who have been in close proximity to them. Furthermore, the Department can only request data between 5 March (when the pandemic really picked up) and when the state of disaster finally lapses through a declaration by the Minister of Cooperative Governance and Traditional Affairs, and they can only use the data strictly for the purpose of countering the virus. They, and anyone else for that matter, are not allowed to use these procedures to intercept any other communication content, allaying fears that the state of disaster would be used to spy on what people are saying.
The regulations envisage the appointment of a special Covid-19 judge, appointed by the Minister of Justice. The Department of Health, on a weekly basis, needs to provide the judge with a list of people whose details were obtained, and these people need to be informed six weeks after the state of disaster has lapsed that their location data was obtained. The Covid-19 judge can also make recommendations to the relevant cabinet members regarding the amendment or enforcement of the regulations in order to safeguard privacy, while not compromising the fight against the virus.
The regulations also incorporate basic data protection principles, such as purpose specification and time limit principles. They require that within six weeks after the lapsing of the state of disaster, all information in the Covid-19 database should be de-identified, retained and used for research purposes. The designated judge can give directions if s/he isn’t satisfied about these new storage arrangements.
Most surprisingly, the regulations recognise the principle of user notification: surprisingly because the government had opposed user notification in the amaBhungane case. In its constitutional challenge to RICA, amaBhungane argued that RICA is incorrect in not allowing people whose communications have been intercepted to be notified after investigations have reached a non-sensitive stage. This secrecy prevents interception subjects from contesting abusive government interceptions.
One disappointing aspect of the regulations is that they do not envisage judicial authorisation. If the judge has any reservations about decisions taken, then s/he only has the powers to recommend remedial action, not review the decisions. This part of the regulations should be reconsidered, as it turns the judge into a rubber stamp for the executive. RICA does contain similar emergency procedures where the authorities can notify the judge after the fact if they have intercepted communications when life and limb is threatened. While not the subject of the constitutional challenge, that procedure is unsatisfactory, too, as it doesn’t spell out what happens if the judge disagrees with the authorities’ decisions. The intelligence agencies have used this emergency power thousands of times, simply because it was easier than the conventional procedure involving prior judicial authorisation.
The reporting requirements in the regulations mitigate the potential for abuse, but the absolute baseline for individual cell phone tracking should be that the authorities must apply for a warrant, which a judge must issue.
Making the securocrats blink
People around the world are scared of the pandemic and the uncertainty it has created. These are times when people are least likely to resist the removal of democratic rights and freedoms. After all, what is the point of having rights when the most important right of all, namely life, is at risk. Autocrats could quickly take advantage of the fact that protests have been shut down and popular counter-power is weak.
The South African government’s enforcement of the lockdown has been highly uneven, and has revealed existing cracks in policing. Members of the public have laid scores of complaints against the police and military for violent enforcement of the lockdown, including three deaths, allegedly as a result of police action. The situation is precarious and may lead to reactive protests: the very thing the country can do without at the moment. Therefore, it is of the utmost importance that the lockdown be enforced using the least intrusive and coercive means possible. It is commendable that the government moved with great speed on clarifying their intentions with location tracking, put their powers in writing, limited their scope (although there is room for improvement), and subjected themselves to a sunset clause restricting the Department of Health to use these powers until the State of Disaster has lapsed or has been terminated through a gazetted official notice.
The fact that the regulations are driven by public health officials and not the police or the spy agencies is a significant strength. They imply that the government has actually conceded deficiencies in its metadata interception practices. It is doubtful that they would have done so had the amaBhungane case not happened. This case demonstrates the power of one of the most unrecognised forms of intelligence oversight, namely public oversight. But, at least it is clear now that it is possible to stare down the securocrats and make them blink.