MISA Zimbabwe takes note of the chain of events that have transpired in these last few months in Zimbabwe, which seem to point to increased attempts by the government to promote and entrench mass surveillance of citizens.
The recent press statement released by the Minister of Home Affairs and Cultural Heritage, Kazembe Kazembe, on the alleged abduction of three MDC Alliance Activists Joana Mamombe, Cecilia Chimbiri and Netsai Marova raised alarm on government surveillance of citizens.
In his statement, the Minister gave a detailed narration of the purported movements of the three abductees, which included their precise locations and times on the day in question.
And recently, in March 2020, the Zimbabwe National Army (ZNA) Commander Lieutenant-General Edzai Chimonyo, addressing senior military commissioned officers at the Zimbabwe Military Academy in Gweru, said the military would soon start snooping into private communications between private citizens to “guard against subversion,” as social media has become a threat to national security.
In his post-cabinet briefing on the 21st of April 2020, Finance Minister Mthuli Ncube said the government used a sophisticated algorithm to select beneficiaries of the ZW$180 COVID-19 pocket money. A social media report also elaborated that the Finance Minister claimed that “they looked at how much money is in your bank account, mobile wallet, and using your cell phone number, figured out where you really stay”.
What is alarming is what appears to be a combined operation of excessive use of personal information, by public and private actors, government, and mobile network operators. This raises several issues of concern around data protection, surveillance and the right to privacy.
Surveillance laws in Zimbabwe
It is not in dispute that rights can be limited and in terms of Section 85 (2) of the Constitution. Fundamental rights and freedoms set out in the Constitution may be limited only in terms of a law of general application and to the extent that the limitation is fair, reasonable, necessary and justifiable in a democratic society based on openness, justice, human dignity, equality and freedom, taking into account all relevant factors.
Principle 8 of the African Declaration on Internet Rights and Freedoms which focuses on privacy and personal data protection also provides that:
The right to privacy on the Internet should not be subject to any restrictions, except those that are provided by law, pursue a legitimate aim as expressly listed under international human rights law, (as specified in Article 3 of this Declaration) and are necessary and proportionate in pursuance of a legitimate aim.
Meanwhile, taking note of the sensitivity of the matter at hand, being an alleged abduction, it was expected that the government would institute investigations to uncover the truth and the criminals behind that abduction.
With the advancement in technology, geo-location data of persons and call records among other tools can be relied on to track persons and their locations. Such innovations in information technology have also enabled previously unimagined forms of collecting, storing, and sharing personal data. This, therefore, poses the urgent need to jealously guard the right to privacy and to increase State obligations related to the protection of personal data.
As highlighted above, any infringement of the right to privacy should be prescribed by law, necessary to achieve a legitimate aim, and proportionate to the aim pursued. The Interceptions of Communications Act is the statute that sets out the legal basis for the government or rather State authorities to conduct communications surveillance.
In terms of the Act, an application for the lawful interception of any communication may be made by the Chief of Defence Intelligence or his or her nominee; the Director-General of the President’s department responsible for national security or his or her nominee, and in this case the Commissioner of the Zimbabwe Republic Police or his or her nominee.
As part of the application, full particulars of all the facts and circumstances alleged by the applicant in support of his or her application and also whether other investigative procedures have been applied and have failed to produce the required evidence. Or, the reason why other investigative procedures appear to be unlikely to succeed if applied, or whether they involve undue risk to the safety of members of the public or to those wishing to obtain the required evidence.
The law also requires that the Minister should issue the warrant if there are reasonable grounds for the Minister to believe that any of the listed offences has been or is being or will probably be committed and this includes kidnapping or unlawful detention involving the infliction of grievous bodily harm.
MISA Zimbabwe position
The Executive’s access to private data of citizens, use and storage should be prescribed by law and through lawful procedures that are in line with international human rights frameworks.
MISA Zimbabwe, therefore, reiterates that the Interception of Communications Act, enacted in 2007, needs to be reviewed and aligned with the 2013 Constitution. The Act infringes on the exercise of rights and is not in keeping with international human rights standards through various aspects which include the following:
- Authorities may obtain warrants to intercept private communications through a process that is controlled by members of the Executive and not subject to independent scrutiny and oversight, whether from a judicial or other monitoring body or the public.
- The Act does not require authorities to notify individuals that they are or have been subject to surveillance and there are insufficient avenues for victims of unlawful surveillance to seek redress.
- The Act places wide-ranging duties on telecommunications providers to facilitate State surveillance.
- Key terms in the Act, such as “monitoring,” are not clearly defined, opening the door to abuse, especially in relation to the collection and analysis of metadata.
MISA Zimbabwe also takes note of the gazetting of the Cybersecurity and Data Protection Bill which seeks to put in place mechanisms for the protection of data in line with the Declaration of Rights.
Having noted the extensive involvement of the executive in surveillance issues, MISA Zimbabwe also reiterates its position in the analysis of the Bill, that the proposal to make Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ), the Cybersecurity Centre and Data Protection Authority, is inappropriate.
The conflation of these three institutions poses a dual crisis, with POTRAZ, on one hand, becoming the surveillance arm of the state while also having access to the large volumes of data collected by the Mobile Network Operators (MNOs) and Internet Service Providers (ISPs). This, therefore, compromises data protection and the right to privacy.
The proposed Bill should be reviewed to ensure that it is in keeping with the promotion of the right to privacy and data protection. A separate and independent body should also be set up to handle all cybersecurity issues, comprising stakeholders who advocate for internet freedom and protection of digital rights.
Where interception is required, there is a need for judicial oversight, protection of the metadata obtained and clearly laid out procedure on the retention of the metadata. Further, there should be parameters set on the scope of interception, rather than an open wide interception, similar to search and seizure powers, which are broad and open for abuse. In the absence of such safety nets, mass surveillance of citizens becomes a free reign for the ruling elites to abuse the vulnerable citizens. This is in violation of the constitution of Zimbabwe’s section 57, which states that: Every person has the right to privacy, which includes the right not to have:
- their home, premises or property entered without permission;
- their person, home premises or property searched;
- their possession seized;
- the privacy of communications infringed; or
- their health condition disclosed