Across East Africa, Big Brother is watching your every move

The control room of CCTV cameras at Nateete Police Station in Kampala. PHOTO / ABUBAKER LUBOWA

What you need to know:

  • Concerns are growing about who else has access to people’s information, and how they are using it.

Motorists driving across any of the major roads in Uganda, or across the capital Kampala, will not fail to notice the white gantries overhead from which CCTV cameras hang, quietly observing and recording proceedings.
The first cameras went up around 2014 when Chinese telecommunications behemoth Huawei donated 20 units worth $750,000 to the Ugandan government.
When police spokesperson Andrew Felix Kaweesi was shot dead outside his house in a Kampala suburb in 2017, the government accelerated its surveillance plans. In 2018, authorities in Kampala signed a ‘safe city’ project with Huawei worth $126m. Today about 5,000 CCTV cameras keep an eye on movements across Ugandan roads, part of a ‘smart cities’ project pushed by Huawei across many countries.

Footage from the cameras flows through a network of dedicated fibre-optic cables to 11 monitoring centres, and into a $30 million data hub at the police headquarters in Kampala. Equipped with facial-recognition technology, the CCTV project is meant to improve safety by giving the police the tools to identify and solve crime.

“[The Uganda Police Force] has an existing contract with Huawei to install CCTV cameras countrywide as a measure to strengthen law and order,” police spokesman Fred Enanga said in a statement when the project was launched. “The cameras are already transforming modern-day policing in Uganda, with facial recognition and artificial intelligence as part of policing and security.”
Footage from the CCTV camera project has been used to identify suspected criminals and solve some crimes. But apart from reports of police officers selling incriminating footage to criminals, concerns are growing about who else has access to this information, and how they are using it.

Uganda is just one of the countries in the region ramping up surveillance of public spaces. Kenya has, since 2015, had a Huawei-supplied surveillance network of 1,800 cameras and 195 monitoring centres across Nairobi and major roads. In 2019, then-President Uhuru Kenyatta signed a plan in which Huawei would expand the project to include a $173m data centre and surveillance hub in Konza City. The company has also supplied and installed similar surveillance infrastructure to Zambia, Egypt, Pakistan, Rwanda, and Algeria, among others.
African countries also known to have similar surveillance projects include Nigeria, Equatorial Guinea, Morocco, and Zimbabwe.
There are growing concerns, however, that these projects, which combine video surveillance, internet monitoring and mobile phone metadata collection, are giving the government the ability not just to go after criminals but also to illegally spy on and monitor political opponents, activists, and journalists.

A digital bounty
As more interactions between individuals, private firms and governments move to digital spaces, citizens are creating ever bigger pools of personal data online. In addition, regulatory requirements such as SIM card, national ID, and other biometric-data registrations are making this data ever more personalised and traceable to individuals.
The privacy of this information in an increasingly digital age is key to allowing individuals to exercise their freedoms of expression, information, assembly and association. In countries with repressive regimes, the ability of citizens to communicate anonymously is essential to the enjoyment of these freedoms, and to their personal safety.
Yet the expansion of personal digital data that is identifiable to individuals makes it easier for governments and private contractors to pinpoint, mine, and exploit that data, sometimes for the wrong reasons.

In August 2019, the Wall Street Journal (WSJ) newspaper reported that Huawei’s employees had personally helped African governments, including Uganda and Zambia, spy on political opponents by intercepting encrypted communications and social media conversations. They also used cell tower data to track the opponents’ whereabouts and facilitate their arrests.
In Uganda, the newspaper reported that government officials had tried and failed to intercept encrypted communications between musician-turned-politician Bobi Wine and his allies ahead of a concert, before turning to officials of the Chinese firm.
“The Huawei technicians worked for two days and helped us puncture through,” the WSJ quoted a senior Ugandan surveillance official. After the Huawei engineers used spyware to penetrate Mr Wine’s WhatsApp chat group, security nipped in the bud his plans to organise street rallies by arresting him and many of his supporters.

Huawei is ubiquitous given its spread of influence and infrastructure, but it is not the only firm helping governments violate the digital privacy of their citizens. Around 2012, the Ugandan government booby-trapped the public Wi-Fi networks of hotels around Kampala using FinFisher, spyware sold to it by Lench IT Solutions/Gamma Group, a British-German firm.
According to Amnesty International, which tracks the spyware, FinFisher is also known to have been deployed in attacks on politicians, human rights defenders and journalists in other countries, including Ethiopia, Egypt, the United Arab Emirates, and Bahrain.
Of all the spyware whose deployment has been made public, the most insidious appears to be Pegasus, developed by the Israeli firm NSO Group, which can be injected into a target phone by text or WhatsApp.

First uncovered in 2016, Pegasus had, by 2018, been traced to at least 45 countries, according to the Citizen Lab—a technology and global affairs think tank at the University of Toronto. These included Algeria, Egypt, Ivory Coast, Kenya, Morocco, Rwanda, South Africa, Togo, Uganda, and Zambia.
“At least six countries with significant Pegasus operations have previously been linked to abusive use of spyware to target civil society,” Citizen Lab noted. “Pegasus also appears to be in use by countries with dubious human rights records and histories of abusive behaviour by state security services. In addition, we have found indications of possible political themes within targeting materials in several countries, casting doubt on whether the technology is being used as part of ‘legitimate’ criminal investigations.”

State intelligence agencies were using Pegasus not only to spy on their own dissidents but also to spy on senior political and military officials from other countries. In December 2021, it was revealed that Ugandan security agents had used Pegasus to spy on journalists as well as 11 US diplomats.
Sometimes, the vacuuming up and exploitation of data is at a continental level. In 2018, the French newspaper, Le Monde, revealed that servers in the Chinese-built African Union (AU) HQ in Addis Ababa, Ethiopia, had been configured to upload data from listening devices across the building to servers in Shanghai. Both the AU and representatives of the Chinese government denied the report.

Legal loopholes
Protections for digital data go back at least two decades. European Union directive 95/46/EC required sufficient legal protections to be in place before any transfer of personal data to developing countries.
International law has since evolved to recognise the importance of, and provide safeguards for, the protection of personal data and digital rights. The International Covenant on Civil and Political Rights and the Universal Declaration of Human Rights provide for the right to privacy. Article 9 of the African Charter on Human and Political Rights requires state parties to protect and promote citizens’ digital rights.
The closest to a model law for the continent is the African Union Convention on Cybersecurity and Personal Data Protection, but it has been ratified by only 13 of 55 countries. Of the seven EAC member states, only Rwanda has ratified it.
About one in two African countries have enacted privacy laws and policies. But these are often countermanded by parallel laws that make state surveillance and the collection of biometric data easier, and that limit the use of encryption for more secure communications.

As a result, threats to data privacy are evolving faster than regulations to safeguard the right to privacy, argues Juliet Nanfuka of the Collaboration on International ICT Policy for East and Southern Africa (Cipesa), an ICT think tank.
For instance, even as countries put in place data privacy laws, laws permitting interception of communications by state agencies in Benin, Cameroon, Chad, Ivory Coast, Malawi, Mali, Niger, Nigeria, Rwanda, Senegal, Tanzania, Togo, Tunisia, Uganda, Zambia, and Zimbabwe require communication service providers to be able to hand over any communications. In some cases, the service providers are required to be able to decrypt and hand over unencrypted data.
In November, Tanzania became one of the latest countries to take a step forward towards safeguarding digital privacy when its Parliament passed the Personal Information Protection Bill. It joined Kenya and Uganda, fellow EAC members that have already passed data privacy laws and rolled out regulations, including data protection officers, to make them operational.

Teething problems
Implementing data protection and privacy laws isn’t always straightforward. The Kampala-based Unwanted Witness, an NGO, and the Center for Intellectual Property and Information Technology Law at Kenya’s Strathmore University, analysed data policies and practices of half a dozen private companies in each of the two countries.
They found that many firms still rely on voluntary disclosures, not compliance with the law. Some of the companies assessed did not indicate what data is collected, why, how long it is kept, and how people can access, amend or erase their data held by such firms.

All the companies assessed scored zero percent on accountability because they did not publish transparency reports to answer these questions about the data they collect, which is good industry practice.
“For data controllers or processors to be entrusted with handling personal data they must illustrate capacity to comply with the applicable laws in the countries,” the joint report by the two organisations noted. 

“The rights of a data subject should be adequately provided for in the companies’ privacy policies so that they can feel comfortable when sharing their personal data. This should not be taken as a matter of charity but a legal obligation.”

Recommendations for private firms
  • Companies should be mandated by law to adopt privacy policies that conform to the data protection legal frameworks.
  • Companies that process users’ personal data should be transparent about their practices and inform users about how they handle their personal data through a prominently displayed and sufficiently noticeable privacy policy.
  • Companies should include in their privacy policies detailed and easily understood information that specifies the type of data being collected, the duration of data storage, contact information, and the rights of the data subject.
  • Data transfers to third parties must be mentioned in the privacy policy to ensure that the data transferred between the company and a third party, where the transfer is necessary, is secure, that the data subjects are informed, and that the purpose and parameters are adequately explained.
  • The policy should outline physical, technical, and procedural safeguards that comply with applicable legal and technical standards. The robust security measures outlined should correspond with actual security procedures.
  • Businesses must publish transparency reports to indicate their compliance with data protection regulations.