Pegasus Spyware is just the tip of the surveillance iceberg
State surveillance of citizens extends far beyond Pegasus spyware, the software developed by the Israeli surveillance firm NSO Group. There is a multi-million-pound global market in which companies compete to profit from helping states to illegally spy on their own citizens.
Rightly there has been shock and outrage globally as citizens learn that their governments are buying Israeli malware to hack the mobile phones of political opponents, judges and journalists. But the revelations have not come as a surprise to the members of the African Digital Rights Network (ADRN), who earlier this year discovered disturbing examples of surveillance technologies being used by the state against its citizens in every one of the ten countries in Africa we studied.
Citizens in every country are guaranteed the right to private communication in their constitutions, domestic laws, and in international conventions that their government has signed up to. The use of bulk interception and mass surveillance technologies, scanning mobile phone messages, hacking encrypted communications, and intercepting internet traffic in attempts to close down civic space and suppress opposition, is a clear breach of these rights. Yet, governments routinely sign export licences for companies in their country to assist in illegal activity in other countries. On occasion providing staff to help states perpetrate crime and violate citizen’s rights.
The Pegasus malware was used to hack phones in four of the countries that we studied: Egypt, Kenya, South Africa and Zambia. The Citizen Lab investigation found Pegasus used in many more. However, evidence from ADRN reports shows that Pegasus software is just one product in a booming commercial market in surveillance technologies and services to enable states to illegally spy on their own citizens.
We found many others, such as the Italian company Hacking Team that supplied similar mobile phone intercept technologies to the governments of Uganda and Sudan (despite sanctions against Sudan) and the UK/German company FinSpy sold spying software to the government of Egypt and Ethiopia.
The majority of the countries that we studied as part of the ADRN Digital Rights Landscape reports were also buying artificial intelligence-enabled mass surveillance technologies from the USA or China. China and the US supply surveillance technologies to many African countries including Nigeria, South Africa, Sudan, Egypt, Cameroon, and Zambia.
China is ahead in this market providing total surveillance infrastructure solutions including “safe city” CCTV and facial recognition solutions complete with soft loan financing. Similar systems are also available US companies IBM, CISCO and Palantir and from European vendors from France, Germany and Israel.
The Chinese company Cloudwalk is supplying facial recognition technology to the state in Zimbabwe. Companies from Israel and Italy are providing mobile hacking tools. And Cambridge Analytica type political marketing companies help states to use Facebook surveillance data to manipulate elections.
The Kenya country report documents funding from the US and China to build mass surveillance infrastructure (Nyabola 2018) and the intervention of Cambridge Analytica in Presidential elections. In South Africa another UK company, Bell Pottinger, used social media bots to foment ethnic hatred on social media.
The Zimbabwe report revealed that while Mugabe was still in office he received a ‘gift’ of monitoring and surveillance technology from Iran that included mobile phone scanners, enabling his government to intercept citizens’ private communications and locations.
To extend their ability to spy on their citizens all of the African governments that we studied had made the registration of mobile phone SIM cards compulsory. Many had enacted laws requiring mobile phone and internet companies to save all mobile communication data to enable state surveillance, and there is also evidence of states buying technologies to enable internet shutdowns in specific districts and of particular platforms (Taye 2020).
All surveillance is a violation of human rights. We allow legal surveillance only in narrowly targeted instances to prevent the most serious crimes. Surveilling political opponents, journalists, judges or peaceful campaigners is illegal whoever it is carried out by. The selling of spy technologies to violate citizens’ rights must be made illegal with jail terms for the executives of offending companies.
To end state spying on political opponents and citizen activists we need to raise public awareness about privacy rights and digital rights. Building advocacy and legal capacity is necessary to challenge surveillance in constitutional, international and domestic courts and expanding knowledge about anonymisation and encryption technologies that mitigate risks (e.g., VPNs, Tor and Signal).
Unfortunately, relatively little is known about the use of surveillance technologies outside of North America and Europe. And there is currently insufficient capacity in civil society to effectively monitor, analyse, and effective end illegal surveillance and violation of rights.
The African Digital Rights Network is continuing to address these issues and is close to completing a review of existing surveillance laws in six African countries. In 2022 the network is planning to begin research by activists, lawyers and researchers in 14 countries to learn more about the drivers, tactics and technologies of state surveillance.
This blog was first published in the IDS website here.