On 3rd November this year, I attended a master class facilitated by Privacy International and subsequently a panel discussion on private-public surveillance partnerships during the fast-growing Pan-Africa Privacy symposium-Privacy symposium Africa, organised by Unwanted Witness and hosted by Strathmore University-Nairobi.
Throughout the discussion, the issues of accountability, and transparency in such partnerships came through; states deploying surveillance tools were implored to make partnership agreements accessible to the members of the public, for two reasons, one, the legitimate privacy concerns stemming from the questions of why and how arguably private information is obtained, managed and safeguarded against abuse, two, the argument that public funds spent on such partnerships make them matters of public interest and therefore, the public has a right to access information including the partnership agreements.
These are very sound arguments, but states, including Uganda that have procured mass surveillance tools like Cellebrite's UFED, and facial recognition-enabled CCTV cameras for example, have ‘hidden’ the agreements under the pretext of security.
Further, there are several other surveillance and spyware tools procured with the sole purpose of conducting clandestine surveillance activities on human rights activists, journalists and political dissidents and no matter the advocacy for accountable and transparent deployment of these tools, repressive states procuring and deploying them will not heed.
Whereas some states outside some repressive regimes in Africa have the capacity to develop these tools, evidence is still on the (potential) victims’ side that most of the states like Uganda deploying these surveillance tools have not yet acquired the technical capacity to develop them, therefore, they have to bank on private companies based in Europe and Asia.
Some regional blocks have taken remedial steps in the form of regulation. European Union with 27 member states out of 50 countries, has come up with a legal framework that flags the exportation of these surveillance tools commonly known as dual use tools (for their character of being able to be used for both legitimate and illegitimate purposes) through the European Union’s Dual Use Regulation aimed at preventing human rights harm resulting from digital surveillance by establishing export controls for surveillance technology exported by EU-based companies, but it must be noted that almost 23 European countries are not parties and not bound by this agreement.
This, and the fact that the rest of the regional blocks do not have an equivalent policy framework and standards, are a setback to the fight-back against dual use surveillance tools in human rights abuse in repressive governments.
The absence of a normative framework is not to say exacerbates the deployment of these tools; even the European member states have not gone hard on the exportation of these tools, for example, since the military junta took over power in a coup in Myanmar on 1st February 2021, it is reported to have used military-grade surveillance technology, such as surveillance drones, phone cracking, and computer hacking software, from Western companies, to track citizens and steal data despite restrictions on their export and use.
The result has not only been unjustifiable stifling of basic freedoms and human rights, but also enhanced architecture for state violence against citizens. Therefore, while the EU has taken important steps to improve how member states deal in dual-use technologies, in general, countries are not bound by dedicated international rules to stop domestic companies from selling this kind of tech to repressive regimes.
Like European companies, it has been reported that Asian tech companies are exporting artificial intelligence surveillance tech to dozens of countries like Uganda, fueling digital authoritarianism. For example, during the November 18th and 19th demonstrations against the arrest of Robert Kyagulanyi Sentamu aka Bobi Wine, surveillance tools like CCTV cameras were used to target both legitimate and illegitimate demonstrators on the streets of Kampala, just a month before the foregoing, a drone had been captured hovering over his home in the middle of the night.
On February 24, 2022, Gen Muhoozi Kainerugaba posted a video of the Hermes 900 MALE drone, which is part of a two-dozen haul reported to have been supplied in 2019 from Israel. Whereas these tools are acquired for military purposes, our intelligence security’s antecedents indicate that these tools are capable of being deployed on private citizens.
Other surveillance tools including Cellebrite's UFED and Pegasus, designed to sneak into a user’s phone and give the invader access to its contents without being detected are reported to have been procured and used by the government. Most of the foregoing tools operate after and under unconscionable procurement, deployment and management terms.
Where is the solution?
The solution is in the continental bodies like the African Union and international bodies like the United Nations designing continental and international binding standards regulating the development, procurement, deployment of these Dual-Use surveillance tools under the international human rights legal framework however much the framework predates most of the sophisticated surveillance technologies.
The lack of binding international regulations on surveillance technology is a serious problem, as without clear rules—and international coordination on their implementation—it is likely that abusive governments will continue to acquire and abuse the technology.
The author is a digital rights and cyber law lawyer and works at Unwanted Witness