Honourable Advocate Jacob Mudenda
Speaker of the National Assembly
Parliament of Zimbabwe
Nelson Mandela Avenue
RE: CONCERN OVER THE ACQUISITION, DEPLOYMENT AND USE OF SURVEILLANCE TOOLS IN ZIMBABWE
MISA Zimbabwe writes to you to express its concern over the acquisition, deployment and use of surveillance tools in Zimbabwe, which use has continued over time, in the absence of adequate and clear data privacy legislation and mechanisms
MISA Zimbabwe raised such concerns earlier in 2018, following reports of undefined facial recognition equipment that was reportedly acquired from China, and the cybersecurity equipment that Japan had pledged to Zimbabwe.
More recently, two reports have emerged indicating that Zimbabwe is a customer of Circles, a surveillance firm that reportedly exploits weaknesses in the global mobile phone system to snoop on calls, texts, and the location of phones around the globe.
Circles is also reported to be affiliated with NSO Group, which develops the often abused Pegasus spyware. Circles, whose products work without hacking the phone itself, says they sell only to nation-states.
MISA Zimbabwe is therefore concerned not only with the use of such tools in the absence of substantive cybersecurity and data protection legislation in Zimbabwe but also with the lack of transparency around the acquisition of this cybersecurity equipment and the conditions under which it is sold to Zimbabwe.
The lack of transparency and information around these deals is against the spirit of good governance and basic principles governing public administration as enshrined in Sections 9(1) and 194(1)(f) and (h) of the Constitution.
MISA Zimbabwe thus urges Parliament to exercise its oversight function by examining how the acquisition and use of unspecified surveillance equipment will influence or curb the lawful enjoyment of the fundamental rights to privacy and free expression.
MISA Zimbabwe notes the importance of promoting national security, and with the increase in the uptake of ICTs, the need to promote cybersecurity. However, such interventions should be informed by a human rights approach, respect of the Constitution and the declaration of rights, espoused therein, and as provided for in terms of Section 44 of the Constitution.
Section 57 of the Zimbabwean Constitution guarantees the right to privacy which right includes the privacy of communications. This right, therefore, also protects citizens from excessive and unjustified State surveillance.
Any limitation of this right should be guided by Section 86 of the Constitution.
The section states that fundamental rights and freedoms may be limited in terms of a law of general application. This is to the extent that the limitation is fair, reasonable, necessary and justifiable in a democratic society based on openness, justice, human dignity, equality and freedom.
It is therefore MISA Zimbabwe’s hope that in the exercise of its mandate, Parliament will inquire into any acquisition or use of surveillance technologies in Zimbabwe to ensure that they are in keeping with the Constitution and the duty to protect, promote and respect human rights.
Further, MISA Zimbabwe also notes with concern the continued operation of the Interception of Communications Act together with its provisions that infringe on the right to privacy.
The Act legitimises surveillance but does not have any oversight mechanisms that prevent over-surveillance and extra-judicial surveillance.
MISA Zimbabwe, therefore, reiterates its long-standing position that the Interception of Communications Act, needs to be reviewed and aligned with the 2013 Constitution.
The Act infringes on the exercise of rights and is not in keeping with international human rights standards through various aspects which include the following:
• Authorities may obtain warrants to intercept private communications through a process that is controlled by members of the Executive and not subject to independent scrutiny and oversight, whether from a judicial or other monitoring body or the public.
• The Act does not require authorities to notify individuals that they are or have been subject to surveillance and there are insufficient avenues for victims of unlawful surveillance to seek redress.
• The Act places wide-ranging duties on telecommunications providers to facilitate State surveillance.
• Key terms in the Act, such as “monitoring,” are not clearly defined, opening the door to abuse, especially in relation to the collection and analysis of metadata.
MISA Zimbabwe, therefore, calls on Parliament to also institute discussions relating to the alignment of the Interception of Communications Act with the Constitution.
The recently gazetted Cybersecurity and Data Protection Bill also has provisions that entrench surveillance as well as its failure to establish an Independent Data Protection Authority and the authorisation of the use of remote forensic tools such as keystroke loggers.
The proposed law seeks to allow for the use of far-reaching technologies without any provision for judicial oversight. There is also no procedure at all relating to how this technology may be used and which state security agents may use it.
In that regard, MISA Zimbabwe is kindly requesting Parliament’s attention to these developments and the potential impacts of the Cybersecurity and Data Protection Bill as it debates the Bill. MISA Zimbabwe also calls on Parliament to be guided by international standards and best practices.
Principle 41 of the Revised Declaration on Principles of Freedom of Expression and Access to Information in Africa of the African Commission on Human and Peoples’ Rights (ACHPR), provides as follows:
1. States shall not engage in or condone acts of indiscriminate and untargeted collection, storage, analysis or sharing of a person’s communications.
2. States shall only engage in targeted communication surveillance that is authorised by law, that conforms to international human rights law and standards, and that is premised on specific and reasonable suspicion that a serious crime has been or is being carried out or for any other legitimate aim.
3. States shall ensure that any law authorising targeted communication surveillance provides adequate safeguards for the right to privacy, including:
i. the prior authorisation of an independent and impartial judicial authority
ii. due process safeguards
iii. specific limitation on the time, manner, place and scope of the surveillance
iv. notification of the decision authorising surveillance within a reasonable time of the conclusion of such surveillance
v. proactive transparency on the nature and scope of its use; and
vi. effective monitoring and regular review by an independent oversight mechanism.
It is therefore MISA Zimbabwe’s hope that the concerns we raise, by virtue of this letter, will actively be considered by Parliament and that effective mechanisms to address them will be put in place.
We, therefore, reiterate that through your good office, you kindly facilitate for the following actions:
• That Parliament probes the acquisition, deployment and use of surveillance tools in Zimbabwe through summoning the relevant authorities before the august house.
• Parliament institutes processes towards ensuring that the Interception of Communications Act (ICA) is aligned to the Constitution of the country; and
• The Cybersecurity and Data Protection Bill strikes a balance between security concerns and respect of human rights in line with best practices.
MISA Zimbabwe Chairperson