Ripe for surveillance abuse – Unpacking Namibia’s SIM card registration limbo

Frederico Links

Namibia is one of the last hold-outs on the African continent when it comes to mandatory SIM card registration, but indications are the country is now moving to officially operationalise such a system, even as the relevant sections of the enabling law remain in contention and state actors appear to be exploiting the partial legal vacuum.

After more than a decade of foot-dragging, Namibian authorities now appear set on formally operationalising a mandatory SIM card registration regulatory mechanism, despite a legal quandary existing.

The dilemma is that Part 6 (Interception of Telecommunications) of chapter five of Namibia’s Communications Act of 2009 has not been gazetted and operationalised to date – more than a decade since the passing of the law and nine years since the operationalising of most parts of the law in 2011 – to enable lawful communications interception and monitoring by state intelligence and law enforcement agencies.

African anomaly

It should be noted that Namibia is an outlier.

According to a June 2019 report of international non-governmental privacy rights group Privacy International (PI), by the start of 2019 about 150 countries worldwide had mandatory SIM card registration systems in place, while 34 countries did not, and a small handful fell somewhere in between. Namibia is one of these in-betweens – having a law prescribing mandatory SIM card registration, but not using it officially.

In Africa, according to another PI report from August 2019, out of 54 countries Namibia was one of only four countries without a legally operational SIM card registration regime.

In the post-9/11 world, mandatory SIM card registration has been hailed as a counter terrorism and crime-fighting must-have – along with increasing recent claims of such systems being a pre-requisite for enabling the effective rollout of all manner of e-services – by both democratic and authoritarian states alike.

Mandatory SIM card registration turns a mobile device (whether phone, tablet or router) into a personal tracking and surveillance device, by allowing telecommunications companies and state security agencies to access the personal communications data of individuals under cover of secrecy provisions.

Counter terrorism, crime-fighting and e-service rollout are the same justifications deployed by the Namibian state in its current push to operationalise mandatory SIM card registration measures in the 2009 Communications Act.

A March 2017 workshop, focused heavily on youth radicalisation, hosted by the Namibia Central Intelligence Service (NCIS) on “preventing and countering of violent extremism” had as one of its recommendations: “iv) There is a need to urgently implement the requirement for telecommunication service providers to register SIM cards against the name of owners.”

And in response to a February 2018 op-ed article, in which I questioned the legality and human rights dimensions of suspected state surveillance practices, the Ministry of Information and Communication Technology (MICT) stated in a March 2018 media release: “The Government of the Republic of Namibia considered the issues surrounding the SIM Card Registration Regulation and is fully aware of the implications of the registration thereof. SIM card registration is not used for or intended for spying purposes but is an exercise that would assist in the curbing of fraudulent activities and crime investigations in order to gain access to private individuals [and] to gain call data records in personal and or legal disputes.”

These days child online safety has become an important cover for pushing for the operationalising of Namibia’s dormant SIM card registration mechanism. At a February 2019 stakeholder meeting labelled an ‘Industry Roundtable Discussion on Combating Online Child Sexual Abuse in Namibia’, which was a collaboration between MICT and the United Nations Childrens Fund (UNICEF), representatives of the United Kingdom’s (UK) National Crime Agency repeatedly emphasised the importance of a mandatory SIM card registration regime to strengthen law enforcement capacity to combat online child sexual abuse. During discussions, the Director of ICT Development in MICT, Linda Aipinge, said the regulations to enable the operationalising of the sections of the Communications Act dealing with SIM card registration would be completed in 2019.

But while all of these might be legitimate justifications for installing a SIM card registration system, there is, of course another, darker, side to how SIM card registration regimes are being used.

For as noted by the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) in its State of Internet Freedom in Africa 2019 report, released in September 2019: “While the commonly held view is that SIM registration is useful to prevent cybercrimes, attention is not paid to the potential of the use of the information for surveillance of key groups such as whistle-blowers, human rights defenders, the political opposition and the media.”

Ripe for abuse

In other words, SIM card registration regimes inadvertently – and advertently in many cases – open the door for unlawful, repressive and abusive state surveillance practices. And on a continent where such practices and tendencies have become somewhat normalised, PI stated in its August 2019 report that SIM card registration “can allow for a more pervasive system of mass surveillance of people who can access prepaid SIM cards, as well as exclusion from important civic spaces, social networks, and education and health care for people who cannot”. The report lays out examples of such practices on the African continent.

Perhaps the best example of the flagrant abuse of a mandatory SIM card registration regime to spy on journalists, civil society activists and political opposition figures is what was exposed during a successful challenge of the constitutionality of sections of South Africa’s Regulation of Interception of Communications and Provision of Communication-Related Information Act (RICA) by the amaBhungane Centre for Investigative Journalism. In its verdict in the case in September 2019, a South African high court declared key sections of the RICA Act unconstitutional, which could have far-reaching implications for state surveillance practices if upheld by the country’s Constitutional Court.

Also worth noting and muddying discussions further are lingering questions about the effectiveness of mandatory SIM card registration in crime-fighting and counter-terrorism.

The evidence seems rather mixed and underwhelming, for while mandatory SIM card registrations appear to have had some successes in bringing down paedophile rings in parts of Europe, it’s less clear that such systems are effective in general crime-fighting and counter-terror activities. And while such systems have been around on the continent for more than a decade, there is almost no evidence publicly available that emphatically makes the case of such systems being effective in crime-fighting and counter-terror activities in the African context.

And yet, as the amaBhungane case in South Africa illustrates, there is evidence of surveillance abuse – unlawful and politically motivated spying on journalists, civil society and political movements – enabled by mandatory SIM card registration regimes.

Such surveillance abuse, in the absence of a legally operational mandatory SIM card registration regime, could also already be a feature of Namibian state surveillance practices.

Problematic parts

In light of all this, the fact is that Part 6 of the Communications Act of 2009 is not operational.

Section 73 of Part 6 is the section that enables SIM card registration, obligating that “prescribed information is obtained from all customers” by mobile service providers in order to “make it possible to intercept the telecommunications of that customer”.

For most of the last decade the Namibian government has maintained that all that was needed to operationalise Part 6 was the gazetting of regulations.

In recent correspondence on this issue, MICT stated: “The Regulations have been finalized, certified by the Ministry of Justice and [are] ready for gazetting.”

As to why it has taken so long to finalise regulations, MICT stated: “When the Act was operationalized, this Part was not commenced at the time because Regulations needed to be developed in consultations with stipulated stakeholders as per the provisions of the Act. The main challenge is the preconceived mischaracterization created before and after the Act became operational that Part 6 authorizes interception.”

And MICT maintained that there was no intention to amend Part 6 of the law, despite longstanding constitutional concerns.

The issue of constitutionality arose even before the law was passed, and Namibian Ombudsman John Walters, with the constitutional mandate to investigate human rights violations, in a March 2020 discussion with me on this topic, noted that Part 6 had never been gazetted precisely because that part of the law was unconstitutional.

“In its current form it will not pass the test,” Walters said, adding that simply gazetting regulations would not suddenly make Part 6 constitutional.

The concern is that Part 6 would enable wholesale violation of the constitutionally enshrined right to privacy in the absence of adequate privacy safeguards.

Namibia does not have a data privacy protection law.

Back in 2009, when the communications law was still being debated in bill form, Walters in a submission before a parliamentary committee, stated of Part 6: “If the State is allowed to arbitrarily intercept our private correspondence, it will no longer be possible to strike a reasonable balance between the citizen’s right to privacy (to be left alone) and the right of the State to interfere in that right to pursue a legitimate objective, notably the need to combat crime and national security.”

Similarly, in a 2015 assessment of Part 6, Privacy International stated: “The obligation the Act places on telecommunications service providers to provide access to their systems and the data of their users without a court order violates the right to privacy. Furthermore, compelling service providers to build into their systems surveillance and monitoring capabilities threatens the integrity, security and privacy of communication systems.”

With this being the situation in Namibia in early 2020, the lawfulness of the conduct and practices of various state authorities and entities remains highly suspect, but Namibians for the most part appear oblivious to the lurking threat of surveillance abuse to their constitutional right to privacy.

Frederico Links is a Namibian journalist and researcher. This article was commissioned by the Media Policy and Democracy Project (MPDP), an initiative of the University of Johannesburg’s department of journalism, film and TV and Unisa’s department of communication science.

Related Posts