South Africans’ love affair with cellphones and the Internet is about to change in a profound yet subtle way: Big Brother will be sharing the fun.

If most South Africans thought the fall of apartheid signalled the end of spying and secret surveillance, they’re in for a shock: it’s becoming even more pervasive, and if anything, more difficult to detect.

From May 28, all fixed-line, cellphone and Internet service providers in SA will be required to provide tap-in links to state intelligence and law enforcement agencies that have a designated judicial warrant to eavesdrop. And these companies are expressly forbidden from telling their customers about it, or even how it is done.

State investigators will be able to secretly monitor the conversations, SMSs, e-mails and Internet meanderings of criminal and security suspects. And, as communications archives grow, they will be able to access records showing who the suspects communicated with, when and for how long — records that the law requires all service providers to keep for up to three years.

Telephone tapping stretches back to colonial and apartheid times, and in 1992 the Interception & Monitoring Act made phone tapping subject to judicial warrant. But that applied only to fixed-line, or ordinary telephone, communications.

The explosion of cellular and Internet technology since then has vastly expanded the possibilities for criminals. Using cellular mobility and the global spread of the Internet, drug lords, money launderers and terrorists are having a field day. As a result their pursuers, the law enforcement and intelligence agencies, are taking the same route.

Security agencies in SA began an extensive review of their capabilities in the mid-1990s. A committee under senior justice official Vusi Pikoli (now national director of public prosecutions) and later telecoms chief officer Andile Ngcaba (now chairman of Dimension Data) recommended a complete overhaul of the intelligence infrastructure. The upshot was a flurry of new intelligence legislation — and the establishment of new signals interception organisations — in the early 2000s.

So, should South Africans feel more secure with all of this newfound Big Brotherly attention? Or should we be more concerned that it may violate our right to privacy? The answer lies somewhere in between.

It’s probably true that the vast majority of law-abiding cellphone and Internet users will never come under intrusive state scrutiny. But it’s also likely they would never know if they did; that some innocent social interaction or business transaction of theirs had attracted the beady eye and hairy ear of state surveillance. And what if such perfectly legal activities ran contrary to government policy or desires? How could these law-abiding citizens be sure they would never be subjected to state harassment — if only subtly, such as a snap tax audit or inexplicable exclusion from government business?

On the other hand, one must ask whether the state can afford not to equip itself with the powers and accoutrements of modern surveillance. Most people agree that organised crime is one of the most serious threats to the country’s economy and people, and that government is duty-bound to fight it. Must they then try to prevent that government from arming itself with the tools of communication that criminals and terrorists use routinely to perpetrate their crimes?

Former intelligence deputy co-ordinator Dennis Dlomo, now seconded to a nascent intelligence committee of the African Union (AU), remarked in a 2004 discussion paper that the debate about intelligence in SA too often revolved around individual privacy and underplayed the right of society to individual and collective protection.

But there’s a thin line between surveillance for state protection and its misuse for the aims of a ruling party or powerful people. The recent disclosure that national intelligence chief Billy Masetlha (since fired) spied on important politicians, businessmen and others for political ends proves the relevance of such concerns.

That is why intelligence minister Ronnie Kasrils recently ordered the co ordinator of intelligence, Barry Gilder, to consider tighter controls on “political intelligence gathering” as he leads a review of intelligence operating procedures and policies.

Gilder is expected to present his review team’s recommendations to the minister in the next week or two. Ministry spokesman Lorna Daniels says Kasrils has promised to make the report’s findings public and release it to parliament’s joint standing committee on intelligence for open debate. He is also expected to broach the matter in his departmental budget speech on June 1.

Transparency and open debate is crucial for intelligence services to work effectively in a liberal democracy such as this, says security analyst Laurie Nathan, a researcher in the University of Cape Town’s and London School of Economics’ joint project on failed states.

Kasrils, himself, is a strong proponent of transparency and limited secrecy in state intelligence operations. In a 2004 speech he said one of the main challenges facing SA in the 21st century was to maintain “the fine balance between secrecy and constitutional rights and responsibilities of our citizens”.

Gilder says current intelligence legislation, policies and operating procedures are in line with the most sophisticated practices internationally: “I don’t know if the intelligence community can get any more transparent than it is.” But secrecy remains an “absolute necessity” for security services because their targets — organised criminals, smugglers and terrorists — operate clandestinely. Nevertheless, such secrecy has to be legitimately applied.

SA’s security services and oversight mechanisms have been harshly criticised by independent security analyst Kevin O’Brien In a September 2003 paper for the Geneva Centre for the Democratic Control of Armed Forces, O’Brien said that though the institutions of oversight and accountability of intelligence in SA “appear to be strong on the surface, upon further examination these can be found to be weak and problematic at best”.

Writing two years ahead of the Masetlha scandal, O’Brien pointed to “a total politicisation of the process” and intelligence agencies riven with distrust, not only between “old guard” and “new guard”, but between individuals formerly linked to rival liberation movements, “with both the intelligence product becoming politicised and the political leadership developing parallel but independent intelligence structures”.

But Nathan sees room for optimism in Kasrils’ decision to release the report of the intelligence inspector-general on the Masetlha affair. The question is whether government would have been quite so generous with the news if Masetlha had been acting in support of the Thabo Mbeki faction of the ANC instead of for rival Jacob Zuma.

To decide on the checks and balances in SA’s intelligence network, one has to know how it works. As the organogram above shows, the services are split between foreign and domestic operations. The SA Secret Services (Sass) is geared exclusively to foreign intelligence, with tentacles in more than 60 embassies abroad. The National Intelligence Agency (NIA) is focused solely on domestic affairs. The National Intelligence Co-ordinating Committee (Nicoc), currently under Gilder, pools the analysis of all intelligence services, from the Sass, NIA, police’s crime intelligence, military intelligence, the Scorpions and the Financial Intelligence Centre, which tracks money movements.

The most important sector, for this article, is the NIA, which contains the National Communications Centre (NCC) and two administratively linked, though separate, organisations, the Office for Interception Centres (OIC) and Electronics Communications Security (Comsec)

The NCC may be the most secretive arm of government. It does not even exist in statute, and the extent of its reach is classified. Its purpose is to monitor the bulk of communications signals entering SA through satellite and cable links from the outside world, and advise the minister on all signals intelligence procurement, management and direction.

The OIC, recently established and yet to begin work, will handle all domestic communications surveillance and serve as a conduit for judicial approval for all intelligence surveillance, and as the primary link to private-sector service providers.

Comsec, a parastatal, has the task of ensuring that all government communications are secure, encrypted and safe from outside interception. Comsec’s original brief was to wean itself away from state funding, since it earns income for its services on a cost-recovery basis. But CEO Taki Netshitenzhe (sister of government communications head Joel Netshitenzhe) says the organisation is still far from self-sustaining and that she can’t see it becoming so at this stage.

On the issue of privacy and state surveillance, South Africans should pay closest attention to the NCC and OIC.

The OIC’s task is to usher in and manage the new regime of cyber surveillance in SA. Based in the northern Johannesburg suburb of Sunninghill, where it will begin operating on July 1, it already has a staff of 32 and will grow to a maximum of about 40 people, says director Mike Sarjoo, former provincial head of national intelligence in Gauteng. Its network will expand over several years, he says, to include five or six regional interception centres, all linked to the OIC, making it easier for security and crime investigators to monitor suspects in remoter parts of the country.

All state security agencies — the police, defence force, Scorpions, NIA and so on — will be expected to channel their surveillance requests through the OIC. It in turn will channel all the agencies’ surveillance requests to a “designated judge”. If the judge approves a request and issues a directive, the OIC will pass on the order to the applicable communications service providers, who will begin the interception.

The OIC operates under the Regulation of Interception of Communications & Communication-Related Information Act (Rica) of 2002. It has taken four years to bring the act into force, as government had to build the necessary capacity, and negotiate regulations with service providers, Telkom and regulator Icasa.

The upshot is an 82-page set of directives detailing the responsibilities and duties of Internet and cellular phone companies, which was gazetted on November 28 last year. Even now, cellphone service providers are squeamish about having to snoop on their customers. Vodacom SA MD Shameel Joosub declined an interview with the FM, preferring instead to channel his replies to questions through a PR company. MTN’s regulatory affairs GM Graham de Vries deflected questions about how his company would carry out the monitoring, suggesting we ask “the relevant law enforcement agencies”.

Sarjoo was far more approachable, and even agreed to discuss his organisation’s work and purpose, though he would not discuss operational details.

The rationale for having an OIC, he says, is to co-ordinate surveillance by the plethora of security agencies, standardise procedures and prevent duplication or conflict of effort. “One of the intelligence community’s biggest problems is people’s perceptions that we are a threat,” he says. “We have to convince people that we are necessary.”

A key part of doing so, he says, is to ensure that all links with service providers and the public are secure and incorruptible. “The OIC’s integrity must be guaranteed. If we are unable to show clear signs of integrity, then we will be in trouble with the law. That’s why the legislation stipulates a clear reporting line to the minister for intelligence, and our annual reporting to parliament.”

Despite the legal safeguards, the ability of the state to tap into private communications is controversial because it is impossible to know what future governments may do with such powers, especially in times of national stress.

In the US, once the paragon of individual liberty, the administration of President George W Bush has reacted with paranoia to the September 11 2001 bombings. Security measures, such as the controversial US Patriot Act, based on a “paradigm of prevention” enunciated by US attorney-general John Ashcroft, have allowed the Federal Bureau of Investigation (FBI) to conduct unauthorised wiretapping of thousands of US citizens, on the pretext that they may pose a threat to national security.

The best that South Africans can hope for is that the legal safeguards in place for domestic interceptions — the new act and the requirement of prior judicial review, post facto oversight by parliament’s joint standing committee on intelligence and review by the inspector-general of intelligence (IG) — are sufficient to prevent the state from misusing its power.

The NCC remains the most contentious agency. It is not constrained by any statute and, according to IG Zolile Ngcakani, it was misused by Masetlha with apparent ease. He allegedly used his position as NCC head to slip the phone numbers of South Africans he regarded as “conspirators” into NCC computers and tap into private communications.

The NCC is not supposed to be used for domestic surveillance. “If the NCC encounters any domestic communications, it is supposed to flush that in accordance with the best international practice,” says Comsec’s Taki Netshitenzhe. The only safeguards for ensuring this are internal controls. Kasrils is certain to strengthen these after the Gilder team presents its recommendations.

The NCC itself has done little to dispel doubts. Attempts by the FM to interview the organisation’s acting executive director for this report were ignored; he did not even provide his name (he succeeds former head Manala Manzini, who has moved into Masetlha’s old position in charge of the NIA).

The intelligence ministry’s Daniels responded to questions directed to the NCC by explaining in an e-mail that its function was to conduct “bulk interception of foreign signals” and to serve as “an advisory structure to the minister for intelligence services on matters related to signals intelligence procurement, management and direction”.

“Our executive and oversight institutions have proven strong enough to expose any deviations or wrongdoing,” the statement said. Referring to the Masetlha affair, it said “measures have been taken to prevent such lapses in future, including criminal proceedings that may arise, and review on policies and operating procedures”.

As to how it is able to separate incoming signals from outgoing ones, to ensure it does not accidentally intercept domestic communications, the NCC refuses to comment on the grounds that the question is “operational”.

Such secretiveness seems excessive and counterproductive, especially in the light of what is already widely known about the NCC’s far bigger and intrusive counterpart in the US, the super-secret National Security Agency (NSA)

Like the NCC, the NSA does not monitor individual communications but is a bulk interceptor of signals entering the country. This it does with an array of sophisticated satellite receiver dishes located near key gateways for satellite signals traffic. It also taps in to fibre optic cable landing sites on the east and west coasts. NSA computers, programmed with key words and phrases, monitor the millions of signals passing through the ether each second, and divert suspect communications to analysis centres for inspection. The most suspicious are passed on the to the FBI or other intelligence agencies.

It is logical to presume that the NCC uses similar, though less elaborate, methods to monitor cable and satellite signals entering SA. More than half of all communications come in through submarine cables that land at Melkbosstrand near Cape Town (SAT 2 and 3 cables) and Mtunzini, north of Durban (the SAFE cable). Telkom also operates numerous satellite stations around the country, with international telecom traffic crossing the borders at several points. These too are natural NCC monitoring sites and, when the second network operator starts work, it will also be expected to provide NCC tapping points.

One reason for the controversy over secret surveillance in the US is that the NSA appears no longer subject to judicial oversight. After the Watergate scandal of the mid-1970s, the US congress subjected the NSA, and other intelligence agencies, to prior judicial consent; the NSA had to clear its surveillance requests through a secret court in the justice department.

But, after the 9/11 bombings, Bush secretly, and apparently in contravention of a criminal prohibition on domestic surveillance, abolished the need for the NSA’s judicial sanction. The agency is now reportedly passing up to 30000 interceptions a year to the FBI.

But it is one thing to collect reams of data, quite another to make sense of it. The New York Times reported recently that the FBI was being swamped with thousands of “leads” that go nowhere. This is a challenge for SA agencies, too, says Sarjoo, though our agencies do not have the capacity to collect anywhere near the volume of data accumulated by the NSA. “We can’t have good signals collection delivery without the analytical skills to sift through it,” he says.

Skills shortages that have undermined service delivery in local government and national governmental agencies, including the police and defence force, suggest that human capacity is a natural limitation also for SA intelligence services.

The security services budget nearly trebled from about R800m in 1998 to R2,4bn in 2001 — mainly because of the capital costs of setting up the NCC and expanding Sass’s operations into Africa and further afield. But in recent years, the budget has stagnated and even slipped back, to R2,2bn this year.

Nevertheless, if government were to come under political or economic pressure at some stage in the future, would it not stoop to the kind of excesses now being perpetrated by Washington? Would there be no temptation to use the NCC’s capabilities, or those of the OIC, to spy on political enemies at home ?

Sarjoo points out that the OIC’s system is rooted in established international practices, more specifically the European Telecommunications Standards Institution Countries such as Belgium and Holland also subscribe to those standards, which prescribe international standards for “lawful interception”. Sarjoo insists that such practices make the OIC system safe from “rogue” intercepts, thus securing the interests of cellphone and Internet users.

But what can South Africans do to ensure that their security structure remains strong enough to fight crime and terrorism but controlled enough to protect citizens’ rights? Strong oversight and transparency are only part of the solution; public opinion, and therefore the media, must also play a role.

The AU’s Dlomo accuses the SA media of almost ignoring the “historic overhaul” of the intelligence community. He has a point. But as Nathan says, “If the system is weak, or has gaps, we are all vulnerable.”

Inet-Bridge ||  Discuss this article