Op-ed | South African ‘Spy Bill’ fails the democratic test on bulk surveillance
This piece by Jane Duncan was first published by Daily Maverick.
It is practically impossible to regulate these spying powers in ways that respect basic rights and freedoms, such as privacy. This is because governments set these centres up to collect communications indiscriminately. In other words, they treat everyone outside the country as a potential criminal suspect.
The 2023 General Intelligence Laws Amendment Bill introduced by the Presidency and relating to the State Security Agency (SSA) is welcome and, in fact, long overdue. It will disestablish the SSA, leading to it reverting to the old model of having separate foreign and domestic branches with their own directors general.
The existing structure is too open to abuse as it centralises intelligence in one agency and concentrates power in a super-director general, making it easier to capture for corrupt purposes.
However, while reducing opportunities for abuse by decentralising intelligence, the Presidency is introducing other opportunities for abuse through the bill. This is by expanding the scope of intelligence massively and failing to regulate and oversee the entities responsible for collecting intelligence adequately.
Nowhere is this failure more apparent than in the Presidency’s approach in the bill to the SSA’s most powerful spying capability, the National Communications Centre. To that extent, the bill fails the democratic test for intelligence.
The controversial National Communications Centre
The centre is run by the SSA and is responsible for bulk surveillance of foreign electronic signals (including communications) for intelligence purposes. From what little is known about it, the centre collects and analyses huge quantities of data from electronic signals on an untargeted basis.
In other words, the centre does not need to have a reasonable suspicion of criminality for peoples’ communications to be scooped up into a dragnet, which means that the dragnet extends to the communications of the innocent and guilty alike.
To that extent, the centre operates very differently from the surveillance undertaken in terms of South Africa’s main communication surveillance law, Rica (the Regulation of Interception of Communications and Provision of Communication-related Information Act). These capabilities can be used only if there is a reasonable suspicion of serious crimes having been planned or committed, and if it is the investigative method of last resort.
In March 2021, the Constitutional Court found that the SSA was running the centre illegally because there was no law establishing it and that they should shut it down until there was.
The bill is meant to address this problem and put the centre on a legal footing by including a section that establishes the centre and sets out its basic functions.
Despite having tried to keep a low profile for many years, the Centre has attracted public attention for all the wrong reasons. It has gone rogue in the past, when it was used to spy on South African politicians, members of the public service, journalists and businesspeople in around 2005.
A subsequent Commission of Inquiry, held in 2008 (called the Matthews Commission) found that the centre was most likely operating illegally and unconstitutionally as it did not have a founding law.
However, the Presidency’s belated attempt to legislate the centre back into being, and only once forced to do so by the Constitutional Court, is dangerously thin. Despite the State Security Agency having claimed that it benchmarked the bill internationally, this benchmarking is highly selective and shows no appreciation of the issues around bulk surveillance, its control and its oversight.
Rationale for bulk signals intelligence collection
Other countries have such incredibly powerful capabilities that use artificial intelligence and keyword search terms (or selectors) to trawl through masses of communication traffic. However, they are meant to use them for foreign intelligence purposes only, particularly for strategic intelligence where they identify longer-term threats to national security on a forward-looking basis.
The rationale intelligence agencies use for doing so is that they do not know what they do not know about looming threats outside their borders, as they lack the investigatory powers that they have inside them. This problem places them at a major disadvantage in detecting such threats until it is too late. They argue that this means they need to use the few investigatory methods at their disposal to do so, even if it means collecting huge volumes of information.
The problem is that it is practically impossible to regulate these spying powers in ways that respect basic rights and freedoms, such as privacy. This is because governments set these centres up to collect communications indiscriminately. In other words, they treat everyone outside the country as a potential criminal suspect.
In doing so, these governments adopt an Animal Farm-like approach towards protecting privacy, where those inside their borders are more deserving of privacy than those outside.
Selective benchmarking
One of the countries the presidency claimed to have looked at in benchmarking the bill is Germany. This is odd as they have ignored important recent developments around the regulation and oversight of bulk surveillance in that country.
Former National Security Agency contractor, Edward Snowden, showed – through the classified documents he leaked – how similar signals had been abused by intelligence agencies in the US and UK. In response to huge public outrage at this massive, unregulated state spying, there have been major moves globally to tighten up how they are regulated.
In 2020, the German Constitutional Court poked holes in the argument that foreigners should be granted weaker privacy protections than nationals. It ordered the government there to revise the law governing the foreign intelligence service, BND, and its bulk collection capabilities to respect the privacy rights of non-nationals. It also found that the grounds for bulk collection were not specific enough, which made proper oversight impossible, and special safeguards for the communications of journalists and lawyers were lacking.
The German Constitutional Court set out six areas the government needed to reform. These involved restricting the volume of data they intercepted and the geographical area covered by surveillance; restricting the transfer of this data to other entities such as foreign governments; retaining data for not more than six months; providing special protections for professional groups that require confidentiality of communications, such as journalists and lawyers; deleting data referring to the highly personal domain; and documenting these deletions to allow an independent oversight body to assess if they were minimising the data they were storing.
Basic safeguards
No legal benchmarking of any worth would be complete without including the principles that have become recognised internationally as the basic standards for strategic surveillance. Known as the “Weber principles”, after the applicant in the case, they were developed as far back as 2006 to prevent abuses.
These principles state that warrants authorising strategic surveillance should contain information on the nature of the offences which gave rise to the application; the categories of people likely to have their communications intercepted; limits on the duration of interception; procedures to be used for examining, using and storing information; precautions to be taken when communicating intercepted information to third parties, and the circumstances in which information may be erased or records destroyed.
These principles imply that the bases of surveillance should be spelt out in a law authorising signals intelligence, which should also be accessible and not buried in secretive, subsidiary regulations. Decisions about surveillance should be taken by an independent body, leading to bulk warrants being issued, preferably by a judge.
The law must state that the duration of the operations should be limited, although bulk surveillance is typically of longer duration than targeted surveillance.
Other safeguards under discussion globally include legislation insisting on bulk warrants containing information on the following:
- The fibre-optic cables that are going to be intercepted
- The expiration dates for particular intelligence operations
- The private entities that will be involved in assisting (if any)
- The search terms or selectors to be used, or if they cannot all be identified in advance, after-the-fact notification of the judge (a feature of the Swedish system)
- Notification of surveillance subjects when individuals become targets (also a feature of the Swedish system and now a requirement in South Africa for Rica intercepts)
- Limitations on the number of people who have been in direct communication with the surveillance target, or the number of “hops” out from the target
- The geographical zones or organisations or groups of people to be placed under surveillance
- Issuing different warrants for the different stages of the signals intelligence process
- Setting quotas for methods used to collect data, to prevent overuse of the most invasive methods
Disappointing shortcuts
The bill is paper thin on the centre’s powers and functions, and there is no real evidence of the Presidency having considered similar safeguards.
On the upside, the bill does provide for a judge to authorise bulk surveillance (not always the case in other jurisdictions), supported by interception experts appointed by the minister. However, the bill does not provide details on the bases the judge will use to make decisions.
This is a concern, as the judge is a presidential appointment, which is remarkable as the Constitutional Court criticised executive involvement in the appointment of the Rica judge, so presumably, the same standard should apply to this judge too.
A judge that takes decisions on even more invasive capabilities than what Rica provides for, should be at least as, and preferably even more, independent than the Rica judge.
The drafters do not seem to have read the Constitutional Court judgment carefully enough. It gave some indication that it would be looking for a bill that sets out “… the nuts and bolts of the [centre’s] functions”, and spells out in “… clear, precise terms the manner, circumstances or duration of the collection, gathering, evaluation and analysis of domestic and foreign intelligence”.
Echoing the Weber principles, it would also be looking for detail on “… how these various types of intelligence must be captured, copied, stored or distributed”.
In fact, to say that the Presidency is attempting an unacceptable shortcut in legislating the centre into being is an understatement.
The Constitutional Court pointed out that the SSA’s general mandate set out in the 1994 National Strategic Intelligence Act does not authorise the centre to conduct bulk surveillance as it is too ambiguous, as the agency had claimed in its responding affidavit at the time.
This mandate, set out in the 1994 Act, gives the SSA the powers to “… gather, correlate, evaluate and analyse relevant intelligence to identify any threat or potential threat to national security”.
Yet despite this criticism, all the Presidency has done is taken that very clause, in all its inadequacy, and copied it into the new bill, subject to the caveats around the judge and experts.
In other words, to all intents and purposes, the government has merely restated the very position the Constitutional Court criticised it for.
The appointment of experts to assist the judge does not address the notorious “ex parte” problem which the Constitutional Court identified as a major weakness of Rica – namely that the judge only gets to hear the applicant’s side of the story. In contrast, in the Swedish system, their foreign signals intelligence court has a Privacy Protection Representative.
Overbroad definitions
The most serious problem with the bill is that it amends basic definitions to broaden the scope of intelligence to the point where intelligence risks losing its distinctiveness when compared to other forms of information collection, research and policymaking.
All manner of issues could potentially be handled by the SSA if certain definitions are broadened, leading to a dangerous and secretive intelligence overreach into more and more areas of open government.
This risk is made worse by the fact that the only limitation placed on the type of foreign intelligence the centre should collect is that it should be relevant.
For instance, the bill defines foreign intelligence – which the centre is meant to confine itself to – as “… any external threat or opportunity or potential opportunity or threat or potential threat to national security”. The inclusion of opportunities, in addition to threats, is so broad and covers so many areas of policy – whether related to national security or not – that intelligence risks becoming everything and nothing.
This overbreadth is repeated in the definitions of domestic intelligence, national security intelligence and intelligence collection. Once intelligence mandates include opportunities and interests, including economic interests, then all manner of abuses become possible and, in fact, likely.
South Africa is not alone in attempting to expand its definition of intelligence, especially for strategic purposes.
More governments want their agencies to provide what would, in spy-speak, be described as improved situational awareness of the world, but which could be boiled down to spying on what other countries are doing to gain competitive advantages.
As they are given more and more tasks, agency mandates have become more nebulous in terms of what they focus on and forewarn policymakers about and create powerful incentives for spies to aid and abet corrupt crony capitalism. Mandates broadened in this way have become major drivers of global espionage and spying for profit.
For instance, companies attempting to obtain decision advantages over their competitors can try to bribe spies for intelligence. There is little in the agency’s recent history that tells us that all its spies will resist such temptations.
The upshot of these broad definitions and weak controls and oversight, is that the Presidency will have the most powerful spying capability in existence at its disposal, with few meaningful checks and balances.
Despite the disestablishment of the SSA and the reversion to the pre-2009 configuration of having separate domestic and foreign branches, the bill concentrates even more unchecked intelligence power in the hands of the President, which will be a gift to any future president who might harbour ill intent. The lack of futureproofing is disturbing.
No basis for foreign signals intelligence
In the wake of the Edward Snowden revelations, there have been major disagreements internationally on whether bulk surveillance should ever be legally permissible.
Gradually, though, more judgments are emerging that recognise bulk collection as a viable intelligence method, including the German judgment on the BND Act.
However, two points need to be made about this important question of principle:
The first is that the entire edifice of bulk surveillance rests on the ability of intelligence agencies to prove that what their signals intelligence agencies are collecting is, in fact, foreign and not local communication. Otherwise, they would not be able to sustain the argument for such invasive powers.
But how does one separate foreign and domestic communications in an era of globally connected communications, when people send, store and receive communications on foreign servers all the time?
In an admission that is fatal for the centre’s continued existence, the agency admitted in its answering affidavit that it had no way of distinguishing between foreign and local signals when it conducted bulk interceptions.
In other words, on the SSA’s own admission, there is no basis for a law to assign weaker protections to foreign communications than local communications. This is precisely what the bill is attempting to do relative to Rica.
Basic democratic decision
The second point is that, quite apart from the legal position and developing safeguards, there is a basic democratic decision that citizens need to take about what powers citizens want their spies to have, bearing in mind that spies the world over almost always want more powers.
Citizens need to decide whether it can ever be politically acceptable for their government to have a spying capability where no one can have a reasonable expectation of privacy at any point, which risks destroying so much of our social fabric.
This question is even more important for Global South countries. The Snowden disclosures showed how the major surveillance powers, led by the US and UK, used their signals intelligence alliance, known as the Five Eyes alliance, for reasons that extended far beyond global security.
The disclosures detailed how the alliance spied on African businesspeople, politicians and social movements to gain trade advantages, secure their economic interests on the continent and marginalise African countries even further.
Global South countries such as South Africa face stark political choices in how to respond. One choice is to build capabilities to rival the Five Eyes alliance, and this will probably have to involve using economies of scale that intelligence cooperation provides.
This may well result in an alternative alliance through the BRICS club. The long-term democratic implications of pursuing this option are too chilling to contemplate and must be resisted.
The other choice is to campaign for these capabilities to become politically unacceptable the world over. Signals intelligence surveillance is a weapon that comes out of a military environment, particularly the code-breaking of World War 2.
The long-term democratic solution to weaponisation has never been to engage in an arms race and weaponise further, but to demilitarise. Such is the case with signals intelligence surveillance too.
The implications of these two arguments are quite simple.
There is no basis for the National Communications Centre to resume operations. It was shut following the Constitutional Court judgment and should remain shut.
Any foreign-focused surveillance should be dealt with through the Rica process. Defensive cybersecurity functions can easily be assigned to another entity. DM
Jane Duncan is a Professor of Digital Society at the University of Glasgow and a holder of a British Academy Global Professorship. This article is an output of an eight-country surveillance research project titled, ‘Public oversight of digital surveillance for intelligence purposes: a comparative case study analysis of oversight practices in southern Africa.’ This research project is supported by the British Academy’s Global Professorship Programme, through the School of Social and Political Sciences at the University of Glasgow.