State surveillance of citizens reaches far beyond Pegasus

Published on 23 July 2021

Tony Roberts

Digital Cluster Research Fellow

The Pegasus spyware story is just the tip of the iceberg. Beyond the software developed by the Israeli surveillance firm NSO Group, there is a multi-million-pound global market in which companies compete to profit from helping states to illegally spy on their own citizens.

Rightly there has been shock and outrage globally as citizens learn that their governments are buying Israeli malware to hack the mobile phones of political opponents, judges and journalists. But the revelations have not come as a surprise to me and the other members of the African Digital Rights Network (ADRN), who earlier this year discovered disturbing examples of surveillance technologies being used by the state against its citizens in every one of the ten countries in Africa we studied.

The right to private communication

Citizens in every country are guaranteed the right to private communication in their constitutions, domestic laws, and in international conventions that their government has signed up to. The use of bulk interception and mass surveillance technologies, scanning mobile phone messages, hacking encrypted communications, and intercepting internet traffic in attempts to close down civic space and suppress opposition, is a clear breach of these rights. Yet, governments routinely sign export licences for companies in their country to assist in illegal activity in other countries. With reports claiming that some companies have even on occasion provided staff to help states perpetrate crime and violate citizen’s rights.

Out of the ten countries in Africa we studied, we found that the Pegasus malware was used to hack phones in four – Egypt, Kenya, South Africa and Zambia. This is also supported by the findings of the Citizen Lab investigation. However, evidence from ADRN reports show that Pegasus software is just one product in a booming commercial market of surveillance technologies and services to enable states to illegally spy on their own citizens.

We found many others, such as the Italian company Hacking Team, that supplied similar mobile phone intercept technologies to the governments of Uganda and Sudan (despite sanctions against Sudan) and indications that the UK/German company FinSpy sold spying software to the government of Egypt and Ethiopia.

Mass surveillance technologies globally

The majority of the countries that we studied as part of the ADRN Digital Rights Landscape reports were also buying artificial intelligence-enabled mass surveillance technologies from the USA or China. China and the US supply surveillance technologies to many African countries including Nigeria, South Africa, Sudan, Egypt, Cameroon, and Zambia.

China is ahead in this market providing total surveillance infrastructure solutions including “safe city” CCTV and facial recognition solutions complete with soft loan financing. Similar systems have also been developed by US companies IBM, CISCO and Palantir and from European vendors from France, Germany and Israel.

Our research found that the Chinese company Cloudwalk is supplying facial recognition technology to the state in Zimbabwe. Companies from Israel and Italy are also providing mobile hacking tools. And Cambridge Analytica style political marketing companies help states to use Facebook surveillance data to influence elections.

The Kenya country report documents funding from the US and China to build mass surveillance infrastructure (Nyabola 2018) and the intervention of Cambridge Analytica in Presidential elections. In South Africa, another UK company, Bell Pottinger, used social media bots to spread campaigns built on falsehoods and seed misinformation.

The Zimbabwe report revealed that while Mugabe was still in office he received a ‘gift’ of monitoring and surveillance technology from Iran that included mobile phone scanners, enabling his government to intercept citizens’ private communications and locations.

To extend their ability to spy on their citizens all of the African governments that we studied had made the registration of mobile phone SIM cards compulsory. Many had enacted laws requiring mobile phone and internet companies to save all mobile communication data to enable state surveillance, and there is also evidence of states buying technologies to enable internet shutdowns in specific districts and of particular platforms (Taye 2020).

Violating human rights

All surveillance is a violation of human rights. We allow legal surveillance only in narrowly targeted instances to prevent the most serious crimes. Surveillance of political opponents, journalists, judges or peaceful campaigners is illegal whoever it is carried out by. The selling of spy technologies to violate citizens’ rights must be made illegal with jail terms for the executives of offending companies.

To end state spying on political opponents and citizen activists we need to raise public awareness about privacy rights and digital rights. Building advocacy and legal capacity is necessary to challenge surveillance in constitutional, international and domestic courts and expanding knowledge about anonymisation and encryption technologies that mitigate risks (e.g., VPNs, Tor and Signal).

Unfortunately, relatively little is known about the use of surveillance technologies outside of North America and Europe. And there is currently insufficient capacity in civil society to effectively monitor, analyse, and effective end illegal surveillance and violation of rights.

The African Digital Rights Network is continuing to address these issues and is close to completing a review of existing surveillance laws in six African countries. In 2022 the network is planning to begin research by activists, lawyers and researchers in 14 countries to learn more about the drivers, tactics and technologies of state surveillance.

For updates on the African Digital Rights Network follow @ADRNorg on twitter.

The views expressed in this opinion piece are those of the author/s and do not necessarily reflect the views or policies of IDS.


About this opinion

Related content