How Undermining Encryption Threatens Online User Security in Africa
By Arthur Gwagwa
For activists, human rights defenders, journalists and bloggers, whistleblowers, and sexual minorities, among others, digital tools that use encryption to enable anonymity over unsecured online networks such as the internet not only facilitate the free flow of information but also, and above all, protect personal security. At the fundamental level, anonymity is enabled by tools that use encryption techniques which protect data in storage or transmission.
Increasingly, African governments are wary of the internet and are using an array of strategies to stifle its use by citizens. Those who use encryption tools to bypass government-installed censorship now face a crackdown in an already embattled right to privacy and free expression landscape in Africa. This is evidenced by recent events in Uganda, where the government has ordered telecommunication service providers to block Virtual Private Network (VPN) applications to address ‘tax evasion’ for access to social media platforms. Unable to block VPNs, the national regulator – Uganda Communications Commission (UCC) – is also unduly influencing Ugandans not to use VPNs, arguing that the cost of such services would exceed the Over-the-Top (OTT) services’ tax.
Uganda’s tax on OTT services, which are defined under Section 2 of The Excise Duty Amendment Act as “the transmission or receipt of voice or messages over the internet protocol network & includes access to Virtual Private Networks”, raises new challenges for activists and human rights defenders in the country and potentially across Africa, as their means of communication becomes a means for repression. Apart from helping activists, circumvention technologies have helped internet users in countries such as the Gambia to access social media for communication with friends and families during partial internet shutdowns, and have also helped girls, women and sexual minorities in East Africa to preserve their privacy.
The current regional challenge could not have come at a worse time, especially given the recent decision by Google and Amazon to block “domain fronting,” which has been used by the encrypted communications app Signal. The Ugandan proposal to ban the use of VPNs increases the potential that the Ugandan repressive state will spy on its citizens and further clamp down on free speech beyond enforcing tax compliance. Further, this adds Uganda to the list of African countries that have displayed an inimical attitude towards encryption and anonymity online. For instance, in Tanzania, recent online regulations require internet cafes to have static IP addresses and also to install CCTV cameras within their premises to record their clients. In Zimbabwe, where there were attempts to strip the anonymity of a popular blogger, the regulator also banned Blackberry Messenger because its encryption services undermined provisions for lawful interception under the Interceptions of Communications Act, 2007. The use of digital and encryption tools has also been criminalised in Ethiopia, and there have been attempts to ban anonymous social media posts in Lesotho.
Egypt, just like Venezuela, routinely censors circumvention technologies. According to a recent OONI report, ISPs in Egypt reportedly apply “defence in depth” tactics for network filtering by creating multiple layers of censorship that make circumvention harder. Not only were numerous circumvention tool sites (including torproject.org and psiphon.ca) blocked, but access to the Tor network appears to be blocked as well, according to the report.
Article 19 of the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights (ICCPR) guarantees individuals’ right to access information “regardless of frontiers.”
Echoing these provisions, in his first report to the Human Rights Council, the Special Rapporteur on freedom of opinion and expression, David Kaye, noted that encryption and anonymity in digital communications deserve strong protection to safeguard individuals’ right to exercise their freedom of opinion and expression.
Beyond upholding human rights, the use of reliable encryption software to safeguard data is critical to many sectors and organizations, including financial services, medicine and health care, research and development, and other critical infrastructures around the world. Encryption-related software, including pervasive examples such as Secure Sockets Layer (SSL) and Public Key Infrastructure (PKI), is essential to online commerce and user authentication. It is part of the underpinning of current communications networks.
While Africa is facing a number of threats, including terrorism and child exploitation, as pointed out in the Symantec Report on cyber security trends on the continent, laws, practices and policies that ban, restrict, or otherwise undermine encryption and anonymity significantly and disproportionately damage the rights enshrined in Article 19 of the ICCPR as well as national constitutional guarantees. Furthermore, they increase the vulnerability of government and companies to criminal activities online.
The proposed move in Uganda and related practices elsewhere in Africa go against the protection of anonymity for free expression for journalists, bloggers and human rights defenders operating in repressive environments or whistleblowing to expose government corruption.
Also, given Africa’s financial markets’ vulnerability to cyber-attacks, weakening encryption protocols may further expose financial institutions and other critical infrastructure to cyber-attacks. As such, African governments, ISPs and other technology service providers should fully support, and not undermine, encryption efforts for commercial interests, and for companies and civil society to better protect data in transit, at rest, in the cloud, and in other storage.