- Gives state complete access’ to citizens’ private mobile and social media records
- Citizens’ info to be given to all security agencies without court orders
THE Lesotho government has gazetted draconian prying regulations that gives it sweeping powers to access and monitor the mobile phone communications of all citizens including foreigners visiting the country.
The regulations require mobile phone users to have their sim cards, handsets, addresses and biometrics registered and stored in a central data base to which state security agencies would be allowed easy access.
The world unprecedented regulations essentially eliminate all constitutional protections to freedoms of expression, privacy, association and dignity and are seen setting the groundwork for wholesale human rights violations.
More chillingly, the regulations allow private communications of citizens to be handed over to security agencies by the Lesotho Communications Authority (LCA) without the approval of the courts.
So primitive and invasive are the regulations that their most distressing effect will likely be to place Lesotho among the ranks of banana republics.
The regulations do not even spare diplomats, who are now required to register their SIM cards and mobile devices just like everyone else in clear violations of international diplomatic immunity protocols.
Lesotho’s biggest aid benefactor – the United States – has slammed the regulations and urged their reconsideration (see boxed story).
The cumbersome registration requirements will not only entail providing users’ identity documents and proofs of residence to network owners, they also require users’ biometric data.
Titled, “The Communications (Subscriber Identity Module and Mobile Device Registration) Regulations, 2021”, the regulations were gazetted a fortnight ago by then Communications, Science and Technology Minister Keketso Sello.
They have however been slammed by constitutional expert Hoolo Nyane, a law professor at the University of Limpopo, who says they are not only “intrusive” but “most probably in contravention of constitutional freedoms of communication and expression”.
The regulations are the first of a series of envisaged pieces of legislation aimed at giving the state full powers to snoop on and access citizens’ mobile phone and internet communications.
The LCA has already proposed regulations to compel individuals with at least 100 or more followers on any of the social media platforms including Facebook and WhatsApp to register with the authority.
Mr Sello, who was last week moved to the Public Service ministry by Prime Minister Moeketsi Majoro, had also tabled the Computer Crime and Cybersecurity Bill of 2021 in March this year. The bill seeks to empower the state to fully monitor cyberspace, define cybercrimes and prescribe penalties that include fines and lengthy prison sentences.
Section 4 of the latest gazetted mobile communications rules states that the new regulations seek to provide “for a regulatory framework for the registration of subscribers of mobile telecommunications services utilising SIM cards and mobile devices in Lesotho and for the establishment, control, administration and management of the Central Database”.
The central database will be established and maintained by the LCA and it “shall be the property of the government of Lesotho”.
“The database shall provide a platform for the central processing and storage of subscribers’ information.
“The database shall be segregated across network services in such a manner as to ensure easy access to data by authorised persons in respect of subscribers’ information,” the gazette states.
According to the regulations, subscribers will not only register their SIM cards, they will also be required to register their mobile devices including cellphones, tablets, iPads and any other mobile device which can take a SIM card.
This is an unprecedented move as other countries, including South Africa, only require users to register their SIM cards and not mobile devices.
Another unprecedented measure is the requirement for foreigners on international roaming services in Lesotho to be registered as well.
Besides the already cumbersome requirement for subscribers of mobile communications services to register mobile devices, they will have to register by presenting their biometric details.
All mobile communication services providers and providers of mobile devices will have to take down people’s biometric details along with proof of residence before handing it over to the LCA for storage in the central database system.
Big Brother is watching you
In a clear indication of the government’s brazen intention to eavesdrop on the communications of anyone on Lesotho soil, the LCA is now empowered to pass on to the security agencies any of the information captured and stored in the central database.
All the army, police, intelligence and correctional services have to do to lay their hands on such information is request it from the LCA in writing only. They also have to state why they want such information. But they will not require formal court orders as happens in most civilized countries.
“Notwithstanding the provisions of these regulations restricting access to subscriber information on the central database and subject to the provisions of the Communications Act, subscriber information on the central database shall be provided only to security agencies; provided that a prior written request is received by the (LCA) Authority from an official of the requesting security agency who is not below the rank of an Assistant Commissioner of Police or an equivalent rank in any other security agency.
“Release of personal information to security agents shall be in accordance with the provisions of the applicable laws, the (Communications) Act, these regulations and any directives, guidelines or instrument issued from time to time by the Authority and in a format to be determined by the Authority,” the regulations state.
Intrusive and unconstitutional
Professor Nyane has slammed Lesotho for the regulations he says are modelled on South Africa’s Regulation of Interception of Communications and Provision of Communication-Related Information (RICA) Act of 2002.
“This intrusive regulation of subscribers is very common in the SADC region,” Prof Nyane said in an interview with the Lesotho Times this week.
“South Africa had instituted it through the RICA Act of 2002 but as we all witnessed in February 2021, a good portion of the Act was found unconstitutional by the Constitutional Court of South Africa in the celebrated case of AmaBhungane Centre for Investigative Journalism NPC and Another versus Minister of Justice and Correctional Services and Others.
“The portion of the RICA Act which failed the constitutional test related to excessive intrusion into the right to privacy, surveillance and the interception of information. The Lesotho regulations are largely moulded on South African RICA law. It may therefore easily be reckoned that the Lesotho regulations’ provisions on the storage of subscriber information, management of such information may not pass the constitutional test on the strength of the authority of the Constitutional Court of South Africa’s decision in the Amabungane case.”
Prof Nyane said another constitutionally problematic aspect of the Lesotho regulations is that they are merely subsidiary legislation which contains provisions for the intrusion into the rights of people not contained in the parent Communications Act of 2012.
“It is therefore a travesty that such serious limitations of rights not be done by the parent Act have now been done through subsidiary legislation. That is a clear usurpation of powers of parliament by the Minister…
“When ministers make such delegated legislation, they must look at the provisions of the parent Act and see whether they are empowered to regulate that aspect of the Act. The generic assumption of legislative powers that are not specifically delegated by the parent Act is unconstitutional,” Prof Nyane added.
Outstanding cyber surveillance bills
Mr Sello is now Public Service minister following a 3 June 2021 cabinet reshuffle which saw Samuel Rapapa taking over the communications portfolio. Two months before his reassignment, Mr Sello had in March tabled the Computer Crime and Cybersecurity Bill of 2021. If passed into law, the act will give the state powers to monitor cyberspace, define cybercrimes and prescribe penalties that include fines and lengthy prison sentences.
Some of the crimes defined in the bill include data espionage, cyber terrorism, cyber extortion, distributing child pornography, computer-related forgery and fraud, identity-related crimes, racist and xenophobic insults and distribution of nude images of people without their consent.
Other offences include publication of false information, interception of electronic messages or money transfers, modification and interference with contents of a message.
Lengthy prison sentences of up to 25 years and fines of up to M15 million have been proposed as punishment.
Presenting the bill in parliament in March 2021, Mr Sello had said, “the Bill of 2021 is an effort by the government to combat computer crime and put in place the appropriate punishment for it”.
“There are several laws which provide for the criminalisation of different offences such as fraud, extortion, forgery, bribery, genocide, crimes against humanity, war crimes and terrorism.
“However, there is no statute which provides for criminalisation of illegal activities committed through the use of electronic devices except for the Penal Code Act of 2012 which criminalises unlawful access to computers or electronic storage devices owned by another person. There is therefore a need for a comprehensive law which adequately prevents computer and internet-related crimes,” Mr Sello said.
The bill provides for the creation of the National Cybersecurity Advisory Council and the National Cyber Security Incident Response Team.
The National Cybersecurity Advisory Council shall be responsible for advising the government on cybersecurity policy development and national cybersecurity strategies.
On the other hand, the National Cyber Security Incident Response Team will be tasked with providing cybersecurity incident response capabilities to the country. It shall provide technical assistance to law enforcement agencies when so requested.
“It shall provide Lesotho with cybersecurity intelligence, alerts, warnings technical assistance, eradication of threats and recovery from cyber-attacks. It shall build awareness among the general population on how to be safe on cyber space and build capacity for the sustained ability of the country to manage cybersecurity risks.
“In this way, the bill provides a live and functional body to protect its cyber space,” section 12 of the bill states.
In addition, the LCA has also proposed a new set of regulations to govern and monitor the use of the internet. These will be known as the Lesotho Communications Authority (Internet Broadcasting) Rules of 2020.
Among other things, the regulations seek to make it mandatory for anyone with 100 or more followers on any of the social media platforms to register with the Authority.
The now suspended LCA chief executive officer, Mamarame Matela, has previously told this publication that the regulations were necessary to curb abuse of the internet by users.
However, critics say the rules are not necessary and are meant to curb Basotho from enjoying their constitutional freedoms of expression using popular social media. After all social media companies like Facebook, Twitter and others are already monitoring and blocking users who abuse the facilities, making it unnecessary for governments to try and introduce inhibitive solutions of their own. The likes of former United States President Donald Trump have already been kicked off platforms like Twitter and Facebook for using them to incite his supporters to reject the results of last November’s presidential elections which he lost to the incumbent Joe Biden.
Local analysts say the proposed regulations are therefore wholly unnecessary. Their main ulterior motive is to muzzle the population. Prof Nyane said the regulations were only meant to increase and entrench state surveillance of all private communications. They are a violation of freedoms of speech and expression, the analysts say.
“Clearly, the permission to obtain personal information from the database when it is in the interest of security is the most disturbing aspect of the regulations. If there is any phrase that has been misused to attain political needs is the phrase, ‘in the interest of security’. Politicians who have power at a given moment usually abuse this common phrase to suppress dissent and persecute opponents,” Prof Nyane said.
It remains to be seen if both the cyber law and the internet regulations will be passed, in addition to the already gazetted communications regulations. Should this happen, the state will be fully equipped with a battery of laws to not only gain access, maintain surveillance but also criminalise aspects of civilians’ communications.
Herbert Moyo is a journalist researching digital surveillance with support from
the Media Policy & Democracy Project (MPDP) jointly run by the University of Johannesburg and Unisa.