By Nompilo Simanje
October 21 is commemorated worldwide as Global Encryption Day, a day aimed at raising awareness of the importance of encryption in creating safe spaces online.
According to Data Reportal, as of January 2021, there were 5.01 million internet users in Zimbabwe and 14.76 million mobile connections, giving a clear picture of the increased use of mobile devices and the internet.
Encryption, therefore, comes into play as an essential means of promoting digital safety and security, centring on protecting personal information, networks and devices.
As an example, several users in Zimbabwe prefer using platforms like WhatsApp for calls and messaging thanks to the end-to-end encryption security feature, which ensures that only the sender and the person they are communicating with can read or listen to what is said.
While there are different kinds of encryption, they all aim to achieve the same thing, which is to ensure that information can only be accessed by its owner or its intended recipient.
This, therefore, serves as an enabler for the right to privacy, freedom of expression, and freedom of peaceful assembly and association, as people feel more comfortable sharing their opinions with others without fear of reprisals and accessing information on the web.
Encryption is, therefore, a particularly critical tool for human rights defenders, activists and journalists, all of whom rely on it with increasing frequency to protect their security and that of others against unlawful surveillance.
The United Nations Special Rapporteur on Freedom of Expression, David Kaye, in 2015, noted that: “Encryption and anonymity provide individuals and groups with a zone of privacy online to hold opinions and exercise freedom of expression without arbitrary and unlawful interference or attack.
“Consequently, outright prohibitions on the individual use of encryption technology disproportionately restrict freedom of expression, because they deprive all online users in a particular jurisdiction of the right to carve out private space for opinion and expression.”
Principle 40(3) of the Declaration of Principles on Freedom of Expression and Access to Information also obligates states not to adopt laws or other measures prohibiting or weakening encryption, including backdoors, key escrows, and data localisation requirements, unless such measures are justifiable and compatible with international human rights law and standards.
With regard to the Zimbabwean landscape, there are specific developments and also specific laws that speak to the issue of encryption.
As background, in 2011, the Postal and Telecommunications Regulatory Authority of Zimbabwe (Potraz) banned encrypted messaging services provided on BlackBerry phones, arguing they violated the Interception of Communications Act, as the law requires that all services must have “the capability to be intercepted”.
This is provided for in Section 12(1) of the Interception of Communications Act, which notes that a telecommunication service provider shall provide a telecommunication service which has the capability to be intercepted and store call-related information in accordance with a directive issued.
Section 11(1) of the Interception of Communications Act also allows the security and law enforcement agencies to impose “disclosure requirements” on persons in respect of encrypted information where they believe that a key to encrypted information is in the possession of that person, and that a disclosure requirement is necessary in the interests of national security, to prevent or detect a serious criminal offence, or in the interests of the country’s economic well-being.
The requirement is that they must also believe this is proportionate to what is sought to be achieved by its imposition and that it is not reasonably practicable for them to obtain possession of the encrypted information in an intelligible form without that disclosure requirement.
Also of note is the mandatory SIM registration in Zimbabwe, introduced in 2013, which obligates all subscribers to register with their telecommunications service providers by providing personal details including a full name, permanent residential address, nationality, gender, subscriber identification number, and national identification or passport number.
The service providers are then required to retain such personal information for five years after either party has discontinued the subscription.
SIM registration, in effect, eradicates the ability of mobile phone users to communicate anonymously and also facilitates mass surveillance, making tracking and monitoring of all users easier for law enforcement and security agencies.
The proposed Cybersecurity and Data Protection Bill, which is currently awaiting presidential assent, also has provisions that relate to encryption. For example, Section 163A of the Bill provides that any person who unlawfully and intentionally overcomes or circumvents any protective security measure intended to prevent access to data shall be guilty of an offence.
Unlawful interference with encrypted information would, therefore, be an offence.
In addition, Section 163B(1)(g) of the Cybersecurity and Data Protection Bill makes it an offence for any person to unlawfully and intentionally interfere with computer data or a data storage medium by denying, hindering or blocking access to computer data to any person authorised to access it.
What this means, therefore, is that in the event that, for instance, law enforcement officers have been authorised to access some data, encrypting that data will also amount to an offence.
What is key, however, is that encryption promotes data protection and privacy.
States, therefore, have obligations under international law to respect, protect and fulfil the right to privacy of their populations.
In the digital age, these obligations mean that states should ensure the security of online communications, including by raising awareness of internet security issues, encouraging the identification and repair of security weaknesses in computer networks and systems, and facilitating the use of encryption tools and services.
Where a limitation on this is imposed, it should be provided by law in the sense that the restriction is precise, public and transparent, that there are strong procedural and judicial safeguards, and that the restriction is necessary, for instance for purposes of law enforcement.
Related to this is the issue of unlawful and unjustified surveillance.
The Zimbabwean government should review existing laws, policies and practices on surveillance, including Covid-19 surveillance, biometric data collection, encryption and data localisation to ensure they comply with the principles in the African Commission on Human and Peoples’ Rights, the Declaration on Principles of Freedom of Expression and Access to Information in Africa and, more broadly, international human rights standards.
A multi-stakeholder approach remains key to ensure meaningful participation of all stakeholders in the development of policies and laws that affect the right to privacy and data protection.
- Nompilo Simanje is Misa Zimbabwe’s legal and ICT policy officer