/ 10 September 2015

Spies are all set to grab your metadata

We should demand answers about what surveillance tools are being used.
We should demand answers about what surveillance tools are being used.


Imagine a country where you attend a protest with thousands of other people to demand democracy and accountability from an increasingly unresponsive, authoritarian government.

Imagine a country where the government has the ability to print out a list of just about every person at that protest, including their names, addresses and contact details. How safe would you feel?

Well, thanks to a device called the “grabber” that’s been making the headlines recently, you may well be living in such a country.

The grabber is a mass surveillance device used by police and intelligence agencies globally. In South Africa recently, the police caught criminals in the act of trying to buy one, and apparently a second grabber is still at large.

Also known as international mobile subscriber identity (IMSI) catchers, or active cell site simulators, the device can intercept the location and identifying information of thousands of cellphones at the same time. Next-generation devices can even impersonate a user’s cellphone, block calls and intercept communications content such as SMSs and change the content.

IMSI catchers are surveillance tools that act like fake base stations, allowing the operator to bypass telecoms companies and communicate directly with cellphones.

State law enforcement or intelligence agencies typically use these devices to identify a suspect’s location, providing they know the person’s cellphone number or, if they don’t, to identify a suspect’s number for tracking purposes. The devices can also track data-only devices.

If they fall into the hands of criminals, they can be used for a range of purposes, including espionage.

The problem is that, in order to identify a targeted individual, these devices have to suck up the information of all other cellphone users in the vicinity, even if they are not suspects. This means that the information of thousands of people could land up in the hands of the state – or of criminals – for no good reason.

These devices allow the state to identify whether people are at home, and even where they are in their homes, which constitutes a search – and no search should be conducted without a warrant. This is because the state is trespassing in private space to gather information, where a person has a reasonable expectation of privacy.

Christopher Soghoian of the American Civil Liberties Union says: “If the government shows up in your neighbourhood [with an IMSI catcher], essentially every phone is going to check in with the government … The government is sending signals through people’s walls … and capturing information about innocent people. That’s not much different than using invasive technology to search every house on a block.”

Location data is part of metadata (or information about your information usage), which can say as much, if not more, about a person’s habits, associations and even political beliefs than the content of their communications.

But many state agencies have resisted proper regulation of these devices, basing their arguments on the terribly outdated assumption that metadata should receive lower privacy protections than communications content.

Many agencies also refuse to confirm or deny the use of these devices, arguing that the disclosure of operational methods could jeopardise their investigations. But secrecy may have a grubbier motive, which is to force state agencies to keep information from the public to prevent a backlash against their usage.

Some agencies have signed non-disclosure agreements with manufacturers, and have even attempted to hide their usage from judges, prompting a judicial backlash.

Granted, the devices can be extremely valuable for law enforcement. In one case, they were used to track a rape victim’s cellphone to the rapist’s home. But governments can also abuse these devices to spy on legitimate political dissenters, not just on criminals. Activist organisations have claimed that the police are using them to monitor legitimate protests, a recent example being during anti-police violence protests in Chicago last year.

Governments need to start accounting properly for their use of these devices, which can be done without jeopardising specific investigations.

Recently, the American Civil Liberties Union released recommendations on federal use of the devices. Apart from arguing that policies should require a search warrant based on probable cause, these warrants should also contain information about the number of people who stand to be affected.

They should also spell out measures the agencies have taken to minimise invasions of privacy.

The union also argued that law enforcement agencies should purge all nontarget information immediately, and disallow its dissemination or use. Agencies should stop attempting to conceal their use during court proceedings and they should be prevented from signing nondisclosure agreements with manufacturers.

Information about the number of times the devices have been used should be disclosed publicly, as should all operational policies relating to their use. These proposals ­provide a useful starting point for privacy advocates.

After years of judicial criticism and civil society pressure, the tide is turning in the United States. Last week, the US justice department released a policy requiring its agencies to seek warrants for the device, although the policy does not apply to state and local agencies. Divisions using the device need to provide annual reports on their use.

So what is the position in South Africa? The grabber case makes it clear that these devices are in the country. Reportedly, the president must authorise possession of the devices, but whether the state uses them is a question that still remains to be answered. 

In an attempt to receive some answers, the Open Democracy Advice Centre has sent various government departments information requests on behalf of the Right2Know campaign. Hopefully, these requests won’t be turned down on national security grounds.

When asked whether they were using the devices in their work and, if so, whether they applied for an interception direction in terms of the Regulation of Interception of Communications and Provision of Communication-related Information Act (Rica), the South African Police Service did not respond.

The ministry of state security’s spokesperson, Brian Dube, neither confirmed nor denied their use.

He said: “Well, it becomes difficult for us to reveal the make and details of the equipment we use for the very simple reason that it has the potential to compromise the very work we are doing. With the technological race that is out there between states and organised crime syndicates, it’s not advisable to disclose such details.”

So, if they did use them, would the State Security Agency apply for an interception direction? Dube replied: “On the matter of procedure, the interceptions protocol applies whenever an individual’s communications are to be intercepted. Such a protocol doesn’t provide for mass interception as the interception judge must hear each case on its merit.”

This statement speaks volumes about the ministry’s attitude to the devices, in that it sees them as being about mass surveillance in the main and, for them, mass surveillance would not be regulated by Rica. The inference is that, even if the agency used them, there would be no judicial oversight of their use.

If they are being used in South Africa, then arguably their regulation here is even more urgent than in the US. This is because South Africa has SIM card registration, a legal requirement in terms of Rica, whereas the US doesn’t.

The device allows for the tracking of unknown phones. In countries that do not have SIM card registration, the devices will merely generate a series of numbers and the state won’t be able to track these back to individuals without considerable effort.

But in countries with SIM card registration, such as South Africa, the state can, at the touch of a button, print out the names and addresses of every single cellphone-carrying participant at a rally or protest, for instance.

When cellphone users were told to get Rica’d or risk being cut off, most complied with little resistance.

This quiescent attitude may well come back to bite South Africans, as sophisticated surveillance equipment such as IMSI catchers can now be bolted on to the Rica database and used for mass surveillance purposes.

South Africa has a broad intelligence mandate that includes political intelligence gathering. There is also too little transparency about how the spies do their business. At the same time, surveillance tools are growing in sophistication and none is more pernicious than those used for mass surveillance, as they target the guilty and the innocent alike.

These factors create space for the surveillance capacities of the state to be used for anti-democratic purposes, against perceived political opponents that present no real threat to national security.

South Africans should demand answers about what surveillance tools are being used and for what purposes. They should also stop accepting vague arguments about surveillance being necessary to bring down crime and enhance security, and demand solid evidence that it is actually doing so. Otherwise we may land up getting the security state we surely don’t deserve.

Professor Jane Duncan teaches at the University of Johannesburg. She is the author of Rise of the Securocrats, published by Jacana, and a member of the Right2Know campaign’s surveillance focus group.