Unlawful SIM Card Validation Exercise Is A Threat To Anonymity And Privacy

Courtesy: Daily Monitor

INTRODUCTION

The Ugandan government, through its agencies, has for years focused on curtailing expression platforms such as assemblies and the traditional media spaces, as documented in a Human Rights Watch report in 2015. As a result, citizens are shifting to the online space to express themselves, particularly using Internet-enabled mobile devices to access the various social media platforms. However, there is growing concern among the populace as the state is using both lawful and unlawful means to intercept and openly conduct surveillance on all Ugandans.

One such measure is the SIM card re-registration and validation exercise, with the recently issued guidelines requiring biometric data from the national ID for SIM registration. This process exposes users’ personal data to abuse without collection and protection safeguards. This brief thus examines the existing SIM card registration legal framework, the gaps, and how lawful and unlawful state practices promote surveillance and curtail the right to privacy and freedom of expression.

SIM Card Registration – Policy and Practice

Uganda is among the 49 African countries that had adopted laws requiring mandatory registration of SIM cards by 2014, driven by the widespread diffusion of mobile connectivity. Uganda’s Regulation of Interception of Communications Act (RICA) came into force in 2010, and has since been criticized by both national and international human rights bodies for giving the state broad powers to intercept and monitor private communications.

According to RICA Section 9, telecommunication service providers are mandated to ensure that subscribers register their SIM cards by disclosing comprehensive personal data. Telecom companies are also required by the Act to install equipment capable of enabling the interception of communications, with a penalty of 5 years’ imprisonment for non-compliance.

Section 3 of RICA provides for the establishment of a Monitoring Centre and mandates mobile phone service providers to ensure that intercepted communications are transmitted to the Monitoring Centre.

In December 2010, Amnesty International faulted RICA for the broad and undefined basis for interception of communication, which allows for possible intrusion into the communications of individuals and professionals such as journalists, human rights defenders and political dissidents engaged in legitimate activities and exercising their inherent human rights, including freedom of expression and association.

The Government of Uganda, through the telecommunication regulator, the Uganda Communications Commission (UCC), downplayed all human rights abuse concerns and moved to enforce SIM card registration. The SIM card registration exercise began on 1st March 2012, with UCC directing all subscribers to register their mobile phone numbers in order to be activated on a mobile network in Uganda. UCC argued that SIM card registration is meant to curb criminality, with all citizens required to surrender their personal data contained in crucial documents, including a valid passport, employee ID, student ID, voter’s card and a valid driver’s license, for their SIM cards to be registered as per section 7(3) of RICA 2010.

While RICA was still being criticized by both national and international bodies for facilitating state surveillance, the situation was worsened by non-policy directives made by the Uganda Communications Commission (UCC) following a closed-door meeting with the Inspector General of Police, Gen. Kale Kayihura, and representatives of telecom operators. In a statement issued on 28th March 2017, UCC Executive Director Godfrey Mutabazi imposed a ban on street SIM card vending and also introduced the national Identity Card (ID) as a new requirement for SIM card verification, despite the lack of a guiding legal framework to oversee the verification exercise.

While the UCC Act, 2013 mandates the commission to oversee the operations of telecom service providers, it ought to be done within the confines of the law.

The UCC directives were ultimately meant to ensure easy identification of individuals’ activities online, since the majority of Internet users in the country connect via mobile-enabled devices.

It was further reported by a local newspaper that personal data collected by the National Identification and Registration Authority (NIRA) during the ID registration was to be shared with telecom operators in order to enforce the new SIM card directive, which threatened deactivation of non-verified SIMs.

Under the national ID system, extensive personal data was captured, including biometrics (fingerprints and images), the individual’s residence, biological parents and next of kin. The processing of such crucial personal data and its sharing with private business companies without a data protection law, as is the case in Uganda, is a great danger to citizens’ right to privacy, freedom of expression and anonymity. Besides, private telecom firms are not nationally owned and managed, and they have their databases located outside Uganda. This complex structure raises concerns about the obligations of such private companies to protect the data they process and/or control, and about the legal regime that protects the personal data of SIM card users, and it exposes that data to abuse and misuse.

In total disregard of public outcry and legal advice from the Uganda Law Society, UCC moved to enforce ID–SIM verification and deactivated unverified SIM cards. It took the intervention of President Yoweri Museveni, who issued a different directive, to reactivate them and extend the SIM verification deadline to the end of August 2017.

National Identity Card System

In November 2013, the then Minister of Internal Affairs, Gen. Aronda Nyakairima, launched the mass enrollment strategy for the National ID project for the second time, after the project failed to yield results on its first launch in 2009, allegedly due to corruption. At the launch of the ID project, there was no legal entity to superintend its implementation, perhaps explaining why several government departments, including the population secretariat, Uganda Bureau of Statistics, Uganda Regulation Services Bureau, the Electoral Commission, the Directorate of Citizenship and Immigration and the National Information Technology Authority, all scrambled to take control of the project implementation.

It was after a year-long period of struggle between Ugandans, Civil Society Organizations (CSOs) and opposition political activists that the Registration of Persons Act, 2015 was enacted by Parliament. It provided for the establishment of the National Identification and Regulatory Authority (NIRA), a body charged with registering citizens and issuing National Identity Cards, but the law does not have any provision regulating data retention, storage and use, raising concerns about citizens’ right to privacy and anonymity.

Before the country’s 2016 general elections, the electoral body, the Uganda Electoral Commission, revealed plans to use the ID project register during the electoral process, amid wide condemnation from activists and politicians. A local newspaper quoted EC spokesman Jotham Taremwa as saying the government had decided that all government departments should use the collected national voters’ data banks for future purposes. This was condemned by different sections of the public and was later abandoned by the government. Critics argued that not all Ugandans had obtained National IDs and, indeed, even to date ID issuance is still ongoing amid challenges of system breakdown and corruption, among others.

National and International Human Rights Framework

Article 27(2) of the 1995 Uganda Constitution states that no person shall be subjected to interference with the privacy of that person’s home, correspondence, communication or other property, while Article 29(a) guarantees citizens’ right to freedom of speech and expression, including freedom of the press and other media.

Fundamental rights and freedoms are further reinforced by regional and international human rights legal frameworks to which Uganda is a party. Article 17 of the ICCPR recognizes and confers protection upon privacy. Similarly, Article 19 of the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights affirms that everyone has a right to hold opinions without interference, and to seek, receive and impart information and ideas of all kinds through any media and regardless of frontiers.

Despite the widespread recognition of the state’s obligation to protect the privacy and anonymity of citizens, the Ugandan government has enacted laws such as the Regulation of Interception of Communications Act, 2010, which has provisions that restrict the anonymity of mobile phone or Internet users while communicating. As noted by Privacy International in its submission to the UN Special Rapporteur on freedom of expression in 2015, anecdotal evidence shows that the actions of private companies are often a result of pressure from states to ensure companies are able to facilitate state surveillance of their users.

Restrictions on anonymity have a chilling effect, dissuading the free expression of information and ideas. According to the UN Special Rapporteur’s report, 2015, restrictions on anonymity allow for the collection and compilation of large amounts of data by the private sector, placing a significant burden and responsibility on corporate actors to protect the privacy and security of such data.

As the government of Uganda enforces the Regulation of Interception of Communications Act, 2010 to register SIM cards countrywide, what is perhaps most alarming is the lack of a data protection law to guide the collection, retention, processing and disclosure of personal data and to deter abuse and misuse by state and non-state actors.

The Privacy and Data Protection Bill 2015 has been shelved by Parliament despite repeated calls made by Unwanted Witness-Uganda to have the bill passed into law.

Reported Cases of Abuse/Misuse

In the 2013 UN Special Rapporteur report on the promotion and protection of the right to freedom of opinion and expression, Frank La Rue criticized the RICA for taking communications surveillance out of the realm of judicial authorization and allowing unregulated, secret surveillance, eliminating any transparency or accountability on the part of the state. He described the requirement for law enforcement authorities to demonstrate reasonable grounds to allow interception to take place as extremely low, given the potential for surveillance to result in investigation, discrimination or violations of human rights.

As a member of the East African Communications Organization, the Ugandan government believes that mandatory SIM card registration will reduce the opportunities for malevolent actors to use mobile devices anonymously to undertake unlawful activities. In light of the killing of Assistant Inspector General of Police Andrew Felix Kaweesi in Kampala, the government has significantly increased its pressure to have SIM cards matched with the user’s National Identification Number (NIN). However, no evidence has been provided which shows that SIM registration has been effective in fighting crime; it has instead fueled it, as criminals have been resorting to alternatives such as using foreign SIMs in roaming mode or Internet and satellite telephones to circumvent SIM registration requirements.

In a country without data protection laws to regulate data retention, usage and storage, and with cases of abuse and/or misuse already reported and registered, it is hard to believe in the efficiency of the system. In December 2015, Unwanted Witness-Uganda showed in a statement how MTN Uganda was sharing subscribers’ data with the ruling National Resistance Movement (NRM) party. Using the code number “0207”, the party made anonymous calls to MTN subscribers and played recorded campaign messages by President Yoweri Museveni, who successfully stood for re-election.

The 2015 report on the state of surveillance in Uganda produced by Privacy International, entitled For God and My President: State Surveillance In Uganda, revealed the government’s use of secret communication surveillance to spy on journalists, political activists and human rights defenders by infecting several hotel Wi-Fi networks with FinFisher malware.

Responding to the SIM card–ID verification deadline set by UCC, the telecom operators set up an online verification code, *197#, for subscribers, but this code is also insecure and personal bio data is prone to interception by third parties, including criminals. Currently, the Criminal Investigations Department (CID) of the Uganda Police is investigating a forgery case in which a criminal forged someone’s Identity Card data and extorted millions of Uganda shillings in cash. It is still a mystery which of the agencies in possession of citizens’ data collaborated with the criminal.

It is feared that service providers may use the registration data to market new services and products to customers. Unsolicited messages are already a common occurrence on subscribers’ telephones, with some mentioning users’ identity.

The new SIM card verification requirement is likely to deactivate millions of users who lack national Identity Cards because of the inefficiencies in the registration body, the National Identification and Registration Authority (NIRA). Telecom operators are calling for the extension of the exercise, which is meant to end on 30th August 2017, to enable over 3 million users to register their SIMs.

A similar exercise in November 2013 deactivated 1/3 of mobile phone users in Niger due to lack of registration, while in South Africa MTN’s subscriber base dropped from 17.2 to 16.4 million as the vast majority of the population lacked formal identification.

Conclusion

The right to privacy is a fundamental right protected by article 27 of the 1995 Constitution of the Republic of Uganda. Therefore, any law, including the Regulation of Interception of Communications Act, 2010, which seeks to restrict the right to privacy should not be allowed because it explicitly violates article 27. International legal frameworks to which Uganda is party further reinforce the right to privacy and set standards for restrictions.

However, the current policies and practices of the Ugandan government negate the constitution and the regional and international legal frameworks that guarantee citizens’ enjoyment of the right to privacy, anonymity and freedom of expression.

The ability to communicate anonymously without the government knowing one’s identity is crucial in safeguarding free expression and strengthening political accountability, with people more likely to speak out on issues of public interest if they can do so without fear of reprisal.

In order to uphold the 1995 Constitution of the Republic of Uganda, particularly articles 27 and 29, which guarantee the right to privacy and freedom of expression respectively, Unwanted Witness-Uganda recommends the following:

The government should revoke sections 3, 5 and 9 of the Regulation of Interception of Communications Act, 2010 (RICA) to ensure that Uganda meets national and international human rights obligations;

There should be concerted efforts from all stakeholders to advocate for the review and finalization of a data protection law. The Privacy and Data Protection Bill 2015 is currently before the ICT Committee of Parliament, but there is a need to review it to ensure that it meets internationally recognized data protection principles and upholds Uganda’s national and international human rights obligations.

The government should ensure that citizens’ data collected and shared with private telecom companies is strictly necessary and proportionate as guided by the international data protection principles.

The Ministry of Internal Affairs and the National Identification Registration Authority (NIRA) should ensure that personal data collected during mass enrolment is protected from third party intrusion.
