Overbroad new regulations enable a near-total invasion of privacy by attacking anonymity.

BY Frederico Links

Many people use a pseudonym to post anonymously on social media about their political views, while others don’t want to be identified when sending an anonymous SMS to a newspaper for publication.

Or consider the whistleblower who wants to anonymously and confidentially pass along sensitive information to an investigator or journalist, or the political activist anonymously mobilising and organising a protest via encrypted applications on a mobile phone.

Or people even just being outspoken and critical of the state in their private telecommunications.

These are examples of anonymity enabled free expression and privacy of communication.

But anonymity has also been used for bad behaviour online – cyberbullying, hate speech, spreading child pornography, etc. – and it is such behaviour that has been used as a pretext to attack online and communications anonymity, as well as encryption, by governments the world over, and particularly on the African continent.

Communication privacy and anonymity are now under threat in Namibian as the government moves to operationalise the communications interception and surveillance enabling Part 6 of the Communications Act of 2009, through the implementation of the mandatory SIM registration and data retention regulations gazetted on 15 March 2021.

The Namibian government’s views on anonymity recently became clear, following critical media coverage of the new SIM registration and data retention regulations.

In an official statement on 26 October 2021, the Ministry of Information and Communication Technology (MICT) executive director, Mbeuta Ua-Ndjarakana, stated: “The benefits of SIM card registration is that it eradicates anonymity of communications, which aids in legal surveillance and interception. It also assists in finding criminals who utilise telecommunications to commit offences.”

However, while governments, including the Namibian government, have been spinning attacks on anonymity as critical to crime fighting and national security, the specter of human rights violations has been solidifying through the imposition of extensive and overbroad data retention obligations on telecommunications and internet service providers.

In this regard, almost a decade ago now, the US-based Centre for Democracy and Technology (CDT) warned: “Data retention, by creating records that link highly detailed descriptions of users’ Internet activity to identifying information, violates fundamental human rights, such as the right to privacy, the right to freedom of expression, and the right to the presumption of innocence.”

‘Constitutionally faulty’

Concerns such as these were heightened around the emerging Namibian regulatory framework in October 2021 when conditions being imposed on telecommunications and internet service providers became public, following a Communications Regulatory Authority of Namibia (CRAN) stakeholder consultative process.

The conditions detail the extensive amount of personally identifying information and telecommunications and internet traffic data of every individual telecommunications and internet service customer that will be collected and stored for years – the data retention regulations and conditions to be imposed in the telecommunications sector almost completely undermine any notion of online privacy and anonymity for Namibians.

It is because of this that the Legal Assistance Centre (LAC), in a detailed analysis of the SIM card registration and data retention regulations published in October 2021, labelled the emerging regulatory framework as “constitutionally faulty”.

The LAC said this was because of “the breadth of the kinds of data required to be collected, the lack of procedural safeguards and the lack of attention to data protection principles”.

Addressing similar concerns around privacy and anonymity-destroying regulations, the ‘State of Internet Freedom in Africa 2021’ report, which was recently released by the Uganda-based Collaboration on International ICT Policy for East and Southern Africa (CIPESA), finds that the “collection, processing and sharing of personal data is a critical component in facilitating surveillance and the identification of surveillance targets”.

According to CIPESA, data retention regimes introduced across the continent have “greatly undermined the ability of citizens to communicate anonymously, given the amount of personal data that is collected, retained and shared through these exercises, without adequate oversight and respect for individuals’ privacy rights”.

It adds that “concerns about the misuse of such data are exacerbated by the lack of data protection laws, absence of independent data protection authorities, or poor enforcement of such laws where they exist, as well as the loopholes in the regulation of interception of communication laws”.

All of these conditions prevail in Namibia, given the absence of strong data and online privacy protections, the general lack of transparency and accountability of national intelligence and law enforcement agencies, the absence of strong and independent oversight mechanisms over national intelligence and law enforcement agencies, coupled with the legacy of politicisation of such agencies, and the fact that the largest telecommunications and internet service providers in Namibia are state-owned.

These conditions provide fertile ground for invasive mass surveillance of Namibian society under the emerging regulatory framework.

In this Namibia will be treading the path of numerous African countries, for as CIPESA states, “the nature of the surveillance being conducted by some states, appears to run counter to African and international human rights standards.”

Why this matters

Privacy the world over is highly prized, but under-protected.

This premium placed on privacy cuts across both the online and off-line spheres.

For instance, in 2019, in a Namibian corruption case in which it was found that law enforcement’s accessing of the bank accounts of the accused had been unprocedural, the High Court judge stated: “The purpose of incorporating the right to privacy in the Constitution is that no one should be subjected to unreasonable invasions of a person’s liberty, privacy, property or effects. Any invasion of these rights must be authorised by law in such a manner that it least intrudes [on] those rights enshrined in the Constitution.”

Considering this, according to legal opinion, the emerging SIM card registration and data retention regulatory framework appears to be unreasonably intrusive of a person’s privacy, in “that it eradicates anonymity of communications”, as the MICT executive director recently stated of the aim of the emerging framework.

In its attack on anonymity, the Namibian government is reminded that, as per an adapted quote from international digital rights organisation AccessNow, in a brief about global threats to the right to online privacy and encryption: “Defending anonymity isn’t about protecting criminals. It’s about protecting people in communities at risk — human rights defenders, journalists, and activists — who use anonymity to communicate without fear.”

*Frederico Links is a Namibian journalist, researcher and chairperson of the ACTION Namibia Coalition. This article was commissioned by the Media Policy and Democracy Project (MPDP), an initiative of the University of Johannesburg’s department of journalism, film and TV and Unisa’s department of communication science.

A version of this article was first published in The Namibian newspaper on 11 November 2021.