BY FREDERICO LINKS –

The evidence that Namibian intelligence and state security forces are stockpiling and deploying sophisticated communications interception and surveillance technologies continues to grow, even as the lawfulness of such practices remains highly questionable.

Indications are that invasive communications interception and surveillance are happening despite the fact that Part 6 of the Communications Act of 2009 has yet to be implemented, raising the spectre that these activities are shrouded in illegality and could already be violating constitutionally enshrined human rights, specifically freedom of expression and the right to privacy, among others, and are a threat to the rule of law.

This comes as intelligence and state security agencies, probably at the behest of the ruling political elite, and under the guise of “countering violent extremism”, “radicalisation” and terrorism, have subtly started to cast “non-state actors” (which could be anyone or critical civil society and political actors), “religious institutions” and youth movements as threats to national security.

This has to be viewed against the backdrop of senior ruling party politicians, whenever the party is publicly criticised over its governing of state and society, consistently cautioning Namibians against disturbing “peace and stability”. It is becoming increasingly clear that political paranoia, primarily an outflow of fractious internal ruling party politics, is the primary driver of this security creep, and not the need to fight cybercrime or terrorism.

In the two previous instalments in this series it was shown how Namibian intelligence and state security actors have acquired technologies to intercept and monitor mobile communications, while attempting to construct legal cover after the fact. In this final instalment, Namibian intelligence and state security actors’ attempts to intercept internet-based communications, through the use of hackers and malware, is explored.

MALICIOUS TASK

While there is some patchy evidence that Namibian state security and intelligence services already at least considered procuring the services of foreign hackers in 2012, it was in late 2014 when these attempts really seem to have intensified.

On 28 October 2014, as national and presidential elections were looming in Namibia, one Andreas Nekongo, who identified himself as the “head of the technical directorate” in the “directorate of auxiliary services, Office of the President, Republic of Namibia”, which he said was “a national security agency responsible for the security of the state”, made email contact with the now notorious Italian surveillance malware vendor, Hacking Team, which operated out of Milan at the time.

The email correspondence, stretching over more than six months, between Nekongo and first Marco Bettini, Hacking Team sales manager, and then Emad Shehata, a Hacking Team key account manager, form part of the cache of emails dumped online by Wikileaks in July 2015, after the Hacking Team itself had been hacked.

Nekongo states that he had seen a presentation by the Hacking Team at the ISS World South Africa a few months earlier in Johannesburg.

ISS World South Africa “is the world’s largest gathering of Southern Africa Law Enforcement, Intelligence and Homeland Security Analysts as well as Telecom Operators responsible for Lawful Interception, Hi-Tech Electronic Investigations and Network Intelligence Gathering”, according to its bare-bones website.

In subsequent emails Nekongo tells Emad Shehata that he was “impressed by the product displayed by your company”, and on 3 November 2014, he tells Shehata that he was looking for a system that would allow tracking of “at least 30 targets at the same time”.

The Hacking Team sold malware, which took complete control of targeted computers or devices. Malware is harmful, intrusive and unwanted software installed on targeted devices without permission and illegally.

Nekongo says: “Mostly people here use Windows and Mac-OS on the laptop side while on Smartphones let us be able to infect all types”, and then goes on to state that “budget is mostly not a big issue”.

By 6 November 2014 a file, titled “Presidential Security Namibia”, had been opened by Shehata and Bettini and the “product” they were going to try and sell Nekongo would cost 550 000 euros (±N$8-9 million). In mid-December 2014 Nekongo relates that he had “submitted the motivation and just expect their response” from intelligence chiefs. However, the deal appears to have stalled after that and over the next six months Nekongo and the Hacking Team would only be in intermittent contact.

This was arguably because the Namibia Central Intelligence Service (NCIS) was without a director general for a couple of months in early 2015, until Philemon Malima was appointed in late June 2015 by new Namibian head of state Hage Geingob.

On the day (30 June 2015), that Geingob announced Malima’s appointment, Nekongo informed Shehata that he had “not gotten feedback yet from the authority on the way forward”.

A few days later, in early July 2015, the Hacking Team was hacked and the emails were dumped online by Wikileaks, exposing the Hacking Team’s business with a number of African governments, most of which used the outfit’s services to spy on democracy activists, journalists and bloggers, as well as for widespread invasive monitoring of citizens’ social media accounts on especially Facebook and Twitter.

HACKING AWAY

It is unclear whether Nekongo and the Hacking Team picked up contact again after the breach, but it seems Namibian authorities remained undaunted in their aim to procure hacking services and technologies internationally, as hacking appears to be the way they want to go with communications surveillance and interception.

The Hacking Team now seems to be operating from the Mediterranean island of Cyprus since Italian authorities revoked their licence to operate in the country in 2016.

The Surveillance Industry Index, an online database of companies selling and states buying surveillance and communications interception technologies, lists Namibia as having been active in the surveillance and interception market twice in 2015 and once in 2016.

The Namibian purchases on all three occasions were for “off the air interception technology”, which could refer to cellphone surveillance technologies, including IMSI-catchers, which can be used to hack mobile-based internet systems. At the same time, sources have said that Namibian intelligence and state security actors have procured the services of a team of Russian hackers who lived for a while in the country. Despite attempts, the existence of this Russian hacker team could not be independently verified.

Namibian authorities are going around claiming that their activities in the surveillance and interception services market are to combat cybercrime, however, the Namibian Police do not appear to be a beneficiary of these activities, as the Namibian Police’s cybercrime unit by all accounts remains under-resourced, understaffed and under-capacitated, and is arguably a cybercrime unit in name only.

The gulf in technological sophistication between the police and intelligence forces appears to be exceedingly wide.

At the same time, it seems clear that Namibian intelligence and state security actors are or have been in the market for technologies and services which would allow them to sidestep having to apply for warrants.

And therein lies the threat to democracy and the rule of law.

Why exposing state surveillance activities is important

Over recent weeks certain commentators have argued that publicly discussing or exposing state surveillance activities is endangering national security. I would claim that state surveillance activities are endangering national security and stability because such activities are being conducted in a legal vacuum, which undermines the rule of law and Namibian democracy.

In fact, the Namibian government has admitted to engaging in such activities illegally and have been called out for it. In late March 2016 the UN Human Rights Committee (UNHRC), after hearings earlier that month with a Namibian government delegation, noted “with concern that interception centres seem operational despite the fact that their legal basis, part 6 of the Communications Act (Act No. 8 of 2009), is not yet in force. While noting the indication by the delegation that all interceptions must be authorised by a magistrate, and that no private information is kept, the Committee is concerned about the lack of clarity regarding the reach of legal interception possibilities, as well as about the safeguards to ensure respect of the right to privacy in line with the Covenant (arts.17 and 21)”.

The UNHRC goes on to state that: “The State party should ensure that the interception of telecommunications may only be justified under limited circumstances authorised by law with the necessary procedural and judicial safeguards against abuse, and supervised by the courts when in full conformity with the Covenant.”

The “Covenant” being referred to is the International Covenant on Civil and Political Rights, under which Namibia’s compliance was being assessed by the UNHRC.

In mid-2017, the UNHRC requested of the Namibian government to respond to these concerns. It appears that to date Namibian authorities have failed to do so. Continued illegal surveillance should concern every Namibian, as the state is violating its own laws and the supreme law of the land, the Constitution of the Republic of Namibia.

/Ends