Don’t let the spies grab your metadata

Secrecy may have a grubbier motive, forcing state agencies to keep information from the public to prevent a backlash against their usage.

Jane Duncan
11 September 2015
Protest at police violence in Chicago, 2014.

Protest at police violence in Chicago, 2014.Demotix/M.Stan Reaves.All rights reserved.Imagine a country where you attend a protest with thousands of other people. You are demanding democracy and accountability from an increasingly unresponsive, authoritarian government.

Imagine a country where the government has the ability to print out a list of just about every person in that protest, including their names, addresses and contact details. How safe would you feel?

Well, thanks to a device that’s been making the headlines recently, called ‘The grabber’, you may well be living in such a country.

‘The grabber’ is a mass surveillance device used by police and intelligence agencies globally. In South Africa recently, the police caught criminals in the act of trying to buy one, and apparently a second grabber is still at large.

Also known as International Mobile Subscriber Identity (IMSI) catchers, or active cell site simulators, the device can intercept the location and identifying information of thousands of cellphones at the same time. Next generation devices can even impersonate a user’s cellphone, block calls and intercept communications content such as sms’s and change the content.

IMSI catchers are surveillance tools that act like fake base stations, allowing the operator to bypass telecoms companies and communicate directly with cellphones.

State law enforcement or intelligence agencies typically use these devices to identify a suspect’s location, providing they know the person’s cellphone number, or if they don’t, to identify a suspect’s number for tracking purposes. The devices can also track data-only devices.

If they fall into the hands of criminals, they can be used for a range of purposes, including espionage.

The problem is that - in order to identify a targeted individual – these devices have to suck up the information of all other cellphone users in the vicinity, even if they are not suspects. This means that the information of thousands of cellphone users could land up in the hands of the state for no good reason, or of criminals.

These devices allow the state to identify whether people are at home, and even where they are in their homes, which constitutes a search, and no search should be conducted without a warrant. This is because the state is trespassing in private space to gather information, where a person has a reasonable expectation of privacy.

According to the American Civil Liberties Union’s (ACLU) Christopher Soghoian, ‘If the government shows up in your neighbourhood [with an IMSI catcher], essentially every phone is going to check in with the government…The government is sending signals through people’s walls and clothes and capturing information about innocent people. That’s not much different than using invasive technology to search every house on a block’.

Location data is part of metadata (or information about your information usage), which can say as much, if not more, about a person’s habits, associations and even political beliefs than the content of their communications.

Yet, many state agencies have resisted proper regulation of these devices, basing their arguments on the terribly outdated assumption that metadata should receive lower privacy protections than communications content.

Many agencies also refuse to confirm or deny the use of these devices, arguing that the disclosure of operational methods could jeopardise their investigations. Yet, secrecy may have a grubbier motive, which is to force state agencies to keep information from the public to prevent a backlash against their usage.

Some agencies have signed non-disclosure agreements with manufacturers, and have even attempted to hide their usage from judges, prompting a judicial backlash.

Granted, the devices can be extremely valuable for law enforcement. In one case, they were used to track a rape victim’s cellphone to the rapist’s home. But governments can also abuse these devices to spy on legitimate political dissenters, not just on criminals. Activist organisations have claimed that the police are using them to monitor legitimate protests, a recent example being during anti-police violence protests in Chicago last year.

Governments need to start accounting properly for their usage of these devices, which can be done without jeopardising specific investigations.  

Recently, the ACLU released recommendations on federal use of the devices. Apart from arguing that policies should require a search warrant based on probable cause, these warrants should also contain information about the number of people that stand to be affected. They should also spell out measures the agencies have taken to minimise invasions of privacy.

The ACLU also argued that law enforcement agencies should purge all non-target information immediately, and disallow its dissemination or use. Agencies should stop attempting to conceal their use during court proceedings, and they should be prevented from signing non-disclosure agreements with manufacturers.

Information about the number of times the devices have been used should be disclosed publicly, as should all operational policies relating to their use. These proposals provide a useful starting point for privacy advocates.  

After years of judicial criticism and civil society pressure, the tide is turning in the US. Last week, the US Justice Department released a policy requiring its agencies to seek warrants for the device, although the policy does not apply to state and local agencies. Divisions using the device need to provide annual reports on their use.

So what is the position in South Africa? Are they being used, and if so, how? The ‘grabber’ case makes it clear that these devices are in the country. Reportedly, the president must authorise possession of the devices.

In an attempt to receive some answers, the Open Democracy Advice Centre has sent various government departments information requests, on behalf of the Right 2 Know Campaign. Hopefully, these requests won’t be turned down on national security grounds.

When asked about whether they were using the devices in their work, and if so, whether they applied for an interception direction from the designated judge in terms of the Regulation of Interception of Communications and Provision of Communication-related Information Act (Rica), the South African Police Service spokesperson did not respond to the questions.

Yet, a newspaper article quoted Hawks spokesperson Hangwani Mulaudzi confirming that government security organisations do have access to the devices, and use them for national security purposes.

The Ministry of State Security’s spokesperson Brian Dube neither confirmed nor denied their use.

According to Dube, ‘Well, it becomes difficult for us to reveal the make and details of the equipment we use for the very simple reason that it has the potential to compromise the very work we are doing. With the technological race that is out there between states and organised crime syndicates, it’s not advisable to disclose such details’.

So, if they did use them, would the State Security Agency apply for an interception direction? Dube responded, ‘On the matter of procedure, the interceptions protocol applies whenever an individual’s communications are to be intercepted. Such a protocol doesn’t provide for ‘mass interception’ as the interception judge must hear each case on its merit’.

This statement speaks volumes about the Ministry’s attitude towards the devices, in that it sees the devices as being about mass surveillance in the main, and for them, mass surveillance would not be regulated by Rica. The inference is that even if the SSA used them, there would be no judicial oversight of their use.

If they are being used in South Africa, then arguably their judicial regulation here is even more urgent than in the US. This is because South Africa has SIM card registration – a legal requirement in terms of Rica - while the US doesn’t.

The device allows for the tracking of unknown phones. In countries that do not have SIM card registration, this is less of a problem. The devices will merely generate a series of numbers, and the state won’t be able to track these back to specific individuals without considerable effort.

But in countries with SIM card registration, such as South Africa, the state can, at the touch of a button, print out the names and addresses of every single cellphone carrying participant in a rally or protest, for instance.

When cellphone users were told to ‘get Rica’d’, or risk being cut off, most complied with little resistance.

This quiescent attitude may well come back to bite South Africans, as sophisticated surveillance equipment such as IMSI catchers can now be bolted onto the Rica database and used for mass surveillance purposes.

South Africa has a broad intelligence mandate in that it includes political intelligence gathering. There is also too little transparency about how the spies do their business. At the same time, surveillance tools are growing in sophistication, and none are more pernicious than those used for mass surveillance, as they target the guilty and innocent alike.

These factors create space for the surveillance capacities of the state to be used for anti-democratic purposes, against perceived political opponents that present no real threat to national security.

South Africans should demands answers about what surveillance tools are being used, and for what purposes. South Africans should also stop accepting vague arguments about surveillance being necessary to bring down crime and enhance security, and demand solid evidence that it is actually doing so. Otherwise we may land up getting the security state we deserve.

An earlier version of this article was first published in South Africa’s Mail & Guardian newspaper on September 11, 2015.

Had enough of ‘alternative facts’? openDemocracy is different Join the conversation: get our weekly email


We encourage anyone to comment, please consult the oD commenting guidelines if you have any questions.
Audio available Bookmark Check Language Close Comments Download Facebook Link Email Newsletter Newsletter Play Print Share Twitter Youtube Search Instagram WhatsApp yourData