Читать книгу Stopping the Spies - Jane Duncan - Страница 10

Introduction

‘I saw my final hour unfurl before me, I thought this was the end. I thought I’m finished, I’m finished. I was terrified. We must all have thought the same.’¹ Julian Pierce, a journalist for the French radio network Europe 1, was inside the Bataclan theatre in Paris in November 2015, watching a live music show, when gunmen claiming to support the Islamic State for Iraq and Syria (ISIS) stormed the theatre and shot indiscriminately into the crowd. Eighty-nine people died in that attack, and a further 41 people were killed in other co-ordinated attacks around the city that night.² It must be many people’s worst nightmare: becoming a victim of a terrorist attack simply for being in the wrong place at the wrong time.

Terrorist attacks have swept Europe in the past few years, with France being attacked repeatedly. I will discuss the politics of naming particular acts as ‘terrorist’ later in the book; for the moment, suffice it to say that I do recognise forms of violent political action that could be legitimately considered terrorist. Fearful citizens have looked to their governments to protect them from terrorist violence, and these governments have responded by increasing their intelligence and policing powers. In fact, intelligence work has become increasingly important to governments seeking to thwart terrorist threats, as it allows them to identify the culprits of these attacks and even prevent future attacks from taking place. They can also profile possible ‘persons of interest’, who might become terrorists in future. Gathering intelligence from human sources (or human intelligence, as it is known in the intelligence community) is expensive, time-consuming and often dangerous, as terrorist organisations could uncover spies in their midst, or these spies may provide unreliable information, or even be recruited as double agents. Given the drawbacks of human intelligence, more governments are turning to the surveillance of communications networks to acquire intelligence on terrorist activities and plans (what is called signals intelligence).

Yet, government surveillance programmes may not be motivated purely by the noble objective of protecting public safety. We have all become familiar with terms that describe a government that spies indiscriminately on its people in order to maintain its grip on power. George Orwell’s terse novel Nineteen Eighty-Four painted a chilling picture of an authoritarian society dominated by pervasive surveillance, and his character ‘Big Brother’ came to symbolise the horrors of such a society.³ Writing several decades later, Michel Foucault drew on the nineteenth-century British philosopher Jeremy Bentham’s plan for a ‘panopticon’ – a building that allows a single watchman to watch large numbers of people – as a metaphor for a modern society in which its subjects are made to practise self-discipline through the threat of constant surveillance.⁴ These terms have endured in the public imagination as descriptors of the power of surveillance and the dangers of its being undertaken on an unaccountable basis. In spite of the real and present danger of terrorist attacks in some countries, more people have become concerned about the dangers of unaccountable state surveillance and the impact that it may have on the fundamental human right to privacy. According to Article 12 of the United Nations (UN) Declaration of Human Rights, ‘No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.’⁵ Clearly, arbitrary surveillance would threaten this right. However, opinion polls suggest that public opinion remains sharply divided on whether privacy is more important than national security.⁶

‘The idea that they can lock us out and there will be no change is no longer tenable. Everyone accepts these programmes were not effective, did not keep us safe and, even if they did, represent an unacceptable degradation of our rights.’⁷ Whistleblower Edward Snowden made these comments two years after leaking thousands of NSA documents about secretive mass communications surveillance programmes. The NSA is the United States government agency responsible for communications surveillance for intelligence purposes. These leaks, drip-released in collaboration with journalists such as Glenn Greenwald and Laura Poitras, led to the journalists blowing the lid on secret government spying programmes that had moved far beyond their original stated purpose of fighting terrorism and violated the privacy of millions of innocent people in the process. While the Snowden documents focused mainly on US and UK government programmes, they also revealed information about the close co-operation with other ‘Five Eyes’ countries. Referring to a coalition of countries co-operating with one another to fight terrorism and other national security threats, and dating back to the post-World War II period when Western hostility to the Union of Soviet Socialist Republics (Soviet Union or USSR)was at its height, the Five Eyes coalition consists of the US, UK, Australia, New Zealand and Canada. While little is known about the nature of their co-operation, what is known is that they co-operate around the sharing of intelligence, including the interception and analysis of signals intelligence.⁸

The Snowden revelations created a huge public outcry, and pressure from privacy advocates forced the US government to concede reforms of some of its programmes. Yet, critics have argued that these reforms are not as significant as they appear, as they leave most of the surveillance programmes revealed by Snowden intact. According to Privacy International and Amnesty International, many governments are continuing or even expanding their mass surveillance capabilities.⁹ The intractable nature of mass surveillance is unsurprising: it has become big business. State and consumer surveillance programmes have converged to the point where it has become difficult to separate the two. The state relies on private security companies to store huge datasets in the cloud, while the private sector commercialises these datasets for profit by selling them to other companies, mainly advertisers. The state and the private sector operate in a charmed circle, where intelligence is used to advance countries’ commercial interests, especially for imperial powers that risk losing their dominance in global affairs; as a result, more governments are including the protection of commercial interests in their definition of national security.¹⁰

As the importance of signals intelligence has evolved, regulatory regimes have developed to give this form of surveillance a semblance of public accountability, but these regimes are often inadequate. For instance, in 1978 the US government established the Foreign Intelligence Surveillance Court (FISC), set up in terms of the Foreign Intelligence Surveillance Act (FISA), to hear applications for communications surveillance warrants for the interception of communications between foreign powers and agents of foreign powers operating in the US, which may include US citizens too. The surveillance of foreign communications is authorised under Executive Order 12333, which is not subject to judicial review and which may also involve the collection of communications records of US citizens in contact with overseas targets. While the existence of the FISC suggests that due process is followed in the interception of foreigners’ communications, court proceedings are secret and the vast majority of applications are approved. This is largely because the application process is not adversarial in that the grounds for application are not interrogated by counsel for the defence, as would usually be the case in open court. Furthermore, the grounds for the issuing of warrants in FISA are less stringent than those required for ordinary criminal warrants (or Title III warrants), even when it comes to the interception of US citizens’ communications. More seriously, though, the FISC has authorised the establishment of mass surveillance programmes in terms of the amendments to FISA by the Amendment Act, and, according to the Snowden documents, the court had used a controversial section of the Patriot Act to approve the collection of the phone metadata records of Americans in bulk. In authorising the procedures for mass surveillance programmes, FISC had no concrete knowledge of their actual functionings, and as a result deferred to the intelligence agency applicants rather than second-guess them. Under these circumstances, it is hardly surprising that the FISC has been a poor check on official surveillance abuses.¹¹

WHY WORRY ABOUT SURVEILLANCE?

Why should we be worried about surveillance? After all, governments argue, if people have nothing to hide, then they have nothing to fear: a saying whose origin is unclear, but which has been attributed to Orwell and, before him, the Nazi Minister of Propaganda, Joseph Goebbels. The problem with this argument is that it assumes that government motives in undertaking surveillance are pure: that is, they will not misuse these powers to spy on their political opponents and others whom they consider to be politically inconvenient, like investigative journalists intent on holding governments to account. Governments the world over have justified surveillance to their citizens as a necessary evil to counter criminal activities and threats to national security, especially those posed by terrorists. Yet, even in the wake of the terrorist attacks on the US on 11 September 2001, the ‘war against terror’ never remained a pure war against those who were responsible for their acts and their supporters. Some countries seized on the heightened global security measures to place political activists under surveillance. In fact, the expansion of security powers was under way even before 11 September. In New Zealand, for instance, the country’s definition of national security was extended to include the country’s economic and international well-being as far back as 1996.¹² The UK government spy agencies MI5 (the domestic intelligence agency) and MI6 (the foreign intelligence agency) have spied on social movements calling for nuclear disarmament and trade unions, clearly considering them to be an ‘enemy within’, in spite of scant evidence of illegality.¹³ There are many well-documented cases of states, under the political direction of government officials, using their surveillance capacities to spy on activists who posed no real threat to national security; these practices have cast a pall on the supposed political neutrality of state surveillance practices and the uses to which they are put.¹⁴ These cases point to a broader truth about surveillance – namely, that it is not being used simply to fight crime and terrorism but to stabilise social relations more broadly by collecting information on those who may expose or challenge how society is currently organised. The purpose of surveillance in this broader context is to make people who are considered to be problem subjects legible to public and private power, for the purposes of determining their risk profiles, managing them as risks and even acting against the most extreme risks. This is particularly the case in relation to intelligence work, where broad definitions of what constitutes threats to national security are coupled with technologically advanced forms of surveillance, leading to state spies claiming the right to access more and more personal information.

There are many forms of intelligence-gathering, but the two that are of concern in this book are human intelligence and signals intelligence. Human intelligence (or HUMINT) is intelligence gathered by physical means, such as the infiltration of organisations, tailing of suspects or espionage, while signals intelligence (or SIGINT) is intelligence gathered from the surveillance of electronics networks, including telemetry intelligence, electronic intelligence and communications intelligence (or COMINT).¹⁵ Globally, intelligence agencies are being tempted to shift away from human intelligence and towards signals intelligence. Why is this so?

Technological advancements have reduced the cost of surveillance using electronic signals, making it easier for governments to place whole populations under surveillance. Previously, if governments wished to spy on their citizens, they would need to place them under physical surveillance – which could also be uncovered, possibly at great political cost to the government concerned – or need to use costly telephone-bugging equipment that could be detected if people knew what to look for. However, new information and communications technologies (ICTs) have allowed governments and private companies to gather vast amounts of information about people at a small fraction of the previous cost. They are able to collect and analyse huge databases detailing people’s travel habits, banking details, personal interests and reading habits, who their closest friends and associates are, and what they communicate about. For instance, cellphones can provide huge amounts of information about whom people communicate with, as well as location information about where they have travelled. Internet and communications companies are also busy storing information about people’s locations, search habits and communications with other people, to mine it for commercial uses. This information is called metadata, as it provides information about a person’s communications, but not the actual content. However, metadata can provide such rich information about a person’s habits, personal preferences and associations that it can be as revealing as, if not more revealing than, communications content. Yet there are few legal protections for metadata.

Other data-driven technologies are being used increasingly to monitor public spaces, for a range of national security, criminal justice and commercial reasons. CCTV cameras can monitor people’s movements, and increasingly these cameras are fitted with invasive technologies such as facial recognition, which allows a computer to identify a person from his or her facial features from a photograph stored in a facial database (known as ‘smart’ CCTV, which is something of a misnomer as once the data is transmitted over the internet to another location, the television system no longer operates on a closed circuit). Electronic tolling systems track drivers’ movements for the purpose of billing them for road usage. These schemes usually include automatic number-plate recognition systems, allowing tolling companies to recognise vehicle licence plates and match them to a database of vehicle owners. Biometric identifiers – or digital impressions of fingerprints, irises or voices – can also be used to identify people for surveillance purposes; this is a particularly invasive form of identification as it involves a person’s body. While many countries use biometrics for border control, some have attempted to use them to establish national identity systems. In countries like the US and the UK, these attempts have been met with mass opposition on the ground that they threaten privacy on a massive scale. More governments are also using unmanned assistance vehicles – colloquially known as ‘drones’ – to conduct surveillance of borders and monitor crime scenes and disaster areas. Drones can also be loaded with lethal payloads to kill opponents, and, controversially, lethal drone strikes became a distinctive feature of the Barack Obama administration.

These surveillance devices can gather vast datasets, or ‘big data’, which can be analysed using computer algorithms, or sets of rules or methods for the processing of data and for the purpose of establishing patterns. Search engines like Google mine people’s internet searches to analyse personal interests, and then on-sell this information to advertisers. But big data is being used increasingly by intelligence agencies as well. One of the challenges of living in the digital age is that we are not necessarily who our data suggests we are: we can develop ‘data doubles’, or digital identities that may bear little, if any, resemblance to who we really are and what we really think.¹⁶ These identities can then be used to profile people as terrorists or criminals, even if they are innocent. So, intelligence analysts may tell computers to analyse datasets for individuals who have searched for information on how to buy a gun, have spent time in Syria or Iraq recently – where ISIS established its strongholds – and have made enquiries about travelling to Paris. Such an individual could match the profile of a terrorist. Yet, he or she could also match the profile of a researcher seeking to understand ISIS as an organisation, its criminal networks and its reach into Western countries. Or the individual may simply have travelled to the Middle East for personal reasons, have an interest in collecting guns and wish to take a holiday in Paris, with no underlying motive linking these actions and interests together.

Big data analysis is meant to bring a measure of objectivity to intelligence-gathering, profiling possible suspects on the basis of clear criteria. In the process, analysts assume that they can eschew the subjective assumptions (even prejudices) to which analysis undertaken by humans is susceptible. Intelligence agencies like GCHQ have argued that mass surveillance does not violate privacy as there are no (or limited) human interventions in the process given that surveillance is a machine-driven process. The automated nature of the process means that the vast majority of data that is intercepted is discarded without human beings ever having looked at it. Once data of interest is identified, then an examination warrant is needed before the examination can be undertaken.¹⁷ However, the reality of big data analysis is somewhat different. There are six stages in the surveillance process: initial interception of the signals, often from cables as they enter the country; extraction, the stage where the signals are converted into an intelligible format; filtering, where analysts identify particular information of interest; storage, where this information is retained for further analysis; analysis, where the stored information is queried or examined; and dissemination, where the information is sent on to the relevant agencies.¹⁸ Spy agencies are reluctant to admit that privacy is interfered with at all stages of the surveillance process, while data is being diverted from its original and intended path, but this impacts on communications privacy even if it is an automated process.¹⁹ The most glaring privacy invasion occurs at the level of filtering, though. Analysts need to identify the search terms (known as selectors) for the processing of the raw data, and this involves subjective decisions about what matters and what doesn’t; so, clearly, there is human intervention at this stage, even if the selectors are used to undertake an automated filtering process.

Analysts may use hard selectors (such as email addresses or telephone numbers), a combination of selectors (such as an Internet Protocol address combined with a name), or what Eric King, director of Don’t Spy on Us, an organisation campaigning for surveillance reform in the UK, has referred to as ‘fuzzy selectors that can easily be critiqued’ (such as ‘all Muslims living in the city of London’).²⁰ Once analysts have the data, they may become so overwhelmed with the volume that they may bring their own subjective lenses to bear on the analytical process. As a result, agencies have a vested interest in being as precise as possible, but the dangers of overbreadth remain, nonetheless. According to King:

Mass surveillance and targetted surveillance aren’t adequately precise. This doesn’t do justice to agency practice, which is to collect on a very large scale but in a targetted manner. Sometimes they overcollect. They may be going after a group, then may collect far more than they need … Targetted and mass surveillance are functionally hard to separate … What I take umbrage with is the limiting of people’s rights in the process. Where I have a problem, is the gathering of information of a whole country. Intrusion occurs when data is filtered out of the cable, irrespective of how much. There are a number of cases where communications have been intercepted when they were the target and where they weren’t the target.²¹

US attorney Brandon Mayfield is a real-life example of just how wrong big data-driven intelligence work can go. In 2004, he was falsely linked to the Madrid train bombings after his fingerprints were matched incorrectly to those found at one of the scenes of the crime. His fingerprint had found its way into an International Criminal Police Organisation (INTERPOL) database for an arrest two decades earlier on a charge that was subsequently dropped. In addition to his matched fingerprint, Mayfield became a prime suspect because he had converted to Islam and, as an attorney, had represented a person accused of attempting to assist the Taliban. Another suspect who did not fit this profile was ignored.²² Yet, in spite of the real dangers of falsely accusing people of a crime through big data analysis, and using the analysis to confirm already existing prejudices against social groups (Muslims, for instance), intelligence agencies are relying more and more on intelligence gleaned from big data.

ICTs have made contemporary life much more convenient; but they have also created new mechanisms of potentially anti-democratic social control. Is it really desirable for the state and private companies, sometimes working together, to regulate the most private actions and even thoughts of its citizens? The concerns about powerful institutions having such intimate knowledge about us have led to many becoming concerned that we are living in a surveillance society, where the collection, retention and analysis of vast quantities of data for the purposes of controlling human behaviour become central to our social fabric. Even more worryingly, we may be living under a surveillance state, in which the state uses this information to control citizens more effectively than in the past, because it has access to their most intimate details.

The surveillance society and state did not come out of nowhere; they have been under construction for many years. David Lyon has warned about the dangers by referring to what he calls ‘the slow cooker of surveillance’, in which the practices and technologies that are being deployed now have evolved over several decades,²³ but such warnings have been confined largely to the arcane forums of academic publishing, rarely spilling over into public debate. The ‘slow cooker’ effect becomes apparent only when people understand the full extent of the surveillance architecture and how different elements of the surveillance assemblage link together. This bigger picture allows active citizens to anticipate what the state’s capacities are likely to be, and how the corporate sector bolsters these capacities: information which, in turn, can be used to anticipate when the state is becoming too powerful.

Surveillance creates mistrust between governments and citizens, leading to a reluctance to speak out on controversial issues of public importance, and even self-censorship. Being watched, or the fear of being watched, has a chilling effect in that it may dissuade people from expressing their innermost thoughts, and, when they do, they may alter what they have to say to please those who they think may be watching. In this regard, a distinction needs to be drawn between targeted surveillance and mass surveillance. Targeted surveillance involves the observation and gathering of information about individuals and groups where there is a reasonable suspicion that they have been involved in a crime, or where there are strong reasons to believe that they may be intending to commit a crime. This form of surveillance has also become known as ‘lawful interception’, as communications service providers are usually required by law to assist with such interceptions for the purposes of surveillance. Governments generally prescribe certain standards that communications companies must meet in making their networks surveillance-capable for lawful interception purposes: standards that originated from the Communications Assistance for Law Enforcement Act (CALEA), passed by the US Congress in 1994 to respond to law enforcement concerns that their ability to monitor networks was declining (or ‘going dark’) as more networks were digitised. The Act required network operators to use digital switches or handover interfaces that have surveillance capabilities built into them: a requirement that was subsequently incorporated into EU regulatory frameworks as well, according to standards set by the European Telecommunications Standards Institute (ETSI), subsequently known as ETSI standards.²⁴

CALEA and ETSI standards have become internationalised as the surveillance standards for many countries.²⁵ According to the communications security expert Susan Landau, while these standards have made surveillance of digital networks easier, they also introduced security vulnerabilities that have been exploited by intelligence agencies and criminals alike. Between 2004 and 2005, still-unidentified individuals exploited the inherent weaknesses in these interfaces to intercept the communications of senior Greek government officials for ten months, until the vulnerability was discovered. Over six thousand Italians, including judges, politicians and celebrities, also had their communications intercepted by criminals over a period of a decade.²⁶ In 2012, in the wake of massive abuses of internet freedom by regimes desperate to cling to power in the Middle East and North Africa, the Directorate-General for External Policies of the European Parliament called for a reconsideration of some ETSI standards, as they were simply too vulnerable to abuse and enabled mass surveillance.²⁷ Yet in spite of these problems, South Africa adopted CALEA and ETSI standards in 2005, including some of the very standards about which the European Parliament expressed concern.

Before we proceed with this discussion, it is necessary to add a terminological note on the differences between monitoring, surveillance, interception and equipment interference, as these terms are difficult to distinguish from one another, and at times some are used interchangeably. Monitoring involves the intermittent observation of communications over a period of time without specific pre-defined objectives. Surveillance, on the other hand, involves much closer continuous and systematic observation for analysis with specific objectives in mind, and may involve the collection and retention of communications for these purposes. Needless to say, I am more concerned with the surveillance of communications, rather than its monitoring, as surveillance carries with it greater potential for harm if unregulated than monitoring. In order for surveillance to take place, the communications need to be intercepted, or diverted from the intended recipient and captured, collected or acquired by a third party. A human being does not have to divert, collect or analyse the communications for the action to constitute surveillance: a machine can do so, too.²⁸ However, not everyone agrees that machine surveillance constitutes surveillance at all; intelligence agencies have argued that machines cannot violate privacy, only humans can.²⁹ This disagreement is not purely semantic: it goes to the heart of whether mass surveillance can be considered a privacy violation at all, and consequently whether societies should tolerate such conduct by their security services. I take the position that as the basis for machine interception, collection or analysis is determined by humans, an act of surveillance occurs even if machine analysis is involved, and privacy stands to be violated in the process. Surveillance can occur through the monitoring of communications traffic, such as internet traffic, the interception of mobile phone communication content and data about those communications, the interception of fixed-line communication content and data about those communications, and the planting of intrusion equipment on communications devices, as well as through the use of data-driven surveillance tools like CCTV.

On the whole, though, targeted surveillance through lawful interception has been less controversial than mass surveillance, which is often referred to as ‘suspicionless surveillance’. The latter involves the tracking of individuals or organisations where there is no suspicion of wrongdoing, but where information about their communications may be stored just in case the law enforcement or intelligence agencies need it to detect suspicious activities in future. While lawful interception generally requires human intervention in order to intercept the communications of specific individuals, and communications service providers have to ‘switch’ the communications to a monitoring centre, mass surveillance is generally automated, and may be conducted through network probes that transmit communications directly to a monitoring centre. Communications service providers may not be involved in this form of surveillance, as the data can be copied off the backbone of the communications infrastructure. Once it is copied, then an agency can conduct searches for specific terms, names or numbers in the intercepted communications to narrow them down to more manageable levels. They may also choose to look for associations between various individuals in order to map contacts. The Snowden documents revealed how the NSA is allowed to travel three ‘hops’ from the communications of a person of interest: that is, they can examine the people who spoke to that person and the people who spoke to those people. As a result of the ‘three hops’ policy, the communications of large numbers of people, many of whom are likely to be innocent of any crime, can be examined.³⁰ However, surveillance affects different social groups differently, and can be used for the purposes of discriminatory social sorting: selectors can be developed on the basis of populations (Afghanis, for instance), and the tendency to profile what the agencies consider to be problem populations is particularly pronounced with mass surveillance.³¹

Surveillance provides the state with a politically low-cost form of social control, as abuses are very difficult to detect, and it can use such surveillance, or the threat of surveillance, to create fear that organised violence will be used against perceived opponents. To that extent, and when used inappropriately, surveillance could be considered a form of violence. At the same time, the fear of being watched may force people to self-police their own behaviour, as Foucault argued.³² Such a society is not one that we should want to live in, or to allow our children to inherit, as it will be premised on fear and insecurity.

Perhaps even more controversial than mass surveillance, which involves passive monitoring of networks, are more active forms of communications interception using equipment interference, such as hacking. Increasingly, law enforcement and intelligence agencies are arguing that encryption is making it more and more difficult to conduct communications surveillance, and this is pushing them to resort to more extreme measures such as infiltrating a communications device like a computer remotely, using malware that delivers surveillance software through an email attachment, taking control of the device and opening any document or application as though it was the device owner. Hacking can even alter or delete a person’s communications, which not only renders the communications and the device pretty useless for evidentiary purposes, but presents grave threats to the security of communications networks as a whole.³³

In spite of the widespread public outrage about the expansiveness of the programmes exposed by Snowden, and in spite of ongoing controversies about the effectiveness of mass surveillance relative to more traditional intelligence efforts, the UK responded by not only defending its existing bulk powers in terms of the Regulation of Investigatory Powers Act (RIPA) and the Data Retention and Investigatory Powers Act (DRIPA), but also seeking new powers through a controversial new Investigatory Powers Act, which was passed in the dying days of 2016. Bulk powers target people outside the country, with less privacy-invasive surveillance ostensibly being reserved for UK nationals. As a result, the Act subjects non-nationals to weaker privacy protections, and thus discriminates against them, thereby flying in the face of attempts to universalise human rights. The most controversial elements of the Act are the executive’s bulk powers to intercept, store and even hack communications on a massive scale. The debate about the Act did put a spotlight on the UK government’s use of hacking. Up to that point, the UK government had never admitted its use of bulk hacking of the computer equipment of non-nationals, until several NGOs brought a case before the Investigatory Powers Tribunal (IPT), which confirmed GCHQ’s use of this surveillance practice.³⁴ This form of surveillance is possibly the most intrusive and dubious of all, as it allows the intelligence agencies, on a mass scale, to access address books, track every keystroke, email and internet search on communications devices, and even turn on a computer’s camera and microphone, using it as a surveillance device against its owner.

WHY SHOULD THE GLOBAL SOUTH BE CONCERNED?

But should countries in the global South, like South Africa, even be concerned? The southern African region has largely escaped the terrorism problem plaguing countries like France, the UK and the US, and African countries further north, like Nigeria and Kenya. No southern African country has its own version of al-Shabaab or Boko Haram, responsible for terrible atrocities in East Africa and Nigeria respectively. South Africa faces no significant threats to national security, especially terrorist threats, although the presence of terrorists in the country has been an enduring source of speculation. So, it could be assumed that the region should have little reason to invest in the building of surveillance states. Evidence is emerging that suggests this assumption is incorrect.

Even though South Africa is not a terrorist target, growing social discord over inequality means that the temptation is there for less principled members of the security apparatus to abuse the state’s surveillance capabilities to advantage the ruling group in the ruling party and disadvantage their perceived detractors. This possibility is not far-fetched. In 2005, the state’s mass surveillance capacities were misused to spy on perceived opponents of Jacob Zuma, then contender for the presidency. Journalists have also had their communications intercepted, and several politicians and activists have alleged that their communications were intercepted. The Mail & Guardian has quoted sources inside the police and the SSA alleging that security personnel often do not even bother to obtain directions to intercept communications.³⁵ In 2013, it emerged during a trial that the Crime Intelligence Division of the South African Police Service (SAPS) had placed members of the extreme Afrikaner militia, the Boeremag, under surveillance while in prison, which included intercepting communications between the accused and their lawyers, in violation of attorney–client privilege.³⁶ While it is extremely difficult to establish the extent of the problem, these incidents make the case for reforms to ensure that the state’s surveillance capacities are not abused.

South Africa has a law, RICA, that governs lawful interceptions for policing and national security purposes. In spite of the fact that its drafters attempted to strike a balance between the interests of justice and national security, on the one hand, and civil liberties such as privacy, on the other, it ignores many of the most basic international human rights protections. Even worse, the available evidence points to mass surveillance being grossly under-regulated in South Africa, and, as Snowden has shown, where there is a lack of accountability, abuses are almost inevitable. The centre that undertakes this form of surveillance is the National Communications Centre (NCC); the centre has no founding statute and its interceptions do not require a warrant. In fact, the available evidence points to its operating on an entirely separate but parallel track to the targeted, lawful interception process of RICA. In 2005, abuses of the NCC’s surveillance capacities were confirmed by the statutory intelligence watchdog, the Inspector General of Intelligence, who found that the country’s bulk scanning facilities had been used to keep South Africans under surveillance during the country’s bruising presidential succession battle, including senior members of the ruling party, the opposition, businessmen and officials in the public service.³⁷ So, the organ of state that has the greatest capacity to conduct mass surveillance is also the one that is least regulated by law. This capacity is so intrusive that its use should be authorised by primary legislation. WikiLeaks has also revealed how South Africa manufactures and exports mass surveillance equipment to authoritarian regimes such as Libya. Privacy International has also publicised the fact that the South African government has provided funding to the local technology company Vastech for the manufacture of one of its surveillance products, and that the problem of taxpayers’ money being used to fund mass surveillance equipment which was exported to a repressive regime has not been addressed.³⁸

There has been little public controversy in South Africa about the implications of other potentially privacy-invasive, data-driven surveillance technologies, such as the use of CCTV in more and more public spaces. The government intends biometrics to become the technology of choice in its transactions with citizens. It is establishing centralised biometric databases for its social security system and identity cards, in spite of major concerns globally about the wisdom of establishing such databases. In 2015, the state entity responsible for airspace safety, the Civil Aviation Authority (CAA), passed regulations authorising the flying of drones, but the privacy protections contained in its regulations are weak. South Africa is also experimenting with electronic tolling of drivers who use certain freeways, which allows their movements to be tracked for the purposes of billing. However, the relationships (if any) between these various forms of surveillance, and the way they relate to police and intelligence surveillance activities, remain largely unexplored. While South Africa has a data protection law in the form of a Protection of Personal Information (POPI) Act, at the time of writing the information and privacy regulator that the Act envisages was still in the process of being set up, which meant that some of the most privacy-invasive technologies were being rolled out in the absence of enforceable privacy protections. In fact, South Africa has been sleepwalking through some of the most significant privacy issues of recent times, ones that have made people elsewhere take to the streets in protest. This book is an attempt to change that situation by linking the current global debates about surveillance and privacy to South Africa, and asking how concerned we should be. Could the widespread abuses of the right to privacy that we have seen in the US, the UK and elsewhere in the North, and as revealed so dramatically by Snowden, take place here too? And if so, what are the implications for the quality of South Africa’s democracy?

OBJECTIVES OF THE BOOK AND THEORETICAL OUTLOOK

In this book, I attempt to answer the following key question: to what extent is South Africa becoming a ‘surveillance society’ governed by a ‘surveillance’ state, in which data-driven surveillance becomes a key instrument of social control? The book is motivated by a growing concern that contemporary societies are starting to experience unacceptably high levels of surveillance, and that South Africa may be no exception to this general rule. But there is little understanding of how surveillance is being practised in South Africa, the extent to which it is being routinised, and the implications of all this. In this book, I seek to establish patterns in the way surveillance is practised in the country, and attempt to explain the phenomenon in the context of the country’s post-apartheid political economy. I will focus particularly on the extent to which political surveillance is being used to stabilise social relations – which have become increasingly fractious since the 2008 global recession – and on the relationship between political surveillance and the economic expansion of the industry. In order to maintain this focus, I do not delve deeply into the social or cultural aspects of data-driven surveillance (or ‘dataveillance’). The commonsense understanding of these issues is that the surveillance state is expanding and that privacy is dead. But the workings of the world of surveillance are not self-evident, which is hardly surprising as so many surveillance practices are still shrouded in secrecy.

I consider the relevance of Snowden’s revelations for South Africa, which does not face any major terrorist threats, and yet inexplicably still engages in mass surveillance. Drawing on a wealth of surveillance studies literature, I look at what is driving the worldwide assault on the right to privacy by state surveillance practices, and how these problems are manifested in South Africa. In exploring these issues, I will focus particularly on those who are most vulnerable to abusive forms of state surveillance because they challenge how power is organised in society, namely political activists, as well as those who write about and defend these change agents, namely academics, journalists and lawyers.

In mapping the growth of ‘surveillance state’ practices in South Africa, I look not only at the globally controversial issues of surveillance of communications, but at more ‘benign’ data-driven tools developed in the North to enable the state to track its subjects, such as bulk personal datasets recording people’s banking transactions, location data and biometrically based identity systems, and the growing use of invasive technologies like CCTV and drones in public spaces. After having mapped the nature and extent of the problem, I seek to answer the following questions: What concepts are needed to mount successful resistance to these practices? What resistance practices have succeeded or are likely to succeed, what social forces and actors are most likely to mount successful resistance, and under what conditions are they most likely to succeed? To what extent are companies pushing back against state surveillance, or are they complicit in the problem? What kind of society do we want to live in? Should this be a society where every movement is tracked, and where there is no such thing as private space anymore?

A key challenge to mounting successful resistance to surveillance is that so much of it is mobile and invisible; people may not even be aware that their movements are being tracked through their cellphones, for instance. In exploring these questions, I seek to contribute to a growing body of literature on privacy, surveillance and resistance, but from a Southern perspective and with a particular bias towards working-class political and social movements as actors. So much of the literature on these questions focuses on the global North and the middle-class NGO activists who campaign against unaccountable surveillance. These questions are important because – in spite of significant gains – the public outrage in the wake of the Snowden revelations has not translated into game-changing collective action against mass surveillance, and this has exposed some of the limits of NGO-led privacy advocacy. South Africans are likely to become much more sensitive to privacy issues as the country’s information or privacy regulator is being established. A comprehensive analysis of how worried we should be about these problems should hopefully set an agenda for this regulator in the years to come. While this book uses developments in the global North as a touchstone – which is necessary given that the Snowden revelations were largely about surveillance abuses in the North – it is focused on South Africa, and should therefore be considered a single case study of surveillance in South Africa, rather than a comparative study of several countries.

My outlook is critical in nature, and I embrace a critical political economy approach to explore the above-mentioned questions. Political economy focuses on the structures of control in capitalist society and the production of wealth needed to reproduce that society.³⁹ In relation to communication studies, political economy examines power relations in the functioning of communications systems and embeds this analysis in the social context in which communications take place.⁴⁰ Political economy can provide the conceptual tools to examine the relationship, if any, between political, economic and communications power and to analyse the impact of commodification of communications on the ability of people to receive and impart information. Furthermore, political economy’s emphasis on engaged research is of relevance in that the theoretical insights offered by such analyses can be used to develop effective intervention strategies in the real world, to solve real social problems.⁴¹ In other words, this book is premised on the need to transform power relations and ensure a more just and equal society. It assumes that under capitalism, communications systems are structured to reproduce and reinforce elite interests; but, equally, communications systems are key sites of struggle and communications tools are important assets in that struggle. However, it does not assume that the capitalist economy determines communications content in any simplistic, deterministic way. Communications messages are not mere reflections of the capitalist base. Whether these systems are used in the service of the ruling class or the working class is determined by real-world struggles. That is why I use the word ‘critical’.

While critical political economy is a fairly well-developed approach to communications studies generally, and media specifically, it is not as well developed in relation to surveillance studies, which itself is an emerging field that studies how the collection, storage and processing of information have become integral to the functioning of contemporary society.⁴² A world in which privacy is truly respected will be impossible without successful struggles for justice and equality, as the ability to enjoy rights such as privacy will remain the preserve of a select few. Owners of the means of production will continue to define the conditions under which this right is enjoyed on a widespread basis. We must not resign ourselves to thinking that a world where privacy is invaded on a routine basis is the way things necessarily are, and cannot be changed. We must not accept unquestioningly the statement made by Steve Rambam that ‘privacy is dead – get over it’.⁴³ What is needed to mount an effective fightback is a thorough understanding of why the world looks the way it does at this current conjuncture. This requires not just analysis, but theory.

The problem, though, is that some of the key concepts that have been used to describe the surveillance state have not been particularly empowering. The panopticon, for instance, does not encourage people to identify the agents involved in surveillance. Theories of resistance to surveillance are underdeveloped, which makes it more difficult to see the world differently from how it currently operates. While surveillance has always been a feature of the capitalist system, its importance as a mechanism of social control has grown massively over the past two decades. This means that there are still many people who have experienced a world where pervasive surveillance was not such a problem. As a result, we are challenged to identify the particular political-economic and technical conditions that have given rise to the forms of surveillance being experienced today. Through an examination of surveillance in South Africa, this book seeks to address some of these broader theoretical questions.

THE RESEARCH PROCESS AND ANALYTICAL FRAMEWORK

The collection and analysis of information amassed through the research and journalism incorporated into this book have been guided by an analytical framework based around the following organising concepts: actors, interventions or actions, relationships, and outcomes or impacts. A series of sub-questions were then posed in relation to each concept. The frame directed the researchers to collect information about the different surveillance actors and their roles and responsibilities, the relationships between these different actors and how they were changing over time, and relationships between these actors and the broader political environment. The questions that guided the research process were as follows:

Interest groups

• The different actors: the main state surveillance ‘clients’ (the police, military and intelligence, and other state agencies), surveillance oversight bodies, communications companies, surveillance subjects, civil society and social movements. Who are the main actors, and what are their roles and responsibilities? Is there any evidence of other actors becoming active in relation to surveillance?

Interventions or actions

• The surveillance perpetrators: Who is undertaking surveillance and how often? What is motivating the surveillance? What forms of surveillance do they use (including the technologies), and are these changing over time? Are the organisations and individuals that are being placed under surveillance changing over time, and why? Where do they stand in relation to key power-holders in the state and society? Are some organisations or individuals more likely to be subjected to surveillance than others, and why? How much surveillance is warranted in that it is legal and pursues a legitimate aim, and how much is not?

• The surveillance oversight bodies: What interventions do they engage in to keep the perpetrators under review? How are they set up, and how independent and accountable are they? How effective are they at holding perpetrators to account if there are abuses?

• The surveillance subjects: How are surveillance subjects chosen? How do subjects respond to surveillance? Are particular social groups more likely to become subjects of surveillance, and, if so, who are they and why are they groups of interest? Do different categories of victim respond differently to surveillance? Under what conditions do subjects resist surveillance, and how?

• Communications companies: What are the roles of these companies in relation to surveillance, and are there shifts in their roles over time, and why? If they themselves engage in surveillance, what technologies do they use and how is this changing over time? Under what conditions do they enable surveillance, and under what conditions do they resist it?

• Civil society and social movements: What are the roles of these actors in relation to surveillance, and are their roles shifting over time? Under what conditions do they take up advocacy in relation to surveillance, what are the main organising concepts they use, and how successful have they been in resisting surveillance abuses?

Relationships

• The relations between these different actors: What are the relationships, if any, between private and state surveillance? Is decision-making among these different actors static or is it changing over time, and why? Are roles and responsibilities of these different actors clear? Which actor or actors seem to hold the power in relation to decision-making about surveillance? How are surveillance practices impacting on relationships among the different actors? Why do different actors support or resist surveillance? Do they act alone, or do they build coalitions of interest around this issue?

• Relationships between actors and the broader political environment: What are the relations of different surveillance actors to the broader political environment, and how are they impacting on this environment? What do the uses of surveillance tell us about broader political shifts?

Outcomes and impacts

• Outcomes and impacts of surveillance: How have different actors responded to surveillance or the threat of it? What are the impacts and consequences of surveillance? What are the impacts and consequences of resistance to surveillance? What forms of resistance work, and what concepts are the most empowering? What is the broader political significance of surveillance, and how does this significance (or lack of it) impact on civil society and social movement responses? If surveillance is being used for positive purposes, are positive impacts evident, and, if so, what are they? If surveillance is being used for negative purposes, are negative impacts evident, and, if so, what are they?

These sub-questions are then used to answer the overall question. These key elements of the analytical framework allowed me to develop an answer to the broader question of whether South Africa is becoming a surveillance society governed by a surveillance state, to construct some general explanations or theories about the contributions of surveillance to social control, and to propose some theoretical points about elements of resistance to surveillance.