Q&A: Zimbabwe’s Kuda Hove

‘There Are No Safeguards to People’s Right to Privacy’

By Maureen Nkatha

With no active law on how private data that is collected should be stored or handled, human-rights activists and privacy experts in Zimbabwe are questioning just how ready the country is for facial-recognition technology. 

The country’s Freedom of Information Act was enforced starting last July, providing citizens and media the right to access information. However, the law does not clearly outline how data collection is handled.

Kuda Hove, a policy officer at Privacy International, told Digital Privacy News that surveillance in Zimbabwe went beyond investigating crimes and was now used as a political tool against those speaking against President Emmerson Mnangagwa’s ruling party.

Hove, who holds a Bachelor of Laws degree from the University of South Africa, also led the Information and Communication Technology (ICT)’s policy and legal work at the Zimbabwean chapter of the Media Institute of Southern Africa.

Does the government’s surveillance activities infringe on citizen freedoms of expression and right to privacy? 

Yes.

The surveillance activities by the state are targeted and aimed at intimidating and silencing any dissenting voices.

In Zimbabwe, surveillance goes beyond the investigation of crime and is used as a political tool against those who dare speak against the ruling party.

That the surveillance is not curbed by any law means that there are no safeguards to people’s right to privacy.

The Zimbabwean Constitution provides for the right to privacy, but only a few people have access to the Constitution — and even fewer people have access to the Constitutional Court.

How safe are citizens’ personal data from government exploitation?

It is hard to effectively say how much of citizens’ personal data the government exploits.

But the lack of any data-protection safeguards, laws or policies makes it easier for the government to exploit data that is under its control.

Two recent examples give an idea of how government is exploiting citizen data.

What are they?

In the run-up to the 2018 general elections, the ruling party sent personalized SMS messages to people who registered to vote.

These SMS messages were urging voters to vote for ruling-party candidates at the parliamentary and presidential levels.

The information used to send out this information could only have been attained from the national electoral commission, because only citizens who had registered to vote received the personalized messages.

What was the other one?

In March 2019, it was reported that the Zimbabwean government turned over large amounts of biometric or facial data to a Chinese firm for the purpose of training that firm’s AI technology to recognize and differentiate between African faces.

Has the reported government surveillance changed since the inception of facial-recognition technology in Zimbabwe? Any fallout?

Despite reports that the Zimbabwean government acquired facial-recognition technology from China in 2019, there is no actual proof that this technology has been rolled out in Zimbabwe. 

Government representatives have denied any knowledge of the acquisition or use of facial-recognition technologies.

Surveillance in Zimbabwe is mainly in the form of communications surveillance allowed by the Interception of Communications Act, as well as through offline surveillance that is suspected to be carried out by state security agents and state intelligence operatives.

The Interception of Communications Act of 2007 (ICA) requires telecommunications service providers, such as mobile network operators and internet service providers, to make sure that communications transmitted over their networks are capable of being intercepted at all times.

Interception of communications is under the direction and guidance of the Monitoring of Interception of Communications Centre (MICC).

Little is known about the MICC — and there is no publicly available information to confirm whether it was actually established and operationalized after the billing of the Interception of Communications Act.

Does Zimbabwe have laws that limit government surveillance activities?

Zimbabwe currently has no laws that limit surveillance activities by the state.

Surveillance is reportedly undertaken under the guidance of the Office of the President. There is no oversight mechanism.

Any requests for information on Zimbabwe’s surveillance regime are likely to be dismissed on grounds of national security.

Do the surveillance activities go beyond the scope set by the ICA? 

The ICA only provides for the monitoring and interception of communications.

But Zimbabwe reports a large number of politically related abductions, forced disappearances and torture.

Surveillance plays a role in the commission of these acts by suspected state security agents and state intelligence details.

Such surveillance activities are extra-judicial, because they have no legal basis or justification.

Even in instances where these human-rights violations are reported to the police, there are no arrests or substantial investigations conducted by the police.

This lack of action lends credibility to the suspicion that surveillance — and the subsequent abduction, torture or forced disappearance — is done by state security agents.

Are there policies or laws that regulate how data captured by surveillance cameras is used or stored?

There is currently no law that regulates the use of CCTV cameras or how the media captured by those cameras is stored or processed.

Zimbabwe has no data-protection or privacy law since the 2003 Access to Information and Protection of Privacy Act was repealed by the Freedom of Information Act of 2020.

This situation will subsist until the passing of the 2019 Cybersecurity and Data Protection Bill. If passed in its current form, this law would provide a basic protection of data, including media collected by CCTV cameras.

It is still unknown when this bill will be finalized and sent to the president for assent. 

Maureen Nkatha is a writer in Nairobi, Kenya.

Sources: