It has recently been publicized that South Africa's State Security Agency (SSA) was involved in 'bulk interception' of communications coming in and going out of the country. The initial reporting, thanks to Privacy International, revealed that the State Security Agency mainly tapped Internet traffic on undersea fibre cables.

Reading some of the court documents related to the State Security Agency and the case brought against it by South Africa's amaBhungane Centre for Investigative Journalism, you will come across the name Murray Hunter. Hunter at the time when these court cases were taking place, was working for a Right2Know, a South African civil rights organisation that, together with Privacy International, intervened on the case against the State Security Agency as friends of the court.

As such, I decided to quiz Hunter so he can shed more details on this mass surveillance, what it possibly involved and it means for South Africans. Hunter is also a researcher on digital rights and author of a children's book about surveillance, Boris the BabyBot.

Murray Hunter, a researcher on digital rights and author of a children's book about surveillance, Boris The Baby Bot.

iAfrikan: What is the context and background information on these revelations?

Murray Hunter: The most remarkable thing about all this is that we have known for over a decade that the state [South Africa] has been conducting mass surveillance, or 'bulk interception' as they call it - and that it's almost certainly unlawful. The excellent article published by our friends at Privacy International draws on evidence submitted in 2017 by Arthur Fraser, then representing the State Security Agency, in the ongoing court challenge to RICA, SA's surveillance law.

But what's interesting is that Fraser's admissions were actually an attempt at damage-control after the court was made aware of longstanding evidence of the state's mass-surveillance operations.

How far back does this mass surveillance in South Africa date back to?

So, Arthur Fraser said this is all being done according to a government policy adopted in 1999, although whatever that document is remains a mystery, but we had details of the state's mass surveillance activities at least as early as 2006.

That year, the state's intelligence watchdog publicly reported that rogue members of the intelligence agencies had used the SSA's mass-surveillance facility (known as the National Communications Centre or NCC) to spy on political operatives and journalists. (You can download the Inspector General of Intelligence's report)

A section of the the Inspector General of Intelligence's report discussing the risks of the surveillance project.

Then in 2008, the Matthews Commission, appointed by Ronnie Kasrils in the wake of this scandal, confirmed that the government was indeed conducting mass-surveillance through the NCC, and doing so unlawfully. (You can download the Matthews Commission report)

What was "tapped"?

The sources are vague about the details, but if we combine what's in those oversight investigations in 2006 and 2008, and Arthur Fraser's claims in 2017, it suggests that the NCC has been used to do 'bulk interception' of at least 'some' content and metadata from a range of sources, including internet traffic, telephonic communication, and satellite data.

So, they might not be able to collect all of it, at a technical level, but it seems that they're open to trying.

Fraser calls it “broad based environmental scanning”, whereby a great deal of data is collected from any and all sources, and then analysed for key words.

Essentially, the State Security Agency is collecting as much haystack as it can, just in case it needs to look for a needle.

We're talking here about people's most sensitive private information: Internet traffic, communications data. Arthur Fraser has tried to assure the court that this is non invasive because it's done by computers instead of humans, which really shows how out of date the state's thinking is on digital privacy. It's 2019 - of course it's being done by computers, just like nearly all the world's most invasive mass surveillance.

So the government has been quite upfront that it's collecting data from a vast number of people who are not suspected of any wrongdoing, and is analysed for all kinds of purposes. In fact, he says people's communications data is even being analysed for the purposes of food security and water security. So we're not even limited to serious crimes or terrorist acts here - just snooping through people's data to make sure nobody's talking about maize shortages or whatever.

Is this kind of spying legal?

Hell no. As early as 2008 the Matthews Commission warned that this kind of mass surveillance is unconstitutional, but there is *no law* that enables it. The RICA law, as bad as it is, is clearly designed to regulate targeted surveillance - whereby the state MAY be able to intercept the communications of a specific person or group of people, if they are being investigated for the most serious crimes, and if a judge has looked at the case and signed off on it.

There is no way a judge can meaningfully sign-off on the interception of a thousand or a million people's communications data, just in case one of them ends up being suspected of wrongdoing. Evidently, the State Security Agency agrees, because there's no evidence they even try run these operations past the RICA judge.

What is an acceptable form of tapping by the state?

Quite simply, digital surveillance can only be justified when it's limited to the most serious offences, targeted to specific suspects, and subject to independent oversight and transparency. The State Security Agency seems to think this is crazy talk, but the international 'Necessary & Proportionate' offer a world-class 13-point formula for how to do it.

What would be your advice to South Africans regarding protecting against being spied on in this manner?

As individual users, we should always be mindful of what steps we can take – seeking out simple security advisories like the Surveillance Self Defence Guide – but the real lesson here is that we need collection action as well.

The first step is to get informed. Let's read up on this issue. Let's support the work of journalists who are investigating surveillance issues.

Then let's deepen the public debate, because the places where this debate should have happened, like Parliament, have failed us.

Let's put privacy where it should be: as the centrepiece of people's rights in the modern era.

Because ultimately the people of SA don't just need better encryption, we need a better government. And until the state knows that there is a political cost to these abuses, it will never truly respect our privacy.