Zimbabwe’s new cyber law to target online government and military critics

Comment & Analysis
Zimbabwe could sanction the search for government critics online, thanks to a planned cyber-security law earmarked to make it an offence to spread falsehoods and deal with leakage of official information on social media and the internet, The Standard can report.

Zimbabwe could sanction the search for government critics online, thanks to a planned cyber-security law earmarked to make it an offence to spread falsehoods and deal with leakage of official information on social media and the internet, The Standard can report.

Fired Health minister Obadiah Moyo is currently facing trial for a scandal over issuance of a tender to a company reportedly linked to associates of President Emmerson Mnangagwa’s family, after a protracted campaign on social networking platforms and online media that involved leaked documents.

But worryingly, the Cyber Security and Data Protection Bill, over which Parliament has just embarked on hearings for public input, could empower the military to spy on citizens online, according to a poignant notice from a senior civil servant.

On the day the army issued a statement expressing “grave concern” at alleged misinformation by online news media following a military clampdown in Bulawayo, the deputy chief secretary to the president and Cabinet, George Charamba, delivered an ominous warning through his Twitter handle.

“(The) Cybersecurity Bill will end this useless chatter!” he said.

Charamba attached the Zimbabwe National Army (ZNA) statement, signed by Major Alex Zuva, the deputy director of army public relations, and advised: “Statement from Army HQ. Read and understand!!!”

The warning, made against the background of several citizens having been arrested for alleged subversive statements on social networking platforms and elsewhere, was a strong signal of government’s intention to fortify online surveillance and clampdown on freedom of expression using the proposed law, which human rights campaigners had expected to herald the start of a democratisation process in the country.

Apparently, the commander of the ZNA, Edzai Chimonyo, had told senior commissioned officers a few months earlier that online media posed “a dangerous threat to our national security” and that the military would start snooping into private communications between citizens. He said social media was one of the tools being used for misinformation by detractors, who were resorting to “social media platforms to subvert security forces in pursuit of their own hidden agendas…”

Tabani Moyo, the Media Institute of Southern Africa (Misa)-Zimbabwe director, said there was “a genuine fear that military involvement will result in targeting of opponents and silencing of critics”.

Criticism of government and its institutions, he said, was necessary for transparency and accountability. “The military has no business in Cyber Security and Data Protection issues,” said Moyo, a freedom of expression advocate. “(This) shall be the domain of the proposed Cyber Security Centre and Data Protection Authority”.

He said Misa-Zimbabwe was advocating functional independence of these bodies, rather than for them to fall under the remit of the Postal and Telecommunications Authority of Zimbabwe, which already regulates telecommunication firms.

Misa-Zimbabwe was pushing for parliamentary oversight instead of having those bodies reporting to the minister, he said. “We, therefore, note that the military has no role in civilian activities and must be confined in the barracks and leave issues of regulation of the internet to civilian institutions through a pro-human rights approach to internet governance,” said Moyo. He described Charamba’s remarks as “a cause for concern as they bring into question the intentions of the executive, as he is the spokesperson of the presidency, behind the proposal of this law”.

“Misa-Zimbabwe acknowledges that there is a need for a regulatory framework that addresses cyber security and data protection issues. “However, such law should not be relied on to stifle free expression and media freedom,” Moyo said.

Since the emergence of the so-called second republic following a military-assisted takeover of power by Mnangagwa in November 2017, nearly a dozen human rights campaigners and opposition politicians have been arrested for alleged subversive statements on online platforms. Currently, a 36-year-old man, Lovemore Zvokusekwa is on trial for “publishing or communicating false statements prejudicial to the state” after circulating a social media statement suggesting that Mnangagwa would extend a lockdown imposed to control the spread of coronavirus.

While the Cyber Security and Data Protection Bill has the noble intention of curbing vices like cyber bullying and cybercrimes and increase cyber security, protect data in the public interest and deal with revenge pornography in a growing digital environment, critics fear an increasingly paranoid government wants to use it to clamp down on dissent.

Due to a crackdown on street protests, Zimbabweans have resorted to social networking platforms to express their disapproval of government policies as well as their political preferences.

Currently, the security men are on high alert due to social media agitation for mass protests on July 31 over economic hardships and a political crisis.

Targeting fake news

The Cyber Security and Data Protection Bill has laid down a number of offences related to electronic communication.

But at least two of these could be used to target critical media and citizens expressing themselves on online platforms, should their information be deemed to be untrue or false.

The Cyber Security and Data Protection Bill has proposed that any person who unlawfully, by means of a computer or information system, makes available, transmits, broadcasts or distributes a data message to any person, group of persons or to the public with the intention of inciting such persons to commit acts of violence against any person or persons or to cause damage to any property shall be guilty of an offence.

It also proposes to make it an offense for any person to unlawfully and intentionally, by means of a computer or information system, make available, broadcast or distribute data to any other person concerning an identified or identifiable person knowing it to be false with the intention of causing psychological or economic harm.

And to deal with an increasing leakage of official information on social media and its circulation, which recently resulted in the disclosure of a scandal in the acquisition of medical supplies to contain the Covid-19 pandemic, the Cyber Security and Date Protection Bill proposes to make it an offense to unlawfully and intentionally possess data knowing that such data was acquired unlawfully. Unlawful acquisition includes to use, examine, capture, copy, move to a different location or divert data to a destination other than its intended location.

Media outlets in the dragnet

Even mainstream media will not escape the prying eyes of security agencies under the Cyber Security and Data Protection Bill for content published online or posted on social media platforms. Moyo said the statement by Charamba implied that there was potential that the Cyber Security and Data Protection Bill would “be relied on and abused to persecute individuals and the media exercising their constitutional right to free expression”. “With regard to the context in which this statement was made, being a response to a purported communication of false information, it should be noted that the Criminal Law Code in section 31 also criminalises the publishing or communication of false statements prejudicial to the state. “The framing of false news offences was already criticised by the court in the case of Chimakure and Kahiya v the attorney general as resulting in self-censorship and ultimately curtailing freedom of expression. “The Charamba sentiments, therefore, also serve to cause a chilling effect on citizens in general and media practitioners in particular as far as the purposes of the Cyber Security (and Data Protection) Bill are concerned,” said the Misa-Zimbabwe director. He highlighted that the Cyber Security and Data Protection Bill was problematic in that it lumped together two broad issues of cyber security and data protection against best practices. This omnibus approach, he said, had resulted in similar circumstances with the Access to Information and Protection of Privacy Act (Aippa), which lumped together three complex issues such as access to information, media regulation and privacy. “This is the reason why there is a process of unbundling the law,” Moyo said. “These were the mistakes accrued at the turn of the century, to plunge into the same mistakes smacks of underhand dealings on the part of the government towards politicisation of the process aimed at compromising the right to privacy.” Mnangagwa a few days ago assented to the Freedom of Information Bill, which repealed AIPPA.

Moyo noted that mainstream newspapers, including state-controlled media, had established a presence on social media and online platforms to distribute their content due to the growing popularity of social networking sites. But this, he said, “should not be narrowly used by government to discredit all media platforms that write unfavourably about the status quo”. “Rather, it is a reflection of the new reality which has been brought about by the internet and technology and has impacted greatly the media industry,” he said.

“Traditional media has had to embrace and integrate social media and online media into its channels of dissemination of information. “This is a reality that the government of Zimbabwe cannot wish away through propaganda or other means,” he said.

State intelligence involvement

Before Zvokusekwa’s arrest, Mnangagwa took personal interest in the case, saying he had asked the Central Intelligence Organisation (CIO) to hunt him down so that he could be used as an example against circulators of fake news on social networking platforms.

Mnangagwa said he wanted him to “go in for at least level 14, which is 20 years imprisonment…to demonstrate that we don’t want false news to be circulated, especially if you are telling false news about the president”.

The offence had been brought into existence by a statutory instrument put in place to control information on the coronavirus pandemic, which had just resulted in lockdown measures after cases had been detected in the country.

The Cyber Security and Data Protection Bill will make it a permanent law on the country’s statutes. Opposition party members and activists have argued that the CIO, created as an external intelligence-gathering arm, has in recent years been used to target members of opposition political parties, human rights activists and government critics. In its statement on developments in Bulawayo, the army had “noted with grave concern the levels and rate of misinformation that continues to be peddled mostly by online news agencies”. It singled out one online news outlet that carried a series of stories that the army had taken over the city of Bulawayo, whose central business district had been sealed off from the public.

Soldiers, working with police officers, turned away commuters going to work.

Video footage showed officers chasing members of the public from the city centre.

The army described the reports, which later courted conflicting explanations from government bureaucrats and politicians, as “a blatant lie”. The army, the statement said “was, and is still assisting the police to enforce lockdown regulations in order to contain (the) Covid-19 pandemic”.

Surveillance capability

The surveillance capacity of state security services is unknown, but Moyo pointed out that Chimonyo’s warning that the army would start snooping into citizen’s private, online communication implied existence of tools to facilitate this. “There has generally been a lack of transparency around the acquisition of cyber security equipment and the conditions under which it is sold to Zimbabwe,” he said. Moyo pointed at the inadvertent disclosure of a deal signed by government in 2018 with CloudWalk Technology, a Chinese-based entity that is providing Zimbabwe with facial recognition technology, under which the country would give the company vast amounts of biometric and personal data.

“Apart from the fact that this constituted a violation of people’s right to privacy because no one had knowledge of or consented to the cross border transfer of their data, such close partnerships with the Chinese can result in Zimbabwe acquiring surveillance equipment to build a strong surveillance network in the country that would among other things be used to monitor online activities,” he said. Government signed a strategic agreement for cooperation on a mass facial recognition surveillance project with Chinese artificial intelligence firm Cloudwalk, and has been harvesting data at the country’s airports, state facilities and border points using facial recognition cameras with deep learning capacity supplied by Cloudwalk as well as another Chinese AI firm, HikVision. The cameras were also deployed in the eastern border town of Mutare, where government launched the city’s Smart City project in January, according to reports.

In terms of the Interception of Communications Act, all telecommunications companies had put in place infrastructure linking their mobile centres with authorities, who connect their own equipment to the system.

The Act had categorically placed upon networks the burden to ensure that their services had “the capability to be intercepted”. State security agencies also use IMSI Catchers, also known as GSM Interceptors, to track citizens’ movements and mobile phone usages. A senior police official last year told officers at a rebranding course that they had received the latest surveillance equipment from government, but declined to disclose the nature of the devices.

In a report on social media surveillance, Freedom House noted: “The booming commercial market for social media surveillance has lowered the cost of entry not only for the security services of dictatorships, but also for national and local law enforcement agencies in democracies, where it is being used with little oversight or accountability.”

Wider reach

Apparently, digital surveillance has been extended even into the financial services sector, where government fears its distractors are running riot in their efforts to undermine the economy.

In another post on his Twitter handle, Charamba said it was increasingly becoming clear to government that policing a hyper-literate society was “less and less about baton sticks and more and more about computer-aided illicit activities, which are money-related and transactional”. “Our security services, in their diverse permutations, will spend more and greater time in the markets than on the streets,” he said. “You don’t need celestial wisdom to know that the market now conditions politics on the streets. “This means the state now stabilises the streets from the markets. Call it security/market/street nexus!!” A few days later, government ordered the closure of the Zimbabwe Stock Exchange as it sought to stabilise the country’s defenseless currency. It also ordered the country’s biggest mobile money payment platform, Ecocash to stop all phone-based mobile money payment transactions “to facilitate inclusive investigations”. Measures against Ecocash, said sources knowledgeable with developments, were meant to bring the mobile payment platform within the remit of the central bank to allow monitoring. This, they said, would be achieved by ensuring the mobile money payment platform was connected to the National Payment Systems (NPS), which was established in 1998 to allow the central bank “to pay undivided attention to payment systems issues, given their significant contribution to financial stability and economic development,” according to a Reserve Bank statement. Currently, mobile money payment platforms are not connected to this surveillance system, and the Reserve Bank of Zimbabwe has had to rely on mere reports from the payment platform owners. Under the NPS, the Reserve Bank would be able to monitor mobile transactions in real time.

David Coltart, the opposition MDC-Alliance treasurer general, suggested the measures could have been meant to monitor donations to the opposition. “One interesting aspect to the government’s latest bizarre move to shut down Ecocash, is that it comes barely a week after the successful launch of the MDC-A website…which uses Ecocash to receive subscriptions and donations. Is this part of the reason?” asked Coltart, rhetorically. According to a Bloomberg report, the military was behind the closure of the stock market and Ecocash. Government spokesman Nick Mangwana, however denied this.

l Dumisani Ndlela is a journalist researching on digital surveillance with support from the Media Policy & Democracy Project jointly run by the University of Johannesburg and Unisa.