The previous Sudanese totalitarian regime used several unethical and rights-infringing tactics to remain in power, including invasion of privacy through unfair laws and surveillance with imported technologies.
The regime was deposed in April 2019, following a series of protests in favor of democracy that ended 37 years of power. It now faces intense criticism for its violations. Sudan is at a critical moment in its history for a debate about the interaction between the State, the private sector and citizens in terms of privacy rights.
Sudan has embarked on a three-year transition to democracy and a civil government, and the transition authorities must evaluate reforms in order to promote and protect the right to privacy.
To spy on users and citizens, the deposed regime used surveillance and tracking technologies sold by Western companies. The regime had to import these technologies in secret due to US sanctions that prohibited the regime from acquiring them.
In July 2013, Citizen Lab, Toronto's interdisciplinary laboratory at the intersection between technology and human rights, identified the presence of a Blue Coat ProxySG device, which allows the interception of encrypted sessions on the Internet, in the network of Canar, a private Sudanese internet service provider. The device was sold by the Californian company Blue Coat Systems, which was later acquired by another US software company in 2016.
In February 2017, Citizen Lab published another report that mapped the use of spyware sold by the Italian company Hacking Team to governments around the world, including repressive regimes. The study found that 21 governments, including the one in Sudan, used the company's Remote Control System (RCS), which “allows government surveillance of encrypted internet communications of a target, even when the target is connected to a network that the government cannot intercept”. According to the same report:
RCS’s capabilities include the ability to copy files from a computer’s hard disk, record Skype calls, emails, instant messages, and passwords typed into a web browser. Further, RCS can turn on a device’s webcam and microphone to spy on the target.
This collaboration between Hacking Team and the Sudanese Government did not go unnoticed, and the international community questioned it. In June 2014, the United Nations asked Hacking Team to provide information about its sales to the Sudanese Government. According to a report by The Intercept, the “internal registries proved that the Sudan National Intelligence and Security Service paid 960,000 euros (US$1,071,504) for the Remote Control System.”
Existing legal framework
Under Sudanese law, authorities can access user data after obtaining the order of a prosecutor or judge. Article 74 of the law regulating telecommunications and mail clearly allows interception, surveillance and listening – only by order of the prosecutor or a specialized judge – and offenders are punished with five years in prison, a fine or both.
Unauthorized interception and listening are illegal. For example, the cybercrime law of 2007 establishes a penalty of up to three years in prison, a fine or both for anyone who “intervenes, captures or intercepts a message through a computer or information network or similar hardware without authorization from the prosecutor or the competent authority or who owns the information.” The term “competent authority” is undefined, which leaves the law open to abuse.
Article 28 of the electronic transactions law of 2007 penalizes anyone who reveals encrypted data to any unauthorized party, or accesses any information without approval, with ten years in jail, a fine or both. The law addresses financial transactions such as online payments and legal contracts.
The 2016 anti-corruption law protected the privacy rights of informants, and sanctioned anyone who disclosed their personal data with two years in jail, a fine or both.
Although these laws offer protection, in practice they are not enough to protect the privacy and data of Sudanese users from government surveillance.
Indeed, the previous regime's use of surveillance tools such as Hacking Team's Remote Control System and Blue Coat ProxySG shows how the authorities could violate the privacy of users without the need for a court order.
The use of imprecise terms such as “competent authority” – as in the cybercrime law of 2017 – without a clear definition gives telecommunications companies a pretext to deliver user information to security agencies, even without a court order.
In Sudan there is no independent supervision of how the Government and the private sector handle data. For example, in February 2014, the Sudanese Parliament publicly examined the invasion of privacy by the National Intelligence and Security Service (NISS) through internet service providers and telecommunications companies, such as MTN-Sudan, ZAIN SUDANI and CANAR.
No independent investigation has been initiated, and local media reported that the then Minister of Telecommunications refused to say whether legal surveillance of telephone calls and online activities was being carried out.
In addition, Sudan has no data protection authority or data protection law regulating the collection, storage and use of personal data by the Government and the private sector. A basic principle of an effective data protection law is to establish an independent regulator that oversees the implementation of the law. In the absence of a legal framework, personal data will be at risk of misuse and abuse not only by the Government but also by the private sector.
The existing legal framework does not include provisions that require companies, websites and organizations to publish or maintain a written policy that explains their data collection or dissemination practices.
For example, online startups in Sudan that rely primarily on electronic payment lack transparency on how they manage their users' information. Online shopping platforms such as Dukan, Maglag and Sahla publish privacy policies that reveal limited information, or no information, about data collection, retention and dissemination. Other e-commerce sites such as ma3roud do not publish privacy policies. Shared transport applications such as Tirhal, Lemon and Tarha offer links to privacy policies on the pages of their applications, perhaps as an attempt to meet the registration requirements for the Apple and Google Play stores. However, these links only direct users to the companies' websites, which do not include privacy policies.
As part of a power-sharing agreement to guide Sudan through the three-year transition to a civil government, the Transitional Military Court and the political coalition representing the protesters, Freedom and Change Forces, signed the Constitutional Statute for the Period of Transition 2019.
Article 54 of the statute enshrines the right to privacy. It states: “Nobody's privacy will be violated nor will it be allowed to interfere with anyone's private or family life in their home or correspondence, unless expressly provided by law.”
However, in the absence of reforms to strengthen and protect privacy, this right remains under threat. An effective data protection law in Sudan, in line with international human rights standards and best practices for data protection, is crucial to close legislative gaps.