Privacy red flags flying; OccupyGhana calls for detailed investigation by an independent expert

The Ministry of Communication (MoC) and the National Communications Authority (NCA) are on a collision course with IMANI Africa, OccupyGhana and the Ghana Chamber of Telecommunications over the privacy of telecom subscribers’ information.

While the two government institutions have assured that the equipment to be used by Kelni GVG to monitor real-time telecoms traffic are not capable of spying on subscribers, the two civil society groups and telecoms think otherwise.

Crunch meeting between telcos and NCA, MoC

As a result of this disagreement, information available to The Finder indicates that the Ghana Chamber of Telecommunications is pushing for a meeting with the technical experts of NCA this week to thrash out the issue.

To do real-time monitoring of telecoms traffic, Kelni GVG will have to connect their equipment to the billing and other nodes of the telcos to be able to collect real-time data for verification, among other things.

Ghanaian law prohibits them from using equipment capable of accessing the content of communication like text, voice and videos.

As a result, the Ghana Chamber of Telecommunications said in a statement that the architectural design of the Kelni GVG equipment and the points to which they want to connect indicate to them that the equipment can access the content of communication.

The telcos fear their subscribers could also sue them if it emerges that the revenue monitors listen in to their conversations.

The press statement by telcos said, “The current architecture seeks to connect beyond the equivalent point in the network where the network providers’ billings systems are connected.

“The monitoring mechanism has the capability to actively or passively record, monitor or tap into the content of any incoming or outgoing electronic communications traffic such as voice. The proposed connection point will risk exposing content of voice traffic,” it added.

But Communications Minister Ursula Owusu-Ekuful and the Director-General of NCA, Joe Anokye, have both said the NCA has put measures in place to ensure the security and privacy of consumers.

"If the privacy of their customers is their only worry, then let me tell the telcos that they can go to bed because we got them covered. We are not interested in people's private conversations and will apply the law fully to ensure that the vendor does not breach anyone's privacy," the Communication Minister said.

She further explained that the design of the monitoring equipment is such that whatever Kelni GVG sees, the telcos will automatically see in real time also, so if Kelni GVG violates anyone's privacy, the telcos will know and report for immediate action.



The Minister further stated that under the new monitoring regime, various categories of communication content go through different channels, adding that the monitoring equipment will only be connected and configured to collect data that is needed to verify the number of minutes, revenue and fraud-related information, but not the caller identity or content of the communication.

The caller identities and content will be going through different channels, the Minister said.

Joe Anokye believes telcos are overplaying the privacy card probably because they have something to hide.

"We have visited four countries where each of these telcos operate and they are happy to comply with real-time monitoring so why are they apprehensive about the same system in Ghana? Is it because they have something to hide?" he quizzed.

Mr Anokye said the telcos cannot be interested in the security and privacy of Ghanaians more than the government.

He said unlike in previous contracts, the current deal ensures that the monitoring equipment will be situated on the premises of the NCA so that government can also monitor and ensure security for Ghanaians.

He assured the public that on the Government of Ghana side, there are three data protection experts – a lawyer, an accountant and an ICT – who are particular about details and have a job to protect Ghanaians.

Joe Anokye is confident the monitors will be connected by the June 11 deadline for work to begin.



OccupyGhana raises critical privacy issues

Despite the assurances from the government officials, OccupyGhana says however laudable the government’s intentions are for entering into a contract to do real-time monitoring of telecoms traffic and whatever assurances and pledges have been made that the government does not intend to snoop on or tap into communications and correspondence, the law is simply that whatever mechanism is being deployed “shall not have” snoop or tap capability.

According to the group, if the allegations raised by the Ghana Chamber of Telecommunications are true, then the deployment of the mechanism with the statutorily prohibited snoop and tap capability is a breach of the law and the Constitution.

OccupyGhana agrees with telcos

OccupyGhana agreed with the chamber that “the voice transaction damp (sic) for the revenue assurance tool should be enough without risking individual customer privacy. We are minded that the law does not talk about intent but capability, which the current architecture processes (sic).”

The pressure group cautioned that the deployment of the Revenue Assurance Module under the contract should be limited to access to the service providers’ billing systems and nothing more or less.

“We also note that the contract has four modules; namely, (i) Revenue Assurance, (ii) Specific Voice, (iii) Geographic Location, and (iv) Mobile Money Monitoring. We think that the Revenue Assurance Module should be easy to implement, which would comply with the law, as long as all that the government has access to are the billing systems.

“We are concerned that the Specific Voice Module (‘traffic monitoring’) raises questions about the potential to monitor the content of communications in breach of the Constitution and statute. We also need to be convinced that the Geographic Location Module (‘fraud management’) is really relevant to the work that the government has to do, and does not breach the Constitution and statute.

“And we have doubts that with the launch of the mobile money interoperability platform that is monitored by the Bank of Ghana in real time, a parallel Mobile Money Monitoring Module is really required.

“Thus, while we appreciate the government’s probably well-intended aims under these contractual modules, it goes without saying that the modules may only be implemented in accordance with the law.

“But, more importantly, anything beyond this would also arguably be in breach of the privacy protections afforded by the Constitution and statute,” it said.



Detailed investigation and audit by an independent expert

“Detailed investigation and audit by an independent expert, of the mechanism to be deployed under the contract, particularly the Revenue Assurance, Specific Voice and Geographic Location Modules, to ascertain and ensure that any snoop and tap capability that is prohibited by law does not exist,” it added.

OccupyGhana disappointed in telcos for not suing NCA

OccupyGhana expressed disappointment that the members of the chamber, with such a strong and informed position on the matter, neglected or failed to commence legal action against the government to have this matter resolved once and for all by the courts within the seven-day limit imposed by law.

“However, moving forward, we must point out that in Ghana, the 2012 Data Protection Act protects both ‘data’ and ‘metadata’, i.e. data that provides information about other data.

“This falls under the definition of ‘personal data’ as ‘data about an individual which can be identified from the data or other information in the possession of or likely to come into the possession of the data controller’.

“Thus in Ghana, a person’s voice communications, as well as the fact that the person communicated with another person from a certain location and for a certain period (which is the kind of information that the ‘Real-Time Monitoring’ would have access to) are entitled to the same level of privacy protection under our law.

“As a matter of interest, while industry watchers are awaiting a decision of the US Supreme Court on whether the US government’s ‘acquisition of historical cell-site records created and maintained by a cellular-service provider violates the Fourth Amendment rights of the individual customer to whom the records pertain’, we in Ghana have no such problem.

“Accordingly, any system that obtains both data and metadata has to comply with the law,” it added.

OccupyGhana registered disappointment also at the profoundly deafening silence of the Data Protection Commission in all of these matters, adding that “it is important that when such issues arise, statutory bodies entrusted with responsibility to protect our rights act proactively in investigating them, speaking out and making their relevance felt by educating the public”.