Uganda's Grand Ambitions Of Secret Surveillance
We hate to say we told you so.
Privacy International has for years warned that powerful surveillance technologies are used to facilitate serious human rights abuses with insufficient technological and legal safeguards against abuse.
We now have the most solid evidence to date that we were right. Our latest investigation uncovers disturbing evidence that substantiates our long held concerns.
Today Privacy International publishes an investigation (PDF) into communications surveillance in Uganda. We detail the sale of intrusion malware FinFisher by Gamma International GmbH (‘Gamma’) to the Ugandan military. FinFisher was the ‘backbone’ of a secret operation to spy on leading opposition members, activists, elected officials, intelligence insiders and journalists following the 2011 election, which President Museveni following evidence of vote-buying and misuse of state funds.
The Police and military deployed the spyware specifically to “crush…civil disobedience” and “cra[ck] down [on] the rising influence of the opposition” by “blackmailing them”, according a secret briefing document prepared for President Museveni.
Here we summarise our findings and explain their importance in the context of Uganda’s presidential elections next year.
A building in downtown Kampala bears the logo of Africell, a telecommunications providers. Providers are required to comply with lawful interception requests according to Uganda’s Regulation of Interception of Communications Act (2010). Photo: Privacy International, 2015.
Kampala, We Have A Problem
In late 2011, Uganda's Police and military were busy quelling domestic unrest. In April of that year, activists and opposition politicians had launched protests across the country to draw attention to police brutality and the increasing cost of living. They encouraged Ugandans to peacefully walk to work.
Government forces killed at least nine unarmed persons in the first month. Over 100 were injured. Over 600 people were arrested and detained; some bore marks consistent with allegations of whipping and beatings. Members of Parliament were arrested, manhandled and placed under 24-hour surveillance and preventative detention. The leading presidential challenger, Kizza Besigye, was dragged from his vehicle and pepper sprayed in the face, sustaining serious injuries.
These are all serious human rights issues that we would expect any of Uganda's potential business partners and investors to be very concerned about. Nevertheless, Gamma supplied the Government with surveillance malware suite FinFisher shortly before the launch of a second round of protests. The Government subsequently used FinFisher with the aim of consolidating the ruling NRM party's power.
Opening His Eyes
On 13 January 2012, President Museveni launched Operation Fungua Macho ('open your eyes' in Swahili) by military radio message, according to the documents.
Covert FinFisher 'access points' were installed within Parliament and key government institutions. Actual and suspected government opponents were targeted in their homes. Hotels in Kampala, Entebbe and Masaka were also compromised to facilitate infection of targets' devices. The CMI solicited state funds to 'bribe' collaborators to facilitate infections and intended to use collected information to 'blackmail' targets, according to the documents.
A greying photo of President Museveni watches over a hotel business centre in Entebbe. Photo: Privacy International, 2015.
The company of friends
These are serious accusations. How can we believe just one briefing document that was prepared for President Museveni?
Because we have a number of other documents that further substantiate elements of these claims. Over the course of our investigation, we obtained original documents from independent sources that shed further light on the Government’s surveillance plans and relationship with a number of companies, including Gamma. The details of Fungua Macho are detailed in a single intelligence document which we believe to be authentic. But documents and testimony from independent sources in and out of Uganda further substantiate the Government’s sustained relationship with Gamma, and its ambition to buy further surveillance tools over subsequent years — and the key players who come up, time and again, to develop the state’s surveillance capacities.
On 19 and 20 January 2012, around the time Operation Fungua Macho was launched, two Gamma officials met with senior intelligence officials in Kampala and briefed them on FinFisher’s capabilities, according to a company Powerpoint presentation.
Then, in June 2012, Ugandan police and military officials travelled to Europe as guests of Gamma to attend ISS World, the key international surveillance trade show, according to a Gamma visitor program. At Gamma’s Munich headquarters, they learned more about the surveillance products from Gamma partner companies from around the world — Trovicor, Utimaco, Polaris, Cobham, among others. They then travelled to Prague, staying at the Clarion Congress Hotel while attending the trade show.
Mission creep
Meanwhile, the Ugandan Government has been attempting to procure a communications monitoring centre, five years after its Parliament passed the Regulation of Interception of Communications Act.
In 2013, the inter-agency Joint Security/ICT Technical committee invited bids for the project from seven technology companies based in China, Israel, Italy, Poland and the United Kingdom, in another government briefing document from another source.
Some familiar names were on the shortlist to supply the monitoring centre — Huawei and ZTE, NICE and Verint — and some less well known contenders — Macro System and RESI Group. And, of course, Gamma Group International. Later in 2013, Gamma’s representaive in Munich, Stephan Oelkers, returned to Kampala at least three times.
Fast forward two years. The Ugandan Government appears closer to finalising plans to purchase a monitoring centre. According to internal emails of surveillance technology company Hacking Team, NICE Systems was one of the frontrunners for the project. The Uganda Police was also looking to buy Hacking Team’s intrusion malware through a trusted contact — a former Presidential IT advisor and, worryingly, an important media mogul.
Here we go again
All of this is particularly worrying because next year Ugandans will vote in the fifth presidential election since President Museveni first came to power, where he has stayed ever since.
The Government is widely assumed to be increasing its surveillance efforts against people opposed to President Museveni’s candidacy, as journalists and activists prepare to weather the political storm.
When BBC Newsnight went to Uganda to report on this investigation, government spokesperson Colonel Shaban Bantariza told them: “Political opponents are not enemies in Uganda. We don’t treat political opponents as enemies, we treat them as people who have got alternative political views.” In any case, he said, “the onus is on those who are alleging [surveillance] to prove [it]”. Be careful what you wish for.
For God and my President
Perhaps the saddest part of the story is that FinFisher — which Gamma claimed in its response to Privacy International is used to combat terrorist threats, drug cartels and other organised crimes — was deployed to consolidate the President’s control of the country through whatever means possible, including bribery and blackmail.
The use of surveillance technology in this way has chilled free speech and legitimate expressions of political dissent.
Uganda’s intelligence officials know its power. As Michael Bbosa, then Director of Technical Intelligence, says “with funds being made available, this whole dilemma of incomplete datum especially when approaching challenges (like the Walk-to-Work demos) would be history”.
Covert, extrajudicial surveillance projects like those documented in our investigation have contributed towards making Uganda a less open and democratic country in the name of national security. Until and unless these issues are addressed, claims that Uganda is a burgeoning democracy ring hollow.
For more visit: https://privacyinternational.org
Update: 16/10/15: Statement by Privacy International in response to the Ugandan Government press conference
Privacy International has been made aware of the Uganda Media Centre’s press conference today in Kampala following the release of Privacy International’s report “For God and My President: State Surveillance In Uganda” and BBC Newsnight’s broadcast based on the report. We would like to address certain points raised by Colonel Shaban Bantariza today.
We are confident that all documents presented in our report are genuine documents. We have undertaken extensive corroboration of all the documents we have been provided. We look to Uganda’s press to follow up on the story and bring to light more surveillance in the country.
Our report is based on extensive research and evidence, including six sets of documents. Besides the Fungua Macho briefing memo drafted by the CMI Director of Technical Intelligence in January 2012, these include: a visitor program of Ugandan government officials’ travel to meet with Gamma in 2012, a Ugandan government document indicating that seven firms including Gamma were invited to tender for a lawful interception monitoring centre, and corroborating evidence including a Powerpoint presentation delivered specifically to Ugandan officials, with business cards — all amongst other information referenced in the report.
Many of these documents were obtained from independent sources both within the surveillance industry and the Ugandan government. The evidence taken as a whole shows a sustained and close relationship between Government of Uganda officials and Gamma Group officials from 2011 through 2013. The Government of Uganda appears not to have commented on the bulk of the documents, rather focusing on discrediting the Fungua Macho briefing memo.
Furthermore we note that the Regulation of Interception of Communications Act (2010) does not regulate the use of intrusion malware like FinFisher. Rather, the law only covers interception of communications, as conducted through Uganda’s service provider networks. The use of FinFisher amounts to “hacking” an individual’s device. The Fungua Macho operation — which appears to have been completed without any reference to judicial oversight or warrants — was thus not within the realm of law. Our report contains a more detailed legal analysis.
We encourage Ugandans to read the report for themselves. We remain open to engaging the Uganda Government in our goal of ensuring that surveillance is conducted in a legal and transparent manner with the interests of all Ugandans at heart.