By Heidi Swart
If you are tweeting or posting about a “security threat”, law enforcement can fish you out of the ocean of the world’s 2.6-billion social media users. Using special surveillance software, they can gather posts from platforms to identify you, and walk right up to your front door. Governments buy this data from surveillance companies, who in turn buy it from social media companies. But security threats are what governments decide them to be. These include certain protesters, non-profits and journalists. In a country where intelligence services are known to commit corrupt surveillance practices, can the law protect us from misuse?
There’s a reason why Stephen King’s IT first appears as two blazing eyes in the darkness, and why it scares the crap out of you every time you watch it. It triggers the instinctive fear of the hunted. It’s a hard-wired reaction that’s allowed our species’ survival. A successful predator sees you long before you see it. By the time you do, it’s too late.
But, in the world of the virtual, the visceral is lost. Removed from flesh-and-blood face-offs, we visibly share our lives on social media. And social media giants collect vast amounts of data about us. For an example, log into your Facebook account. You can download your personal information – over 50 data categories – stored since you first joined. Posts, messages, tags, pokes, searches, the friended, the unfriended, login locations, facial recognition data… For a complete list, go here.
Social media companies assure you that your information is protected, even if your data is sold to marketing companies, since marketer’s shouldn’t able to identify you. Generally, advertisers tell the social media company what demographic they want to target, and then the social media company will ensure that the advertisements find you if you are part of that demographic. This is how specific adverts land on your Facebook page. Bottom line: a salesman or stalker won’t visit your house.
But that doesn’t mean the state won’t. And that includes the South African government.
To find you, intelligence services needn’t hack your social media account, or get a court order to force a social media company to release your private data. What they need are your public Twitter, Instagram or Facebook posts, and the right social media surveillance software.
And, just as social media giants sell your data to marketers, they also sell it to surveillance software companies, who then sell it on to government intelligence and law enforcement agencies. Ultimately, the state can use your public social media posts to identify you and walk right up to your door. This outcome is very different from being targeted with advertisements.
To understand just how invasive the technology can be, it helps to take an in-depth look at an example of software being used in South Africa, namely Media Sonar. The product is designed and sold by a Canadian firm by the same name. The DM has established that the software is also being employed in South Africa to assist our intelligence services.
Media Sonar’s strength lies in its ability to monitor social media activity within a specific geographic area. Company marketing materials uploaded to the US’s National Security Internet Archive in February 2016, assert that Media Sonar can monitor Facebook, Twitter, Instagram, Picasa, YouTube, Flickr, FourSquare and Vines.
The software aims to identify security threats. Threats can be whatever governments decide them to be. In South Africa, they also include protesters, non-profits and media agencies that speak out against the ANC.
Media Sonar allows for “geofencing”. You can cordon off, by specifying GPS co-ordinates, an entire region, town, neigbourhood, or campus. You can also pinpoint a single address. Then, the public social media posts of people who are in the geofenced space can be picked up.
Currently, this is how intelligence services in South Africa approach the matter too, as one industry expert who spoke off the record explains: “From a monitoring point of view, the minute it’s out in the wild, it’s considered published, so you don’t need a warrant to specifically look at somebody’s Twitter or Instagram profile, or whatever the case may be.”
Regulation only kicks into action, says the source, once authorities require information that the user didn’t make public. For instance, once a potential criminal’s Twitter handle has been identified, intelligence services may want to find the email address or telephone number associated with the account. For this, says the source, intelligence services need to apply through processes provided for in the Mutual Legal Assistance Treaty between South Africa and the United States. This treaty allows the two countries to exchange information about investigations happening in both or one of the countries. This process is facilitated by the Justice Department. Says the source: “There’s no other way to get that stuff because it’s not publicly viewable.”
In addition, should SA’s intelligence services wish to set up a false account to go undercover, that would be treated like any other undercover operation, and be regulated by the Criminal Procedures Act.
But stricter data protection regulations are on the way. Alison Tilley is an attorney and head of the advocacy department of the Open Democracy Advice Centre. She’s also a member of the South African Law Reform Commission Project Committee on Data Protection. She says that storing and analysing social media data is not a free-for-all, thanks to the Protection of Personal Information Act (POPI).
Tilley explains: “So if you gather, process or store personal information, you are subject to the provisions of POPI.” Tilley says that your social media posts may be public, but that doesn’t mean they’re not personal and therefore protected by POPI.
“It’s not a question of it being public. It’s a question of why you put that information up there. It’s personal information which you make available. You do that because you want to make a comment on something. If somebody then takes that information and they record it and they then start to mine that information, that then becomes the processing of that data.”
So, how does POPI protect people from social media surveillance? Guidelines to POPI published by the Law Society of South Africa earlier this year provide some answers.
One restriction, is that your data should not be stored for longer than necessary.
Another, is that the purpose of processing the data must be clearly defined, and must be related to the intelligence services operations. Thus, if your public posts are collected and analysed for surveillance, there would have to be a good reason.
Says Tilley: “If you (as a social media surveillance company) gather it (personal data) off Twitter, and then sell it on to somebody, I think you can be sure that the people who posted that information did not consent to that. So the question would be, what is the purpose in doing that?”
The government (or companies appointed by the government) may process personal information if the purpose is to “safeguard national security” or for “the investigation and prosecution” of crimes. But this is subject to the establishment of “adequate” legislative “safeguards” to protect personal data. The onus is on our intelligence services to draw up such regulations.
In practice, however, social media surveillance in SA remains largely unregulated.
POPI, although it was signed into law in 2013, is still to be implemented, and special regulations pertaining to data processing for surveillance purposes are yet to be made. For now, you just won’t know if the clown is watching you. DM
This story was commissioned by the Media Policy and Democracy Project, an initiative of the University of Johannesburg’s department of journalism, film and TV and Unisa’s department of communication science
Heidi Swart is a journalist who has extensively investigated South Africa’s intelligence services