Comments for Stockholm Internet Forum (SIF14) by Alison Gillwald
Main Session 1 chaired by Stephen Sackur of BBC Hard Talk
Over the last decade Research ICT Africa has been conducting individual, household and informal business surveys on ICT access and use that provide insights into the critical demand side issues that continue to constrain ICT diffusion and adoption in Africa. This enables us to identify the very different ways voice communications, and now the internet, are evolving in Africa and in the global South in comparison to the North. For me, the discussion on privacy needs to be located in this context of constraint – the absence of affordable access, institutions, resources and often human rights – on which discussions of privacy are usually premised.
My own work seeks to bring a more integrated political economy approach to understanding internet governance. The uneven outcomes of internet governance require not only an understanding of the unevenness in access to and use of the internet, but also of the disparities between developed and developing countries’ abilities to effectively participate in global internet governance debates, agenda setting, policy formulation and particularly in the implementation and enforcement of public policy within democratic institutional arrangements.
The political and economic assumptions that underpin such discussions on internet freedom and internet governance, and specifically privacy in this case, using the EU frameworks as a so-called “best practice”, simply does not apply to vast parts of the developing world, making the proposed solutions – particularly compliance with increasingly globalised legal frameworks, whether through self-regulation or co-regulation – unlikely to succeed. On the economic side, the assumptions of internet access driven by affordable access and that of a decent quality (including the capability to utilise it), in addition to an abundance of social and economic activity (data and information flows) that prompt concerns about infringements on individuals’ privacy are both erroneous for many African countries. Similarly, on the political side, assumptions of freedom – respect for human rights, democracy and the rule of law – as a basis for which specialised areas of law and governance can be built are fallacious for many African democracies.
The fundamental notion of owning the right to personal privacy (or giving up some of your rights, including privacy, in exchange for the protection offered by the state or for the sake of national interest) through some form of social contract of the kind which informs jurisprudence as well constitutional and legal frameworks in mature democracies is simply foreign to many, arguably most, Africans. This is not to romanticise conditions in the US and the EU, or to fail to acknowledge the erosion of these rights in these jurisdictions over the last decade, but to point out that they simply do not exist in many countries in Africa. For many Africans there are no democratic constitutions or bills of rights that create the expectation of privacy (or for that matter, its counterpoint, the freedom of expression,) or that protect them from surveillance (the obverse policy rationale for eroding privacy) as assumed and evidenced in digital rights frameworks such as the European Directive. In the US, human and digital rights frameworks provide the basis for the indignation witnessed when Americans discovered that their government had its own citizens under surveillance (not foreign enemies), and the need on the part of the state to repair the loss of trust of its citizens.
For people searching for ways simply to gain access to communication services, specifically to the internet, many of whom have very low levels of e-literacy, issues of privacy are unlikely to be a priority and notions of privacy are likely to be quite different, for instance, across generations, and in different income groups. Without bottom-up pressure and greater awareness-raising from human rights activists, these are unlikely to be prioritised on national policy agendas.
This is unlike some other global governance issues like cybercrime or surveillance and interception which have rapidly diffused through many jurisdictions. Not that any of these issues should not be debated, and proportionally applied if African countries are going to create the environment of trust required for an open and free internet (including facilitating online commercial activity) but, from a policy perspective, issues raised in relation to digital rights which start with assumptions of legal, non-digital framework existence, and which simply seek to devise additional protections in a digital environment to safeguard privacy are flawed.
This is not to say that normative policies and pressures from multilateral agencies or economic communities or social movements should be dismissed, or the status quo accepted, or that they have not been very successful historically. The spread of global governance through the adoption of international standards, or so-called “best practice”, is what drove the liberalisation of markets in Africa over the last two decades, creating the conditions for the emergence of the internet on the continent and underpins the success of the mobile revolution in Africa on which internet uptake is entirely dependent. But there are lessons to be learnt from this.
Historically, epistemic communities driving reforms derived from global institutions such as the ITU, or multilateral agencies such as the World Bank or technical institutions such as ICANN, have been motivated by (important) economic imperatives, which have generally failed to understand alternative institutional arrangements, and therefore the necessary conditions for the reforms to be realised. Often, global “best practices” imposed or ‘sold’ to developing countries have ignored the political economy of sovereign states in which the implementation must be undertaken.
Internationally funded national projects are often implemented through a checklist of reforms – which include the creation of regulatory agencies, the development of a licensing regime, technical monitoring, the deployment of internet exchange points and, in the case of privacy regulation, the appointment of data commissioners – rather than being focused on the substance (openness, transparency, accountability) of the projects. In order to open markets and create free flowing information (and capital), global institutions and multilateral and donor agencies were, and continue to be, willing to overlook the lack of democratic rights or simply not to acknowledge that there is no shared normative position underpinning fundamental rights, policy principles or legal guidelines.
Uganda provides an example of the implications of this when the market freedoms associated with telecommunications reform collide with a regressive political agenda. Uganda was one of the earliest countries to open up a telecommunications market, establish a well-respected regulatory agency and promote a competitive reform agenda in Africa delivering mobile services to millions of Ugandans who had never had access to communications. It was a front-runner in identifying the need for regulatory intervention in line with global “best practice” regulation, especially where they would drive take-up – although the retrogressive tax regime impeded optimal adoption. While the need for a data protection regime to grow e-commerce has been identified and acknowledged by lawmakers and the regulators this is seldom located in a human rights context. As we move into an increasingly internet infused environment, and content issues such as rights to personal privacy or freedom of expression arise, the technical agencies of many African countries’ – which generally survive by avoiding politics and raising revenue for the treasury – inability to regulate such human rights dimensions become exposed.
Where there is an alignment of interests between Western states setting agendas, such as the post 9/11 anti-terrorism agenda which dramatically curtailed individual freedoms and bolstered state power in the name of national security, global governance guidelines and standards tend to be more rapidly adopted. While few African countries have adopted global governance guidelines to defended consumer and citizen rights to privacy, many African countries have found a way to swiftly comply with global surveillance and cybercrime guidelines – what Gus Husein has referred to as policy laundering.
In countries throughout Africa, national policymakers and regulators were unable to introduce interconnection or number portability into markets to improve access to lower prices in the first decade of telecommunications reform. Chastened by securocrats, they sprang into action committing massive resources to introduce compulsory SIM card registration. This has probably been one of the most efficient regulatory interventions in telecommunications that Africa has seen. It has also been one of the most counterproductive. In South Africa alone, over 1 million (primarily) poor people were unable to provide proof of residence, were not registered and were consequently unable to use their SIM cards. Of course, in time these numbers were made up as people found ways to regain access to mobile phones. I have at least half a dozen domestic workers, gardeners and illegal immigrants with SIM cards registered to my address. And has this policy limited crime? Possibly some. In Nigeria, the SIM card registration process was proudly linked to a full biometric profile that cost millions of dollars. Has this limited Boko Haram’s bomb attacks or enabled the state to find and bring back the 276 girls abducted from Chibok? Apparently not. Did the highly authoritarian post 9/11 Kenyan anti-terrorism legislation used to create a surveillance standard in the region stop the Westgate Mall massacres bomb blasts? According to websites that monitors the purchase of surveillance software (http://globalcause.net/ and http://no-spyware-for-dictators.eu/) in Ethiopia, the country with amongst the lowest internet penetration in the world and which seeks to filter internet content rather than prioritise the allocation of resources to developing the internet for its self-proclaimed purpose of economic growth and development, spent millions of dollars purchasing internet surveillance equipment and software.
Not that Africans are happy to be subject to a global internet governance system controlled by the US. Unlike their European counterparts, who may be riled by US control of the system, but relieved that at least it is the Americans and not the Russians or the Chinese, many Africans are not. In a study of 10 African countries, Research ICT Africa investigated the potential and limitations of cloud computing for UNCTAD’s Knowledge Economy report last year. In Ghana, Africa’s oldest modern democracy, several businesses expressed their distrust of American cloud providers storing their data on servers in the US – and this was before PRISM.
And even where there have been attempts to comply with global privacy and data protection frameworks and standards, as in the case of ECOWAS, the issue of effective institutional arrangements and capabilities necessary for implementation and enforcement, again, are assumed. The necessary independence of implementation agencies and their technical capacities to monitor, enforce penalties and arbitrate disputes are often absent.
To avoid leaving the impression that everything regarding internet freedom and privacy in particular in Africa is bleak and the challenges insurmountable, before I stop, I should stress that conditions that will create an open and free internet in which users are able to assert their rights to the degree they feel they need to is essential and should not be abandoned. Finding ways to do this requires, however, an understanding of the very different circumstances under which the internet has evolved in developing countries and to discard some of the assumptions underlying “best practices”. There are often lessons to be learnt from Africa. There are numerous examples to demonstrate the adaptiveness and innovation of users and providers under the conditions of limited trust or political and economic constraint. Mobile money provides a great example of an enabling technology that was able to overcome trust and privacy issues that plague online banking and commercial transactions, and to which reams of legal text are devoted in many more mature regulatory regimes. Mpesa, the mobile money product of Safaricom, the highly dominant national operator in Kenya, prior to the registration of SIM cards, was able to overcome the information entry thresholds assumed to be necessary to participate in online transactions in mature digital economies. It did so by offering airtime transfers without any personal identifiers beyond the SIM number, without any retention of data other than what the user chose to keep and the purchase amounts the vendor retained for reconciliation purposes with the providers. The only information required was whether there was sufficient money/airtime in the account/number the transfer was coming from without any unique identifier linking the SIM card to a person. There is a lesson in this for current data protection regimes and practices in which generally far more information is collected than may be needed or useful in future. In countries where there are few safeguards for citizens’ data being collected, retained and stored off shore, and in countries where data may be utilised against citizens to curtail their freedom, and where there are understandably low levels of trust, or sometimes even awareness that the dangers exist, developing enabling environments may require entirely different approaches to matters of privacy.
The need to find ways to protect individual and collective rights and build trust is critical in ensuring equality amongst citizens in their ability to enjoy the benefits of the internet. Conditions have to be found under which the public interest potential of big data from mobile companies can be used to provide critical statistical and planning data in the absence of government capacity in many developing countries. Similarly, it is important to create conditions that limit the unfettered commercial exploitation of private information without the necessary privacy safeguards, as well as those conditions that improve the ability of small enterprises or the public sector to benefit from secure cloud services able to provide software and services previously only available to large corporations.
So it is not that global practices and policy that protect personal privacy or constrain the use of data for commercial or surveillance purposes do not pertain to African countries. But when the democratic and economic premises on which global systems operate do not apply, the likelihood of the potential of the internet to improve information flows and reduce transaction costs diminishes.