Malawi Is Acquiring Expensive Gadgets that Might also Spy on its Citizens. MACRA’s CEIR Cost K2 Billion, But There’s More…
BY EARLENE CHIMOYO
Scammers follow a familiar routine, yet they continue to deceive people. A common scenario involves a caller who claims to have goods sent by your relative in South Africa but needs money to clear the border fee.
In some cases, the caller might allege that money was mistakenly sent to your mobile phone and ask you to send it back. Sceptics check their balance and realize no money was sent in error. However, many still fall victim to these schemes and send money to the fraudsters.
So, who are these fraudsters? They are prisoners orchestrating cyber fraud schemes using multiple SIM cards from inside a jail. The state has pledged to end this criminal activity and has acquired a state-of-the-art security system known as the Central Equipment Regulatory Authority (CEIR). This system, implemented by the Malawi Communications Regulatory Authority (MACRA) this year, is designed to track citizens’ phones.
The CEIR’s capabilities extend beyond identifying those involved in financial scams. The system will block not only SIM cards that are stolen or used in fraudulent activities but also the gadgets hosting the number.
However, it poses a hidden threat to democracy because, when in sync with SIM card registration, it enables, to some extent, widespread state surveillance. Investigations by the Platform for Investigative Journalism (PIJ) have revealed that this system cost taxpayers K2 Billion and may be part of a broader expansion of the country’s surveillance infrastructure.
Recent research conducted by the Institute of Development Studies and the African Digital Rights Network has uncovered that governments in Nigeria, Ghana, Morocco, Malawi, and Zambia collectively spend at least $1 billion annually on digital surveillance technology contracts. These contracts involve companies from the US, UK, China, EU, and Israel, contributing to the growth of digital surveillance technology across these countries.
“Malawi has spent over $27 million on surveillance contracts for mobile interception and biometric ID,” reads the research findings.
Most of the areas this expenditure covers remain murky, raising fears that it is for more surveillance-related activity.
State Eavesdropping & Subsequent Arrests
In 2011, MACRA procured the Consolidated ICT Regulatory Management System (CIRMS), popularly known as the Spy Machine, which telecommunications operators in Malawi objected to as it allegedly allowed the regulator to eavesdrop on their subscribers. One of the operators obtained a court injunction stopping the use of the machine.
The law guiding electronic monitoring bars the regulator from using systems that can eavesdrop. Section 8 of the 2015 Electronic Monitoring Regulations stipulates that the authority shall ensure that its monitoring system is established in a way that does not access voice and data content transmitted through a licensee’s network.
The 2022 Freedom House Report cites one case that suggests that the Malawi government is illegally monitoring the communication of its citizens. The report refers to a case of a citizen who was arrested for comments made on an encrypted communication platform.
“There were credible reports that the government monitored private online communication without appropriate legal authority. For example, on May 1, police arrested Chidawawa Mainje based on his fully encrypted private communication on a social media platform,” reads part of the report (see section 1.f.).
In the case of Mainje, a senior officer in the Malawi Police Service Cybersecurity Unit, Gladwell Kubwalo, disclosed in an interview with PIJ that the WhatsApp message that got him (Mainje) arrested was acquired through a tip.
“Somebody reported it to us,” Kubwalo said.
He indicated that they do not have sophisticated software that can give them access to communication contents; hence, they sometimes work with MACRA and MNOs to be able to track suspects and/or victims.
“What happens is that most cases are reported; I should say all the cases are reported. We receive complaints, but it varies how complaints are reported or brought to our attention,” explained Kubwalo.
Kubwalo pointed out that some cases come to them through MACRA and others through the MNOs, and they take things from there.
A similar case was recorded in 2021 of a woman (Irene Chisulo Majiga) who got arrested for circulating, through WhatsApp, a voice note which had false information. She pleaded guilty to the accusation and was ordered to pay a K 50,000 fine.
While we were compiling this article, three women, including a police officer, were arrested on October 23, 2023, for what National Police Publicist Peter Kalaya described as being behind the “creation and circulation of false and malicious information” that went viral on social media (WhatsApp).
The voice notes in question concerned the arrest of a personal assistant to a cabinet minister over murder charges.
The Tales of CEIR
Regarding the CEIR and its functionality, an IT expert employed at one of the leading telecommunications companies, who is well-versed in the CEIR’s operations and requested anonymity as his company had not authorized him to discuss the matter openly, said that while telecommunications companies are unlikely to engage in data sharing that may be illegal, their primary concern revolves around the need for clearer guidelines on preventing misuse of the new system, which can block specific numbers.
He further elaborated that combating fraud won’t rely on operators or regulators detecting misconduct through message content or eavesdropping on conversations.
Instead, MACRA will monitor the serial numbers associated with alleged criminal activities and will have the ability to simultaneously block both the suspicious number and the device in use.
“The system will likely have an impact in addressing mobile fraud. For instance, consider the case of numerous scammers who have been tracked and apprehended; they often possess around 20 SIM cards. When one SIM card is blocked, they switch to the next one. However, the CEIR will not only block these SIM cards but also disable the handsets used, effectively ending the use of the other cards,” he explained.
Additional System Elements
Additional elements of the system include the categorization of mobile gadgets.
This classification will determine whether certain gadgets can freely access networks, be blocked entirely, or permit network access with tracking capabilities.
As highlighted by MACRA Director General Daud Suleman in a public notice issued on January 31, 2023, the system will also serve the purpose of maintaining a centralized registry of all equipment identities, thereby facilitating a comprehensive database of all valid equipment.
Malawi State Invests in Surveillance
According to the Africa Centre for Strategic Studies, a Pretoria-based think tank specializing in security and governance, at least 13 African countries, including Malawi, have invested in surveillance technologies. These developments have sparked significant concerns…
Digital Rights activist Jimmy Kainja, recognizing the relevance of such technology in the modern digital age, has raised a cautionary flag. He highlights potential negative implications, such as surveillance and politicization, which could threaten human rights.
“Most of the time, the issue is that when we embrace new technology, the focus tends to revolve around security and ensuring people’s safety. While that’s important, considering MACRA’s mandate to safeguard communication services for its people, we often, if not always, neglect the aspect of human rights,” Kainja emphasized during an interview.
CEIR In the Absence of Data Protection Law
Kainja also criticized the authorities for introducing the CEIR before establishing proper data protection laws.
“We needed data protection legislation long before implementing national IDs and SIM registration. All these measures should have followed the enactment of data protection laws. Today, we even have the Data Centre, yet nobody knows how the data we provide is used, who has access to it, and for what purposes,” Kainja wondered.
Malawi’s proposed Data Protection law has remained stagnant in some public offices for years. Currently, the sole safeguard is in Section 54 (1) (2) of the Communications Act of 2016, which includes a clause on the Protection of subscriber information. This provision prohibits the regulator or phone companies from disclosing subscriber information without High Court authorization.
In other countries with similar systems, legislation has been enacted to prevent abuse. For instance, Tanzania has a law that authorises and regulates the use of monitoring system equipment equivalent to CEIR, and Uganda has laws governing its CEIR, among others.
However, the absence of a Data Protection law in Malawi has raised concerns about the local regulator’s implementation of such advanced technologies, prompting questions about their intentions and motives behind these systems.
The Platform for Investigative Journalism (PIJ) has discovered that there is a need for the authority to use drafted regulations that require approval by local lawmakers when embarking on such technological advancements. This situation mirrors the introduction and procurement of CIRMS, for which the MACRA board approved the proposal document.
“It’s actually the board and the government because you submit your plans to the board, then go to the government for approval, and then you implement. But involving parliament is not required for monitoring equipment,” explained a well-placed source.
He also provided an example of how CIRMS was implemented during his tenure:
“For CIRMS, when it was being introduced, the approval processes extended to even President Bingu. He was briefed, and a memo was sent to him for approval.”
He pointed out certain ambiguities in the existing laws and provisions that grant MACRA authority over the acquisition of monitoring equipment.
“The current Act has an open-ended provision regarding MACRA’s authority. It explicitly states that the regulator may use electronic equipment for monitoring. It’s a broad and non-specific provision, lacking specific details,” he noted.
In a written response to a PIJ questionnaire, the regulator, through its Public Relations Officer, Wezzie Nkhoma Somba, clarified that CEIR is essentially a database designed to store unique identifiers of mobile devices, specifically IMEI numbers. These identifiers are crucial in tracking and managing mobile devices to prevent unauthorised or illegal activities.
The regulator affirmed that the primary objective of the CEIR system is to combat the growing issue of mobile fraud. Through this system, MACRA intends to establish connections with the networks of all Mobile Network Operators (MNOs) to facilitate comparisons of what they refer to as the International Mobile Equipment Identity (IMEI).
Addressing concerns about potential government intrusion into citizens’ private affairs, the regulator stated emphatically:
“No, CEIR does not access the contents of communication between subscribers; it solely deals with call identification data.”
Furthermore, the regulator clarified, “CEIR is NOT and DOES NOT harvest people’s data. Its function is to aggregate existing call identification data. … Both Airtel and TNM currently employ Equipment Identification Registry (EIR) systems, and it is standard practice for mobile operators worldwide to have such systems in place.”
In Defence of The Data Centre
While there have been quiet suspicions regarding the recently launched National Data Centre (NDC), suggesting it may function as a ‘big brother’-style server for monitoring the local cyberspace by both local and international authorities, MACRA has asserted that it will not engage in data harvesting through the CEIR system to feed the NDC, despite both systems being housed under the same roof.
The statement, “All MACRA systems are hosted in the NDC,” highlights the co-location of these systems.
Parliament Backs MACRA
An independent IT expert we consulted with echoed MACRA’s stance on using CEIR.
The Parliamentary Committee on Media Information and Communication, which oversees the regulator, is also satisfied that the acquisition poses no harm.
“CEIR is one of the measures MACRA has implemented to combat mobile fraud in the country. Consultations on the CEIR have arisen from discussions on mobile fraud and cybersecurity matters. The Media Committee has been actively engaged and is well-informed about this initiative. We, as a Committee, have visited MACRA to gain an understanding, including visiting the [Computer Emergency Response Team] CERT in Blantyre. Our briefing on the CEIR occurred during our meeting with MACRA in Blantyre at Malawi Sun,” stated Susan Dossi, the Committee’s Chairperson, in an interview with PIJ.
It’s worth noting, however, that these consultations have occurred at the committee level and have not yet advanced through the larger legislative process to become law or formal gazetted regulations.
What Else Can $27 Million in Surveillance Achieve?
While the government denies any intention to increase surveillance on its citizens and claims it is acquiring capabilities for other purposes, there have been instances where the state has shown an interest in such capabilities. Unfortunately, these powers have been occasionally used to infringe upon the rights of private citizens.
Recently, Malawi’s Minister of Homeland Security, Ken Zikhale Ng’oma, revealed that the Malawi government has sought the assistance of Zimbabwean cybersecurity experts to investigate cybercrimes within the country.
This move has raised further suspicions regarding government surveillance. In the past, the police have arrested private citizens for comments deemed offensive by the state. In more severe cases, journalists like PIJ’s Gregory Gondwe have been arrested in attempts to compel them to reveal the identities of whistleblowers and sources.
Yet, as the state grapples with delivering fundamental social services such as education, healthcare, and road infrastructure, the significant funds invested in building a surveillance network could be allocated elsewhere.
For instance, the purported $27 million expenditure could be used to construct a certain number of teachers’ houses, establish healthcare centres, or provide clean water to several villages.
TNM’s Perspective on the CEIR
In response to our questionnaire, TNM, one of the Mobile Network Operators (MNOs), endorsed the CEIR system, citing its potential advantages.
According to Limbani Nsapato, TNM’s Corporate Affairs Manager, they welcome the deployment of the CEIR and play a pivotal role in integrating MACRA’s CEIR into TNM’s existing network. This integration allows MACRA’s CEIR to obtain information on devices utilizing the TNM network.
Despite acknowledging concerns about potential subscriber losses due to the probable blocking of numerous counterfeit handsets prevalent in the local market, TNM remains supportive of the CEIR.
Nsapato explained, “A significant portion of the handsets in the market are counterfeit, and their potential blocking, if implemented, may affect existing users. However, having a tool to combat fraud is beneficial. It enables us to swiftly identify the user/handset responsible for reported fraudulent activities.”
He continued, “While original handsets may come with a higher cost, and the blocking of counterfeits might impact penetration, TNM is actively exploring other initiatives to boost digital penetration. Ultimately, it is in everyone’s best interest to utilize quality, original handsets that deliver optimal performance.”
Despite previously taking the regulator to court over another electronic monitoring system, the CIRMS, TNM expresses confidence in the CEIR, considering it a world-class system widely employed by regulators globally. As a result, they extend their support to the CEIR, albeit with some reservations.
“However, our support is contingent on how the implementation and integration with existing systems are executed,” stated Nsapato.
Airtel’s Perspective on the CEIR
Airtel Malawi, a significant player in the mobile service market, joins TNM in embracing the CEIR system, recognizing it as a crucial step in cleansing the mobile gadget market and combatting mobile phone theft.
“The CEIR is a long-awaited system that identifies, records, and tracks device equipment numbers to detect stolen, lost, fake, and duplicate mobile devices. Once the CEIR is operational, all stolen, malfunctioning, or counterfeit mobile devices will be barred and rendered unusable on any network,” said Norah Chavula-Chirwa, Head of Brand & Communications, PR & CSR at Airtel Malawi Plc.
She expressed enthusiasm about this positive development:
“We believe the CEIR will play a key role in curbing mobile device theft in our market. Additionally, we anticipate collaborative efforts with neighbouring countries in this endeavour.”
Airtel acknowledges active engagement with the regulator and participation in discussions with key stakeholders, including the Malawi Revenue Authority (MRA), the Director of Public Prosecutions (DPP), and the Malawi Police, regarding the CEIR and its potential implications.
They share common concerns with TNM, expressing apprehension that implementing CEIR may affect mobile phone penetration. Airtel recognizes the financial constraints of many Malawians, stating that most cannot afford original handsets. Consequently, introducing the quality assurance element in the system may limit accessibility.
“The barring of duplicate devices will effectively hinder economically disadvantaged Malawians from acquiring devices, with a ripple effect on financial and digital inclusion across the country. While advocating for the deployment of CEIR, it is crucial to acknowledge that these systems may adversely impact Malawi’s long-term development goals outlined in the Malawi Digital Strategy and Malawi’s Vision 2063 agenda,” noted Chavula-Chirwa.
While Airtel aligns with MACRA in the joint endeavour to implement the CEIR, the company doesn’t share the regulator’s perspective that the system is a comprehensive tool for combating mobile fraud. According to the MNO, addressing mobile fraud requires a more nuanced and comprehensive approach.
“The CEIR, in isolation, is insufficient to combat widespread fraud and social engineering. Law enforcement agencies should focus on implementing effective measures to prevent the entry of telecommunications devices into prisons. Additionally, stringent actions should be taken against offenders and officers involved in smuggling such devices into prisons, which are often the origins of most fraud,” emphasized Chavula-Chirwa.
Legal Gaps in Laws Governing Electronic Monitoring
Despite lingering questions about why the local regulator hasn’t drafted specific regulations for parliamentary authorization to procure systems like the CEIR, legal experts suggest that while MACRA has legal backing for its systems, concerns persist.
According to Garton Kamchedzera, a law professor at the University of Malawi, Sections 167 and 168 of the Communications Act provide adequate powers to the regulator for electronic monitoring and enforcement.
MACRA currently derives much of its authority for implementing such systems from the 2015 Communications (Electronic Monitoring) Regulations. Strangely, this legal document is only mentioned on their website without being readily accessible for visitors seeking detailed information or downloads.
To obtain these documents, PIJ had to make a special request from the authority to understand the finer details of the subsidiary laws.
Section 5, subsection 1 of the Communications (Electronic Monitoring) Regulations grants MACRA the authority to establish a monitoring system using any technology to ensure compliance by licensees.
However, Kamchedzera criticizes the 2015 regulations, asserting that they are overly broad and prone to abuse, granting MACRA the power to procure systems that may infringe on personal data rights, as earlier expressed by Kainja.
“When you read the 2015 regulations, they represent a mix between the broad and the specific, describing themselves as a framework. At the level of subsidiary legislation, regulations should be more specific and concrete, not frameworks. Frameworks should be established in the Act,” clarified Kamchedzera.
The challenge lies in the lack of clarity and specificity, particularly concerning the type of systems to be used and their intended purposes.
In conducting a comparative analysis between the subsidiary legislations governing the implementation of CEIR in Uganda and Tanzania and the local counterpart, the Law Professor identified gaps that provide the Regulator with considerable latitude.
“To have regulations describing themselves as a framework for concrete actions at this level can be risky if wielded by individuals with ill intentions or even those with good intentions but harbor personal biases against someone or some organization. It can be prone to abuse,” cautioned the Law Professor.
Interestingly, the same regulations granting this authority also restrain the regulator from processing data in a manner that reveals the contents of communication or the identity of an individual.
While these regulations empower MACRA to utilize any technology, including those with interception properties, for monitoring, they simultaneously serve as a safeguard for consumers, advocating for data protection and creating a contradiction.
Kamchedzera emphasized, “Effective regulations should be fair and impartial. In this context, fairness is not guaranteed, as it leaves much to human discretion.”
The Media in the Dark
The introduction of any monitoring system by authorities in a country raises apprehensions within the media industry. This concern stems from the ethical responsibility of media organizations to safeguard informers and sources, as such systems can compromise this veil of secrecy and protection.
The Media Institute of Southern Africa (MISA) Malawi chapter, acting as a local press watchdog, finds itself in the same position as the general populace, left in the dark about the operations of the CEIR.
Chisomo Ngulube, the vice chairperson, expressed their uncertainty, stating, “At the moment, we do not fully understand how the system works. Unfortunately, we have not been among the stakeholders briefed or oriented on the system.”
While refraining from directly attributing concerns to the CEIR, MISA couldn’t conceal its fears regarding state surveillance and its implications, particularly in the media profession.
“In very general terms, without explicitly stating that this equipment has certain capabilities, any state surveillance on the citizenry holds the potential to undermine privacy, restrict expression, and jeopardize journalists, their sources, whistle-blowers, and activists. The looming potential for politicization is always a cause for concern,” Ngulube added.
Addressing Growing Surveillance Concerns
As concerns about surveillance gradually intensify, the media watchdog acknowledges the need for authorities to proactively educate both the media and the public about the capabilities of such systems. This effort aims to dispel fears surrounding potential state surveillance.
Simultaneously, MISA intends to initiate discussions with MACRA regarding the new system to gain a clearer understanding of its functionality.
While it can be inferred, based on global practices and the use of CEIR, that it is gadget-based equipment and not intended for eavesdropping on people’s conversations, the introduction and implementation of such systems remain a source of apprehension for numerous stakeholders, especially the media.
Challenges in Implementation
Information from the website of an Indian tech solution firm specializing in the field, 6D Technologies, reveals a significant hurdle in implementing tracking systems. The efficacy of tracking relies on the handsets being original, identified by their unique IMEI. This poses a challenge for countries like Malawi, where most phones in use are counterfeit.
“The concerning aspect is that mobile devices with duplicate IMEI numbers cannot be tracked, presenting a substantial threat to national security. To maximize profits and reduce costs, Original Equipment Manufacturers (OEMs) produce mobile devices with replicated IMEI numbers, contributing to the proliferation of fake devices. This situation has created turmoil for network operators, making it difficult to identify counterfeits and block the original IMEI number in theft cases, leading to criminal incidents or misuse,” highlighted the technology firm.
In Uganda, authorities are grappling with the challenge of eliminating counterfeit gadgets already in use. Journalist Andrew Kaggwa suggests that this process may take the next five years or more.
The CEIR serves as a system designed to track electronic gadgets connecting to service networks in the event of theft. It can block both the service number and the gadget itself, preventing further use.
Nevertheless, the Malawi Communications Regulatory Authority (MACRA) leverages its law-given mandate and powers to introduce not only the CEIR but also other systems with potential applications in interception—a crucial aspect of state surveillance.
Upon scrutinizing the laws and regulations employed by MACRA, a comparison with those in neighbouring countries reveals a need for greater precision and specificity. The current regulations lack a streamlined approach tailored to the individual systems procured or to be procured by the authority.
A legal expert advocates for a review or amendments to the guiding regulations (subsidiary laws) to clarify provisions and eliminate the existing mix-up.
Service providers openly express concerns, fearing that the system could impede the growth of mobile users in the country due to its quality assurance function. However, they contest MACRA’s claim that it will effectively address mobile fraud, as stated in the regulator’s justification for introducing the CEIR.
Despite its potential benefits, digital rights activists remain sceptical of the underlying motives behind the operation of advanced technology, particularly when wielded by regulators with access to personal data gathered through various biometric technologies. In this context, they criticize the regulator and government for formulating regulations enabling electronic monitoring before enacting Personal Data Protection laws.
- In the first article in a series of articles on surveillance by state and non-state partners, dubbed ‘Big Brother Is Watching,’ the Platform for Investigative Journalism (PIJ) reports on how the Malawi state is violating all its stated spending priorities and allocating billions on technology to spy on citizens.