UNVEILING MACRA’S SOPHISTICATED PHONE & PC DATA EXTRACTING TOOL: BALANCING SECURITY AND PRIVACY IN MALAWI

In 2019, MACRA procured a data extraction machine closely associated with law enforcement. It’s a tool Malawi Police Services has sought for years (and still does). It’s a system with intrusive capabilities that can be abused.

A real-time monitoring platform for cyberattacks and malware at MwCert offices (picture by PIJ)

Big Brother Is Watching, PART TWO

BY EARLENE CHIMOYO

A recent investigation by the Platform for Investigative Journalism (PIJ) reveals a significant expansion in the Malawian government’s state-run surveillance capabilities, including deploying the Cellebrite UFED system. This move, defended by the government as essential for national security, is raising concerns over potential intrusions into citizen privacy and the erosion of rights.

The Cellebrite UFED, a sophisticated tool capable of extracting deleted data from electronic devices such as phones and laptops, is at the heart of these fresh findings. The Malawi Communications Regulatory Authority (MACRA) initially denied possessing such technology. However, they later admitted that the system is indeed operational and managed by their specialised cybersecurity unit, the Malawi Computer Emergency Response Team (MwCert).

The investigation also reveals that the Malawi Revenue Authority (MRA) owns a similar system. According to their Corporate Affairs Office statements, the MRA uses the UFED system to investigate tax evasion, assuring that court warrants are obtained before its use on private citizens.

Through its specialised cybersecurity unit, MACRA maintains that private citizens’ privacy is not compromised during its Penetration Tests (Pen Tests). These tests, designed to evaluate digital infrastructure resilience, are conducted only upon request and with proper authorisation.

Meanwhile, the Cellebrite UFED system, central to this expanding surveillance, is a product of Israeli firm Cellebrite Digital. Prior to MACRA’s acquisition, a tender for procuring a similar system was advertised, intended for the Malawi Police Service. However, police officials report they are still awaiting procurement of such technology.

It’s important to note that Cellebrite Digital’s UFED is distinct from systems like Pegasus, produced by Israeli security firm NSO Group. Unlike Pegasus, which is known for its advanced and often controversial capabilities, such as remote eavesdropping on communications across various devices, UFED does not fall into this category of high-level intrusion systems. For context, Pegasus is among the world’s most expensive surveillance systems, priced at $1.1 million.

The MACRA system primarily functions to retrieve deleted data and bypass passwords. It can access information from various electronic communication and storage systems, including cloud storage. This involves physical connections between data domains and extraction devices. The system is also capable of decrypting encrypted passwords, decoding passcodes, and analysing the retrieved data, according to various guides and sources familiar with its operations.

The Platform for Investigative Journalism (PIJ), in collaboration with other Southern African investigative journalism centres under the IJ-Hub network, focuses on these surveillance systems. This series of coordinated articles aims to break the silence around surveillance topics, exposing overreach in both private and public surveillance while highlighting the ongoing conflict between surveillance practices and privacy rights.

In related developments, MACRA called for bids to establish the Malawi Police digital forensic lab on 1st September 2021. The tender submission deadline was later extended to 8 September 2022. Ultimately, the contract was awarded to the Kenya-based firm CyberSecurity Africa for approximately $1,761,715 (K2,994,915,500).

Sources close to the deal indicate that the procurement of a digital forensic lab for the Malawi Police Service did not proceed due to a shortage of foreign exchange. However, MACRA proceeded to acquire the Cellebrite system, which is reportedly utilised predominantly by law enforcement agencies, such as the police. This system tracks cybercrimes, and MACRA also offers some of its services to the Malawi Police Service for various investigations.

“A system like Cellebrite was previously available only to law enforcement agencies,” a source revealed.

Initially, MACRA’s Public Relations Officer, Wezzie Nkhoma Somba, denied the regulator’s possession of such a system. However, she later confirmed that MACRA does own the system, which operates under one of its specialised units, MwCert.

Nkhoma Somba then directed PIJ to the head of MwCert, Christopher Banda, who affirmed the unit’s ownership of the tool. 

“As for the Malawi Cert, yes, we do have this tool; we use it for our digital forensic services,” Banda stated, dismissing concerns that the lab could be misused for political purposes or unwarranted privacy intrusions.

Christopher Banda, MwCert Head

Steven Kapoloma, Head of Corporate Affairs at the Malawi Revenue Authority (MRA), explained the purpose of their UFED system. According to Kapoloma, the system is crucial in investigating tax evasion cases. However, he emphasised that MRA always secures court warrants before utilising the system for data extraction.

“In the Malawi Revenue Authority context, the device is used as part of investigations to gather digital evidence relevant to financial transactions, tax evasion, and other financial crimes. So, basically, we use it to extract data from a wide range of mobile devices that would help us to have evidence relating to financial transactions or any illicit activities relating to taxes,” Kapoloma elaborated.

He noted a significant decrease in tax evasion incidents since deploying the system and stated that it saved substantial government revenue. However, Kapoloma did not provide specific figures regarding these savings.

“We obtain a warrant from the courts, and then we go for the data extraction from their electronic equipment, including phones, and then we transfer the data to our lab for further analysis using the same system,” Kapoloma added.

The Malawi Police Service’s Cybersecurity Unit, lacking a dedicated forensic lab, largely relies on external agencies like MACRA for assistance in solving cybercrimes. This dependence extends to utilising human sources for alerts on potential investigations, obtaining search warrants for the physical seizure of necessary documents or gadgets, and conducting physical inspections, as reported by well-informed sources within the service.

Moreover, the police also depend heavily on undercover operations, including officers infiltrating criminal groups and encrypted messaging platforms, and on a network of informants in various areas.

A source from within the service shed light on the challenges faced by the cybercrimes unit. “The issue about equipment is the cybercrimes unit doesn’t have all the needed equipment because we don’t have a fully-fledged forensic lab. So, MACRA officials at one point in time were on the verge of buying equipment for the police, but I think it was an issue to do with the shortage of currencies, the dollars, and the like, which made the program flop,” the source disclosed.

Sources indicate that the Malawi Police Service has not abandoned plans to acquire its own surveillance system. In late 2023, a delegation from Area 30, the national police headquarters, travelled to Kenya. The purpose of their visit was to observe how the Kenyan police utilise Spektor, a system akin to Cellebrite, which the Malawi Police hope to procure.

The Malawian security agents were able to participate in this training due to their membership in Afripol, a technical institution of the African Union. Afripol’s mandate is to bolster cooperation among the police agencies of AU member states, particularly in combating organised transnational crime, terrorism, and cybercrime.

There was an expectation that each member state, as part of their involvement with Afripol, would receive a Spektor package to start using in their respective law enforcement agencies.

Shifting focus back to Cellebrite, MACRA procured its system through the International Telecommunication Union (ITU). In 2019, the ITU provided technical support in setting up MwCert and assisted MACRA in the international tendering process for procuring the Cellebrite system.

Cellebrite UFED kit (picture by Cellebrite)

The Cellebrite UFED, as described by its manufacturer, is a comprehensive data extraction technology suite that includes both hardware and software components. This tool is primarily utilised by law enforcement agencies for digital forensic investigations, aiding in evidence gathering.

During a visit to the MwCert Offices, our reporter was given a glimpse of the Cellebrite toolkit. The kit includes a black, hard-bodied box secured within a black case, featuring an array of USB-like cables and a black tablet encased in a rugged pouch. For security reasons, photography was not permitted during this preview.

Recent developments suggest a potential operational challenge for the Cellebrite UFED system in Malawi. Sources familiar with the system have indicated that the manufacturer has ceased issuing licence renewals to several countries, including Malawi. These renewals are crucial for the system’s functionality, as they provide necessary updates in line with technological advancements.

This development presents a significant challenge for MACRA, as procuring a new system may necessitate substantial expenditure. The communication regulator has also indicated plans to re-tender the procurement process for the Malawi Police Service’s digital forensic lab.

Christopher Banda, a spokesperson for the agency, elaborated on the situation. “Within that bid, that tender, we had included Cellebrite; in January (2023), when they announced that they are pulling out services in many countries, not only in Africa but also in Asia, they have been bought by an American company. They want to reorganise. So, the issue now is how do we handle equipment which we had already procured, but the supplier says will not supply,” explained Banda.

An extraction process setup, UFED device (on the right) connected to mobile devices (picture from Endpoint forensics)

While the manufacturer of the Cellebrite UFED system does not classify it as spyware and denies its alleged capabilities, various rights organizations have raised concerns. They point to its intrusive potential, such as the ability to decrypt encrypted communications and recover data from cloud storage, as significant issues.

According to Cyber Express Magazine, authoritarian states have exploited such systems to access the private information of political adversaries and critical journalists. The magazine cites the example of Ugandan authorities using the system to target government critics following their arrest.

In Malawi, there have been instances involving the Malawi Police Services where journalists and civil society officials have had their devices confiscated. A notable case involved Gregory Gondwe, Director of the Platform for Investigative Journalism (PIJ). The incident raised concerns about the safety of sources and whistleblowers within his investigative journalism unit, particularly after police sought information from one of the unit’s articles. It remains unclear whether the police intended to use the system to decrypt Gondwe’s passwords or recover any deleted information.

Under current law, law enforcement agencies in Malawi, including the Police, the National Intelligence Services, and the Anti-Corruption Bureau, are granted the authority to intercept communications and conduct certain intrusions, provided they have justifiable grounds for criminal investigations. Typically, these agencies must obtain court orders for search and seizure operations.

However, the specific legal procedures MACRA’s unit followed before deploying its system remain unclear. Christopher Banda, a representative of the unit, shed some light on their operational protocol. “We work with everyone (MDF, NIS, MPS), but it’s all about following procedure. If it’s related to a request from the police or whichever organisation, we go by the procedure. We don’t just do it anyhow; there is a proper search warrant and approval process,” Banda said, detailing the unit’s device-sharing processes.

In an interview, Law Professor Garton Kamchedzera voiced concerns over the potential to misuse these legal provisions. He emphasised the necessity for compelling justifications for each instance of interception employed by these agencies.

Professor Kamchedzera highlighted Section 44 of the Malawi Constitution in the context of ongoing concerns about privacy violations. 

This section outlines the permissible limitations on rights such as privacy under specific conditions. 

“Section 44 provides that no restriction or limitation may be placed on the exercise of any rights and freedoms provided for in the Constitution, unless the restriction or limitation: (a) is prescribed by a law; (b) is reasonable; (c) is recognised by international human rights standards; (d) is necessary in an open and democratic society,” Kamchedzera explained, citing the specific legal provision.

In a separate discussion, veteran rights activist Undule Mwakasungula emphasised the importance of accountability within the state’s surveillance system. 

He advocated for robust safeguards: “Effective checks and balances are crucial. This includes judicial oversight, legislative scrutiny, and transparency to the public. Without these measures, surveillance could become a tool for political repression or abuse of power.”

Mwakasungula also emphasised the importance of privacy and freedom of expression in a democratic society.

“In a democratic society, respecting individual privacy and freedom of expression are fundamental rights. Excessive surveillance could lead to self-censorship and undermine democratic participation,” he argued.

On the other hand, a security expert, preferring to remain anonymous, highlighted the delicate balance between accountability and the highly sensitive nature of security-based surveillance and intelligence systems. 

These systems are often classified, even in advanced democracies, due to their sensitivity. 

The expert acknowledged the growing concerns in Malawi about the potential misuse of government surveillance powers.

“Human rights organizations and privacy advocates have raised issues regarding the lack of sufficient legal safeguards and oversight mechanisms to prevent abuse of surveillance capabilities. It’s important for citizens and policymakers in Malawi to engage in discussions about the appropriate use of surveillance technologies,” the source mentioned.

In response to public concerns, particularly regarding the intimidation and surveillance of journalists, the Cellebrite team has expressed its stance. 

“Cellebrite vigorously supports the democratic ideals of freedom of speech and freedom of the press. We do not condone the use of Cellebrite’s solutions to access the personal information of journalists, activists, or others who are working against the interests of repressive regimes and doing so outside the bounds of a legally sanctioned investigation expressly violates the terms of our licensing agreements,” the company stated.