This article was originally published in Issue 3 of Southern Africa Digital Rights, an online publication produced under the project "The African Declaration on Internet Rights and Freedoms: Fostering a human rights-centred approach to privacy, data protection and access to the internet in Southern Africa".
In July 2022, Malawi’s state president inaugurated the country’s first data centre in its commercial city, Blantyre. This initiative resulted from a partnership between the Government of Malawi and the Chinese technology company Huawei. It builds upon previous data collection programmes, starting with the biometric national ID registration in 2017 and the mandatory SIM card legislation in 2018.
The government has provided several justifications for these programmes, emphasising their benefits. They have been largely met with acceptance, evidenced by the minimal resistance from civil society organisations within the country and the compliance demonstrated by Malawians. However, it is essential to consider potential implications; some argue that these initiatives might have adverse effects on human rights, particularly digital rights, due to their potential role in enabling surveillance.
Data centre
In July 2022, Malawi became the latest African country to commission a National Data Centre in partnership with the Chinese company Huawei. Huawei has partnered with other African countries, including Zambia, Uganda, South Africa, Mozambique and Senegal.
These partnerships are part of Huawei’s drive to expand its African data centre programmes. The company’s Vice President of Public Affairs and Communications told Africa News that his company is a “partner to build the data centre, to provide the equipment, the platform and to improve the connection with the applications of the different partners.” [1] Malawi President, Lazarus Chakwera, believes that the National Data Centre is a “positive step into the country’s digital future.” He holds the view that they would guarantee the “security of information” and thus attract investors in the “manufacturing, financial, retail, and service sectors.” [2]
There is no reason to doubt the president’s commitment to his statements and his genuine intentions for the country. Undoubtedly, the fourth industrial revolution demands that nations embrace emerging digital technologies, including big data. However, such investments necessitate concurrent commitments to robust data security, including the establishment of comprehensive data protection laws, a facet currently absent in Malawi’s governance.
Moreover, the lack of public access to the terms of the Malawi Government’s collaboration with Huawei, raises pertinent questions about access to information within the National Data Centre. This concern holds merit, especially considering Huawei’s contentious track record in data centre projects.
Notably, in 2019, an investigation by The Wall Street Journal [3] revealed instances where Huawei employees, embedded within cybersecurity forces in Uganda and Zambia, intercepted encrypted communications and utilised call data to monitor political opposition. Despite Huawei’s denial of involvement, their persistent investment in data centres prompts scrutiny.
The dismissal of The Wall Street Journal’s report as Western media in certain circles reflects the geopolitical tensions between the West and China. This tension arises from allegations asserting Huawei’s cybersecurity risks in the USA and the UK. However, despite such dismissal, the report prompts crucial inquiries about the potential misuse of these infrastructures by the state for citizen surveillance and potential human rights violations.
Notably, there have been numerous instances in Malawi where individuals faced detention and arrest over WhatsApp conversations and journalists were targeted for their professional work. [4] These incidents serve as indicators of the state’s inclination towards monitoring its citizens. Therefore, any technology facilitating surveillance would likely find acceptance in such a context.
National ID registration
In 2017, the Government of Malawi launched the biometric national ID registration, mandating registration for all citizens aged 16 years and older. The National Registration Bureau (NRB), as stipulated by the National Registration Act of 2010, holds the responsibility to execute, coordinate, manage, and sustain Malawi’s National Registration and Identification System (NRIS). [5]
Norman Fulatira, the NRB’s spokesperson, highlighted in The Nation (2021) newspaper that Malawi trailed behind other Southern African nations in implementing citizen registration and issuing national identity cards. Fulatira asserted that the nation’s status as the last in the region to roll out national ID cards has been advantageous for Malawians, who have now been issued smart cards. [6] The NRB asserts that the primary objective of the national ID is to ensure “positive identification of every individual in the country.”
Additionally, according to the NRB, the national ID enhances both national and international security by facilitating the “easier traceability of foreigners.” [7]
The programme received substantial participation, registering nine (9) million people within the initial six months. Since its implementation, the national ID has replaced previously separate ID systems, including passports, driving licenses, and voter registration cards.
All government entities now require the national ID for services such as passport issuance, driver’s license acquisition, tax number registration, SIM card registration, voter registration, accessing agricultural subsidies, and participating in cash transfer programmes. Banks mandate customers to undergo a ‘Know-Your-Customer’ process, necessitating the presentation of their national ID.
The National Democratic Institute (NDI) [8] observes that digital ID systems offer convenience but raises concerns regarding control over information collection, data storage, and utilisation, which pose significant challenges for democracy. NDI further contends that centralised ID systems could potentially be exploited to intimidate specific communities, perpetuate existing inequalities, and discriminate against marginalized groups historically excluded from exercising their civic and political rights.
Mandatory SIM card registration
In 2018, the Government of Malawi enforced mandatory SIM card registration, as outlined in section 92(1) of Communications Act No. 34 of 2016. [9] This regulation mandates that any user of a generic number or possessor of a SIM card for voice telephony services must “register that generic number or SIM card with any electronic communications licensee or with the distributor, agent, or dealer authorised by the electronic communications licensee to provide or sell generic numbers or SIM cards.”
Section 92(1)(a) stipulates that subscribers must provide the following details: (i) their full name; (ii) identity card number or any other document that proves the identity of the subscriber; and (iii) residential and business or registered physical address of the subscriber.
The policyholder, Malawi’s telecommunications regulator, the Malawi Communications Regulatory Authority (MACRA), stated that the SIM card registration would help achieve the following: [10]
- Prevent SIM boxing. [11]
- Help recover stolen phones.
- Protect subscribers from hate texts, threats and incitation of violence.
- Create a conducive environment for all phone users and instil discipline in those abusing phones.
- Help law enforcers track down criminals who use phones for illegal activities.
- Curb fraud and theft that occurs through the use of phones.
Hence, SIM card registration purportedly aimed to safeguard subscribers from criminal activities and facilitate the identification of offenders. This rationale gained the trust of Malawian citizens, resulting in the implementation encountering minimal public opposition.
However, the implementation of SIM card registration occurred in the absence of robust data protection legislation and adequate legal safeguards to shield subscribers from potential data misuse, considering that mobile phone users in the country can no longer maintain anonymity. Furthermore, the SIM card is directly linked to the national ID.
While the Malawi Communications Regulatory Authority (MACRA) has enumerated various accepted forms of identification for SIM registration, it is apparent that all licensed agents responsible for registering SIM cards mandate a national ID for the registration process. [12]
Privacy International warns that SIM card registration can facilitate surveillance and having their private information misused. It can also facilitate discrimination and exclusion of those unable to register SIM cards because they do not have identification. Malawi’s national ID has an expiry date, [13] and there are increased cases where national ID cards take months to be renewed upon expiration.
While the introduction of SIM card registration in Malawi proceeded without significant resistance or adequate legislation to safeguard subscribers, evidence indicates that this measure has not effectively curbed crime in the country. In February 2023, MACRA disclosed that cybercriminals siphon approximately $117,000 monthly in Malawi, a concerning statistic considering that 10.1 million out of 17.5 million Malawians possess a mobile wallet. [14]
Despite the clear security implications, there exists no collaboration between MACRA and security agencies to mitigate this fraud, underscoring the need for increased capacity within the police force. [15]
Efforts have been discussed to foster collaboration among the police, MACRA, and bolster security agencies; however, no tangible steps have been taken. These systemic inefficiencies imply that mandatory SIM card registration has fallen short in curbing fraudulent activities. If anything, incidents of mobile money-related crimes have risen post-SIM card registration. Privacy International observed that despite accumulating evidence highlighting the costly and intrusive nature of mandatory SIM registration, many governments persist in implementing it annually, despite its inefficacy in addressing the underlying issues they aim to solve. [16]
Conclusion and implications
Implementing the National Data Centre, the biometric national ID registration and the mandatory SIM card registration means that the Malawi Government has assembled a robust data collection and centralisation programme within five years. Malawians’ acceptance of these programmes implies that people willingly surrender their data without knowing how it will be handled, who has access to it and for what purposes. Although privacy is provided for under section 21 of the Malawi Constitution, Malawi lacks robust data protection law to actualise section 21, which provides that “every person shall have the right to personal privacy, which shall include the right not to be subject to a) searches of his or her person, home or property; b) the seizure of private possessions; or c) interference with private communications, including mail and all forms of telecommunications”.
The Data Protection and Privacy Bill 2021 remains in its draft form. However, the Bill indicates that the government is aware of the need for a robust data protection law, especially in the digital era.
The draft Bill’s memorandum states that “as the Malawi economy becomes increasingly reliant on digital technologies, there is a need to protect personal data of individuals collected, generated, stored and utilised by public and private sector institutions including in the provision of healthcare, health and other types of insurance, education, banking and financial services, hospitality services, civil registration, voting, immigration, national ID and delivery of social programmes”. [17]
As reported by TechTarget, data protection is the process of safeguarding important information from corruption, compromise or loss. The report observes that “the importance of data protection increases as the amount of data created and stored continues to grow at unprecedented rates”. This captures the essence of the data centralisation programmes’ problem without data protection law. The mass collection and centralisation of personal data without legal guidelines make people vulnerable to human rights abuses, particularly surveillance. Surveillance undermines human and digital rights, including privacy, freedom of speech, association, assembly, thought, and protection of citizens’ reputations. Glenn Greenwald noticed: “People radically change their behaviour when they know they are being watched. They will strive to do that which is expected of them. … They do so by adhering tightly to accepted social practices, staying within imposed boundaries, avoiding actions that might be seen as deviant or abnormal.” [18]
Thus, the Government of Malawi ought to enact the data protection bill to fill the legal gap and prevent possible human rights violations. Furthermore, civil society organisations should proactively monitor government initiatives that could jeopardise digital rights, rather than reacting only after policies and legislation are in place.
Notes:
1. João Marques Lima (2021), Huawei Lines Up for Africa Data Centre Expansion. Available at: https://thetechcapital.com/huawei-linesup-for-africa-data-center-expansion/ (accessed 20 March 2023)
2. Regtech Africa (2022), Malawi: Malawi Opens First National Data Centre in Blantyre. Available at: https://regtechafrica.com/malawi-malawi-opens-first-national-data-centre-in-blantyre/ (accessed 20 March 2022)
3. Joe Parkinson, Nicholas Bariyo and Josh Chin (2019) Huawei Technicians Helped African Governments Spy on Political Opponents. Available at: https://www.wsj.com/articles/huawei-technicians-helped-african-governments-spy-on-political-opponents-11565793017
4. Jimmy Kainja (2022), Arrests Mar Malawi’s Digital Rights Landscape. Available at: https://www.apc.org/en/news/arrests-mar-malawis-digital-rights-landscape (accessed 20 March 2023)
5. National Registration Bureau. Available at: https://www.nrb.gov.mw/index.php (accessed 20 March 2023)
6. Norman Fulatira (2021), Why do National IDs Expire? Available at: https://mwnation.com/why-do-national-ids-expire (accessed 20 March 2023)
7. NRB, National IDs, a Solution to Malawi’s Problems. Available at:https://mwnation.com/why-do-national-ids-expire/ (accessed 20 March 2023)
8. Priyal Bhatt, Sarah Moulton and Elizabeth Sutterlin (2021), Assessing the Impacts of Digital ID on Civic and Political Participation of Marginalised Communities. Available at: https://www.ndi.org/sites/default/files/Identified%20but%20Unheard%20FINAL.pdf (accessed 20 March 2023)
9. The Malawi Gazette (2016), Communications Act, No. 34 of 2016. Government Press
10. MACRA, Why is it Important to Register SIM Card? Available at: https://macra.mw/frequently-asked-questions-2/ (accessed 20 March 2023)
11. What is SIM Boxing? Available at: https://www.dignited.com/44776/what-is-sim-boxing/ (accessed 20 March 2023)
12. MACRA, What are the Acceptable Documents? Available at: https://macra.mw/frequently-asked-questions-2/ (accessed 20 March 2023)
13. Norman Fulatira (2021), Why do National IDs Expire? Available at: https://mwnation.com/why-do-national-ids-expire/ (accessed 20 March 2023)
14. Johnstone Kpilaakaa (2023), In Malawi, Mobile Money Users Get Scammed of About $117K Monthly. Available at: https://www.benjamindada.com/malawi-mobile-money-wallet-fraud/ (accessed 20 March 2023)
15. Duncan Mlanjira (2022), MACRA to Establish Digital Forensic Lab with Malawi Police to Counter Mobile Money Fraud. Available at: https://www.nyasatimes.com/macra-to-establish-digital-forensic-lab-with-malawi-police-to-counter-mobile-money-fraud/ (accessed 4 April 2023)
16. SIM Card Registration: The Mandatory Registration and Identification of all Mobile Phone Users Purchasing a pre-paid SIM card. Available at: https://privacyinternational.org/learn/sim-card-registration (accessed 20 March 2023)
17. Paul Crocetti, Stacey Peterson, and Kim Hefner, What is Data Protection and Why is it Important? Available at: https://www.techtarget.com/searchdatabackup/definition/data-protection (accessed 20 March 2023)
18. Glenn Greenwald (2014), The Harm of Surveillance. Available at: https://policyoptions.irpp.org/magazines/old-politics-new-politics/greenwald/ (accessed 20 March 2023)