UPDATED: May 2017 | SOURCE: Vodafone Group with support from Hogan Lovells
Provision of Real-time Lawful Interception Assistance
THE ELECTRONIC COMMUNICATIONS ACT 2008 (ACT 775) (THE “ECA”)
Under Section 100 of the ECA, the President may, by executive instrument, make written requests and issue orders to operators or providers of electronic communications networks or services requiring them to intercept communications and provide any user information or otherwise in aid of law enforcement or national security.
ANTI-TERRORISM ACT 2008
According to the Anti-Terrorism Act, 2008 (Act 762), a senior police officer (not below the rank of an Assistant Commissioner of Police), with the written consent of the Attorney-General and Minister of Justice (AG), may apply to a court for an order to require Vodafone to intercept customer communications for the purpose of obtaining evidence of commission of an offence under the Anti-Terrorism Act.
Disclosure of Communications Data
THE ELECTRONIC COMMUNICATIONS ACT 2008 (ACT 775) (THE ECA)
The ECA gives the National Communications Authority (NCA) and certain public authorities the power to obtain metadata relating to customer communications, such as traffic data, service use information and subscriber information.
Under Section 4(2)(a) of the ECA, telecommunications providers have an obligation to provide information required by the NCA for regulatory and statistical purposes. Section 8(2) authorises the NCA to request the disclosure of lists of subscribers, including directory access databases. Section 68 of the ECA empowers the NCA to request information from service providers concerning the communications network, the use of spectrum granted and the use of the communications network or service.
REGULATION 103 OF THE ELECTRONIC COMMUNICATIONS REGULATIONS, 2011 (L.I. 1991)
Regulation 103 of the Electronic Communications Regulations, 2011 (LI 1991) also requires telecommunications providers to submit to the verification of electronic communications traffic by the NCA.
THE ELECTRONIC TRANSACTIONS ACT, 2008 (ACT 772) (THE “ETA”)
Under Section 101 of the ETA, the government or a law enforcement agency may apply to a court for an order for the disclosure of customers’ communications that are in transit or held in electronic storage in an electronic communications system by a communications service provider.
National Security and Emergency Powers
The Electronic Communications Act 2008 (Act 775) (the “ECA”)
Under the ECA, during a state of emergency, communications service providers are required to give priority to requests and orders for the transmission of voice or data that the President considers necessary in the interests of national security and defence.
Section 99 of the ECA states that where a state of emergency is declared under the Constitution or any other law, Vodafone will be required to give priority to requests and orders for the transmission of voice or data that the President considers necessary in the interests of national security and defence.
Section 99(6) gives power to the President to assume direct control of electronic communications services and issue operation regulations in the event of a declaration of war.
Oversight of the Use of Powers
Regarding applications made pursuant to the Anti-Terrorism Act 2008, a senior police officer will first require the written consent of the Attorney-General before making an application to court and seeking judicial approval.
Applications made under section 101 of the Electronic Transactions Act, 2008 (Act 772) by the government or a law enforcement agency must first go to the court to seek judicial approval. Then, an order can be granted relating to the disclosure of customers’ communications that are in transit or held in electronic storage in an electronic communications system by a communications service provider. The court will not make the order unless it is satisfied that the disclosure is relevant and necessary for investigative purposes or is in the interests of national security.
There is no judicial oversight or approval of the use of powers under the Electronic Communications Act 2008 (Act 775) (the ECA).
SHUT-DOWN OF NETWORK AND SERVICES
Electronic Communications Act 2008, Act 775
Under Section 99(6) of the Electronic Communications Act 2008 (Act 775), the President may assume direct control of communications services in times of war. The powers are wide and likely to include the power to order a shut-down of networks and/or services.
BLOCKING OF URLS & IP ADDRESSES
See Section 1 ‘Shut-down of network and services’ above; given the wide nature of the President’s powers, it is likely that he or she would be able to order the blocking of URLs and IP addresses.
POWER TO TAKE CONTROL OF VODAFONE’S NETWORK
See Section 1 ‘Shut-down of network and services’ above.
Oversight of the Use of Powers (Censorship-related)
There is no judicial oversight of the President’s powers under Section 99(6) of the Electronic Communications Act 2008 (Act 775).
Encryption and Law Enforcement Assistance
1. Does the government have the legal authority to require a telecommunications operator to decrypt communications data where the encryption in question has been applied by that operator and the operator holds the key?
Yes. Under Section 99(3) of the Electronic Transactions Act 2008, a law enforcement officer with a court warrant may require the telecommunications operator to provide access – and to decrypt information if necessary – to customer data in connection with the investigation of an offence.
2. Does the government have the legal authority to require a telecommunications operator to decrypt data carried across its networks (as part of a telecommunications service or otherwise) where the encryption has been applied by a third party?
Under the Electronic Transactions Act 2008, a law enforcement officer with a court warrant may require a telecommunications operator to provide access to decryption information, code or technology necessary to decrypt customer data in connection with the investigation of an offence. Such decryption information, code or technology could include ‘equipment interference’ technology.
A telecommunications operator may be required to provide such information, code or technology even where the encryption is applied by a third party to the extent that the telecommunications operator has access to the decryption information, code or technology. It is questionable whether the telecommunications operator could be legally compelled to decrypt encryption that has been applied by a third party given that, practically, this would usually mean that the telecommunications operator would not have access to the decryption information, code or technology. Vodafone is not aware of any legal precedent in this area. There is no reported case law on the subject matter.
3. Can a telecommunications operator lawfully offer end-to-end encryption on its communications services when it cannot break that encryption and therefore could not supply a law enforcement agency with access to cleartext metadata and the content of the communication on receipt of a lawful demand?
Currently, there is no law expressly prohibiting a telecommunications operator from doing so. The National Communications Regulations 2003 (LI1719) encourage operators to employ international best practices in the telecommunication industry to promote privacy, secrecy and security of communications carried or transmitted by them, or through their communications system, and of the personal and account data related to their subscribers. Thus, if the purpose of the end-to-end encryption is to encourage confidentiality of its subscribers, a telecommunications operator can proceed to implement the service with prior written notice to the National Communications Authority.
We note, however, that the Electronic Transactions Act 2008 (Act 772) mandates the National Information Technology Agency to establish a Certifying Agency whose functions include issuing licences and monitoring the conduct of an encryption service provider. The Certifying Agency is yet to be established. Until the Certifying Agency is established, the National Information Technology Agency (NITA) is required to act in the interim. NITA is, however, yet to commence the licensing or regulation of encryption services in Ghana. When NITA or the Certifying Agency (when established) commences the implementation of the relevant provisions of the Electronic Transactions Act, the telecommunications operator may be required to obtain a licence from NITA or the Certifying Agency in order to carry out its end-to-end encryption on the BAU Service. OTT service providers providing end-to-end encryption services may also be required to register with NITA or the Certifying Agency except when they are licensed by foreign licensing authorities recognised by NITA or the Certifying Agency.
That said, there is no legal precedent that Vodafone is aware of which addresses whether the introduction of end-to-end encryption, which would disable a telecommunications operator’s ability to comply with its existing law enforcement assistance obligations under the Electronic Communications Act 2008 and Anti-Terrorism Act 2008, would put a telecommunications operator in breach of those laws. There is no reported case law on the subject matter.
4. Please provide examples in this jurisdiction where legislation which predated the advent of commercial encryption (which Vodafone estimates to be circa 1990) has been applied to contemporary cases involving encryption.
The laws on encryption and lawful interception in Ghana are relatively new and undeveloped. Vodafone is not aware of any such precedent.