UPDATED: May 2017 | SOURCE: Vodafone Group with support from Hogan Lovells
Provision of Real-time Lawful Interception Assistance
COMMUNICATIONS ACT 2012
Section 44(1)(f) of the Communications Act 2012 (“Communications Act”) provides that a person may not intercept communications or messages unless authorised by a court of competent jurisdiction. Therefore, the government does not have the legal authority to require Vodafone to intercept individual customer communications or messages without a court order.
In Lesotho, there appear to be no specific laws that grant law enforcement agencies with legal powers to allow direct access into a communication service provider’s network outside of the operational control or oversight of the service provider.
Disclosure of Communications Data
TELECOMMUNICATIONS AUTHORITY REGULATIONS 2001
Regulations 32(1) and (2) of the Telecommunications Authority Regulations 2001 provide that no person, while engaged in the operation of a telecommunications service may disclose information about a customer, unless disclosure is required in connection with the investigation of a criminal offence or for the purpose of criminal proceedings.
CRIMINAL PROCEDURE AND EVIDENCE ACT 1981
According to the Criminal Procedure and Evidence Act 1981 (Sections 46 to 49), a judicial officer may issue a warrant authorising the search of a property, if he or she has a reasonable suspicion that there is anything on the property that amounts to evidence of an offence, or which will be used in a criminal offence. However, a policeman/woman (with the rank of warrant officer and above) may conduct the search without a warrant if he or she believes that first obtaining the warrant will defeat the purpose of the search.
THE PREVENTION OF CORRUPTION AND ECONOMIC OFFENCES ACT NO.5 OF 1999
The Prevention of Corruption and Economic Offences Act (Act) provides for the disclosure of information in connection with the investigation or prevention of corruption and economic offences. Section 8 of the Act states that the Director of Prevention of Corruption and Economic Offences may, by notice in writing, require any person to furnish, notwithstanding the provisions of any other enactment to the contrary, all information in his or her possession relating to the affairs of any suspected person, and to produce or furnish any document or certified true copy of any document relating to such suspected person, which is in the possession or the control of the person required to furnish the information.
OMBUDSMAN ACT 1996
The Office of the Ombudsman was established under Section 134 of the constitution of Lesotho, among other things, to investigate action taken by any officer or authority in the exercise of the administrative functions of that officer or authority in cases where it is alleged that a person has suffered injustice in consequence of that action.
Section 9 of the Ombudsman Act 1996 states that in the performance of his or her functions the Ombudsman will have the power ‘to summon and subpoena in writing any person to produce any records in the custody, possession or control of that person, which the Ombudsman may deem necessary in connection with any inquiry before him; and for such purpose he shall have similar powers to those of a High Court Judge but subject to the same rules relating to immunity and privilege from disclosure as apply in High Court’.
National Security and Emergency Powers
NATIONAL SECURITY SERVICES ACT NO. 11 OF 1998 (NSS)
Section 26 of the NSS states that ‘The Minister may, on an application made by a member of or above the rank of Higher Intelligence Officer, issue a warrant authorising the taking of such action in respect of any property specified in the warrant as the Minister thinks is necessary to be taken in order to obtain information which: (a) is likely to be of substantial value in assisting national security services in discharging any of its function; and (b) cannot be reasonably obtained by any other means’.
EMERGENCY POWERS ORDER 1988
Section 5(3)(b) of the Emergency Powers Order 1988 (Emergency Powers Order) states that the Minister responsible for defence and internal security may, during a declared state of emergency, issue regulations (Regulations) that authorise the acquisition of any property in Lesotho, and take possession and control of such property. Section 5(3)(b) of the Emergency Powers Order has not been enacted to date. The Regulations are made by the Minister’s office, but have to be issued in the Government Gazette to be generally enforceable. Any further processes detailing the right to access customer data and/or the network would presumably be set out in those Regulations.
Oversight of the Use of Powers
Interception of communications is only allowed if authorised by a court order, and the court, which has to be of competent jurisdiction, has discretion in this regard. The court will allow the interception of messages if it is reasonable and serves a lawful purpose.
Section 26(3) of the NSS provides that such ‘a warrant shall not be issued unless: (a) it is signed by the Minister, or (b) in an urgent case where the Minister has expressly authorised its issue and a statement of that fact is endorsed on it, it is signed by the Director General or an office authorised by the Director General’. State conduct will always be subject to the constitution of Lesotho, which guarantees freedom from arbitrary seizure of property and freedom from arbitrary searches. These rights can be limited where state security or public order (among other things) requires. Therefore, laws of general application that limit the rights in question, such as the Regulations that can be enacted in terms of the Emergency Powers Order, will be valid and enforceable, as long as the means (search or seizure) are proportional, or rationally related, to achieve the end result (state security or public order).
SHUT-DOWN OF NETWORK AND SERVICES
Communications Act 2012
According to Section 20 of the Communications Act 2012 Vodafone may be prevented from providing all or some of its network or services in Lesotho if either the regulatory body, the Lesotho Communications Authority, revokes Vodafone’s licence or the Minister issues an emergency suspension notice.
The Minister may only issue an emergency suspension notice if he or she has a reasonable basis to conclude that the continued operation by Vodafone of its network poses a substantial threat to national security or public order, and that there is no other way to forestall the danger. Section 20(3) states that the emergency order by the Minister must be in writing; set out the basis for the suspension; and remain in effect for no more than 72 hours unless extended by a court of competent jurisdiction.
BLOCKING OF URLS & IP ADDRESSES
The government in Lesotho does not have the legal authority to order a network provider (such as Vodafone) to block URLs or IP addresses.
POWER TO TAKE CONTROL OF VODAFONE’S NETWORK
Emergency Powers Order 1988
Under Section 5(3)(b) of the Emergency Powers Order 1988, the Minister responsible for defence and internal security may, during a declared state of emergency, issue regulations that authorise the acquisition and taking into possession and control of any property or undertaking. A state of emergency may be declared by the King by proclamation in the Gazette when it is in the interests of public safety and public order. It is therefore possible that, during a declared state of emergency, the Minister might take control of Vodafone’s network in Lesotho. No such regulations have been made to date.
Oversight of the Use of Powers (Censorship-related)
COMMUNICATIONS ACT 2012
Vodafone may appeal to the judicial courts on an urgent basis for relief before the 72-hour suspension starts if it feels that there is no proper basis for the Minister’s suspension of its network or services.
EMERGENCY POWERS ORDER 1988
The conduct of the Minister responsible for making the regulations in a state of emergency pursuant to the Emergency Powers Order 1988 will always be subject to the constitution of Lesotho. The constitution of Lesotho upholds the freedom of its citizens from arbitrary seizure of property and arbitrary searches. These rights can, however, be limited where state security or public order (among other things) requires. Against that context, a regulation ordering the seizure of Vodafone’s network would be valid and enforceable provided it is proportionate and rationally related to achieving its objective – namely that of maintaining state security and public order.
Encryption and Law Enforcement Assistance
1. Does the government have the legal authority to require a telecommunications operator to decrypt communications data where the encryption in question has been applied by that operator and the operator holds the key?
Generally, the government of Lesotho does not have the legal authority to require a telecommunications operator to intercept communications without a court order (see earlier in this chapter under ‘Provision of real-time lawful interception assistance’).
Were a court to order a telecommunications operator to perform an interception on its network, there is nothing in the law to prevent the court from ordering a telecommunications operator to remove any encryption that it had applied in order to enable the interception.
2. Does the government have the legal authority to require a telecommunications operator to decrypt data carried across its networks (as part of a telecommunications service or otherwise) where the encryption has been applied by a third party?
There is, currently, no legislation in Lesotho that would give government the legal authority to require a telecommunications operator to decrypt data carried on its networks, as part of a telecommunications service or otherwise, where encryption has been applied by a third party.
3. Can a telecommunications operator lawfully offer end-to-end encryption on its communications services when it cannot break that encryption and therefore could not supply a law enforcement agency with access to cleartext metadata and the content of the communication on receipt of a lawful demand?
There is no legislation which specifically governs encryption of data communication. Our understanding is that decryption is an integral part of data interception. Vodafone is therefore, of the view that offering end-to-end decryption which Vodafone is unable to break would amount to flouting its statutory obligations if interception can be ordered.
Vodafone is of the view that the position would be different where a telecommunications operator customer accesses and downloads a third-party app via a third-party app store, because there would have been no positive action taken by a telecommunications operator in encrypting the data.
4. Please provide examples in this jurisdiction where legislation which predated the advent of commercial encryption (which Vodafone estimates to be circa 1990) has been applied to contemporary cases involving encryption.
There are no such examples in Lesotho.