UPDATED: May 2017 | SOURCE: Vodafone Group with support from Hogan Lovells
Provision of Real-time Lawful Interception Assistance
THE ELECTRONIC AND POSTAL COMMUNICATION ACT
The Electronic and Postal Communication Act of 2010 (the EPOCA) does not specifically make provision for the interception of customer communications. However, the existence of intercept powers can be implied from Section 120 of the EPOCA which states that no person without lawful authority under the EPOCA or any other written law can intercept, attempt to intercept or procure any other person to intercept or attempt to intercept any communications. An application must be made under ‘any other law’ to the director of public prosecution (the DPP) for authorisation to intercept or listen to any customer communication transmitted or received. Only public officers or an officer appointed by the Telecommunications Regulatory Authority (the TCRA) and authorised by the Ministry of Science and Technology and the Ministry of Home Affairs may be permitted to intercept such communications.
Section 120 of the EPOCA provides that any person who, without lawful authority under the EPOCA or any other written law:
a. intercepts, attempts to intercept or procures any other person to intercept or attempt to intercept any communications;
b. discloses, or attempts to disclose to any other person the contents of any communications, knowingly or having reason to believe that the information was obtained through the interception of any communications in contravention of this Section; or
c. uses or attempts to use the contents of any communications, knowingly or having reason to believe that the information was obtained through the interception of any communications in contravention of this Section.
This Section therefore implies that any person with lawful authority may intercept customer communications.
TANZANIA INTELLIGENCE AND SECURITY SERVICE ACT
The Tanzania Intelligence and Security Service Act Cap 406 R.E. 2002 (the TISSA) states that the Tanzania Intelligence and Security Service (the Service) has a duty to collect by investigation or otherwise, to the extent that it is strictly necessary, and analyse and retain, information and intelligence in respect of activities that may on reasonable grounds be suspected of constituting a threat to the security of Tanzania or any part of it. Section 15 of the TISSA further states that the Service has the power to investigate any person or body of persons whom it considers, or which it has reasonable cause to consider, a risk or source of a risk of a threat to state security. The Service may conduct any investigations which are required to provide security assessments.
Section 10 of the TISSA gives the Director-General of the Service command, control, direction, superintendence and management of the Service and all matters connected with it. However, all orders and instructions to the Service issued by the Director-General are subject to any orders issued by the President of the United Republic of Tanzania, unless the minister responsible for intelligence and security directs otherwise in writing.
PREVENTION OF TERRORISM ACT
According to Section 31 of the Prevention of Terrorism Act of 2002 (the PTA), subject to obtaining prior written consent from the Attorney-General, a police officer may make an application, ex parte, to the court for an interception of communications order to obtain evidence of the committing of an offence of terrorism under the PTA. The court to which an application is made may make an order:
a. requiring a communications service provider to intercept and retain a specified communication or communications of a specified description received or transmitted, or about to be received or transmitted by that communications service provider; and
b. authorising the police officer to enter any premises and to install on those premises any device for the interception and retention of a specified communication of a specified description, and to remove and retain such device.
This can only be done if the court is satisfied that the written consent of the Attorney-General has been obtained and that there are reasonable grounds to believe that material information relating to a terrorism offence or the whereabouts of a person suspected by a police officer to have committed an offence is contained in a certain communication or communications.
CRIMINAL PROCEDURE ACT
Section 10 of the Criminal Procedure Act Cap 20 R.E. 2002 (the CPA) grants police officers the power to investigate the facts and circumstances of a case where they have reason to suspect the committing of an offence. Further, Section 10(2) of the CPA specifically gives police officers the power, by order in writing, to require any person (natural or legal) who from information given in any other way appears to be acquainted with the circumstances of a case, or who is in possession of a document or anything else relevant to the investigation of a case, to attend or to produce the document or other item.
Disclosure of Communications Data
THE ELECTRONIC AND POSTAL COMMUNICATIONS ACT
Section 91 of the EPOCA provides for a database to be kept with the TCRA in which all subscriber information will be stored. Every application services licensee must submit a monthly list to the TCRA containing its subscribers’ information.
Regulation 4(2)(b) of the Electronic and Postal Communication (Telecommunications Traffic Monitoring System) Regulations of 2013 (the TTMS Regulations) allows the TCRA to acquire, install, operate and maintain traffic monitoring and measurement devices at the operator’s premises. Moreover, Regulation 8 of the TTMS Regulations allows, inter alia, the traffic monitoring system to collect call detail records without intercepting any of the contents of communications such as voice or SMS. Call detail records have been defined as information generated by telephone exchanges which contains details of calls originating from, terminating at or passing through the exchange.
In addition, Regulation 13(4) of the TTMS Regulations states that the TCRA must ensure that call detail records data are collected exclusively to monitor compliance with the TTMS Regulations; they must be encrypted and stored with the last three digits of the calling numbers hashed in order to protect confidentiality; and call detail records collected are not to be transmitted or given to third parties, public or private, except as permitted by law.
The EPOCA provides that information may only be disclosed by an authorised person where it is required by any law enforcement agency, court of law or other lawfully constituted tribunal authority with respect to subscriber information.
However, according to the Electronic and Postal Communications (Licensing) Regulations of 2011 (the Licensing Regulations), a licensee may collect and maintain information on individual consumers where it is reasonably required for its business purposes. It further provides that the collection and maintenance of information on individual consumers must be:
a. fairly and lawfully collected and processed;
b. processed for identified purposes;
d. processed in accordance with the consumer’s other rights;
e. protected against improper or accidental disclosure; and
f. not transferred to any party except as permitted by any terms and conditions agreed with the consumer, as permitted or approved by the Authority, or as permitted or required by other applicable laws or regulations.
Under Section 99 of the EPOCA, a person will not disclose any information received or obtained in exercising powers or performing duties in terms of the EPOCA except where the information is required by any law enforcement agency, court of law or other lawfully constituted tribunal.
Notwithstanding this, any authorised person who executes a directive or assists with its execution and obtains knowledge or information of any communication may:
i. disclose such information to another law officer to the extent that it is necessary for the proper performance of the official duties of either of them; or
ii. use such information to the extent that it is necessary for the proper performance of official duties.
National Security and Emergency Powers
THE NATIONAL SECURITY ACT
The National Security Act Cap 47 R.E. 2002 (the NSA), which makes provisions relating to state security, states in Section 15 that where the DPP is satisfied that there are reasonable grounds for suspecting that an offence under the NSA has been or is about to be committed, and that some person may be able to provide information about it, he or she may, by writing under his or her hand, authorise a named officer to require that person to give a police officer any information he or she has relating to the suspected or anticipated offence.
TANZANIA INTELLIGENCE AND SECURITY SERVICE ACT
Section 5 of the TISSA gives authority to the Service to obtain, correlate and evaluate intelligence relevant to security, and to communicate any such intelligence to the minister and to persons whom, and in the manner which, the Director-General considers it to be in the interests of security. In doing so, the Service will cooperate as far as practicable and necessary with other state organisations and public authorities within or outside Tanzania that are capable of assisting the Service in the performance of its functions.
CONSTITUTION OF UNITED REPUBLIC OF TANZANIA
The Constitution of the United Republic of Tanzania of 1977 as amended from time to time (the Constitution) provides Parliament with the power to enact and enable measures to be taken during a state of emergency or in normal times in relation to persons who are believed to engage in activities which endanger or prejudice the security of the nation.
Article 31 of the Constitution provides that any law enacted by Parliament will not be void for the reason only that it enables measures that derogate from the right to life to be taken during a state of emergency or in normal times in relation to persons who are believed to engage in activities which endanger or prejudice the security of the nation.
Oversight of the Use of Powers
Other than as outlined above, there is no judicial oversight of these powers. However, Section 114 of the EPOCA states that the TCRA may take enforcement measures against any person who contravenes the licence conditions, regulations and provisions of the EPOCA.
SHUT-DOWN OF NETWORK AND SERVICES
Electronic and Postal Communications (Licensing) Regulations 2011
Regulation 36 of the Electronic and Postal Communications (Licensing) Regulations of 2011 empowers the Tanzania Telecommunications Regulatory Authority (TCRA) to cancel or revoke the licence of a telecommunications provider (such as Vodacom) where the terms and conditions of that licence have been breached. The TCRA must issue a written notice to the licensee 30 days prior to the revocation of the licence. Were the TCRA to revoke Vodacom’s licence, Vodacom would not be able to provide any telecommunications services and, in effect, its network would shut down.
BLOCKING OF URLS & IP ADDRESSES
Tanzania Communications Regulatory Authority Act 2003
The TCRA may, in fulfilling its functions, require a network provider (such as Vodacom) to block certain websites if they contain obscene material (the term ‘obscene material’ is not defined in the Act). The TCRA may do so by issuing a compliance order on the network provider concerned according to Section 45 of the Tanzania Communications Regulatory Authority Act of 2003. A compliance order is enforceable as an order of the High Court.
POWER TO TAKE CONTROL OF VODACOM’S NETWORK
Electronic and Postal Communication Act 2010
The police or the TCRA have the power to take control of Vodacom’s network but only in the limited circumstances set out in Section 163 of the Electronic and Postal Communication Act of 2010. Under Section 163, a police officer or employee authorised by the TCRA may seize network equipment where he or she has reasonable grounds to believe that the electronic communication system supported by that equipment contravenes the terms of the licence issued to it by the TCRA or is otherwise in breach of the 2010 Act (or any regulations made under the Act). If no prosecution follows a seizure, the network equipment can be re-claimed within two months of the date of seizure or it is deemed forfeited.
Oversight of the Use of Powers (Censorship-related)
ELECTRONIC AND POSTAL COMMUNICATIONS (LICENSING) REGULATIONS OF 2011
There is no judicial review of the TCRA’s use of its powers under Regulation 36 of the Electronic and Postal Communications (Licensing) Regulations of 2011.
TANZANIA COMMUNICATIONS REGULATORY AUTHORITY ACT OF 2003
There is no judicial review of the TCRA’s use of its powers according to Section 45 of the Tanzania Communications Regulatory Authority Act of 2003.
ELECTRONIC AND POSTAL COMMUNICATION ACT OF 2010
Where a network provider’s equipment is seized according to Section 163 of the Electronic and Postal Communication Act of 2010, it is possible for that network provider to seek the release of its equipment. When the network provider applies to the TCRA, the TCRA refers the matter to the Resident Magistrate’s court or a district court, which presides over the TCRA’s or police officer’s action and decides whether the network equipment should be forfeited or released.
Encryption and Law Enforcement Assistance
1. Does the government have the legal authority to require a telecommunications operator to decrypt communications data where the encryption in question has been applied by that operator and the operator holds the key?
Vodafone is not aware of any express legal powers in this area. Vodafone would presume that the government would have the authority to require any network operator to decrypt communications data where it has applied the encryption – but only to the extent that such decryption was necessary for the law enforcement assistance (see ‘Provision of real-time lawful interception assistance’ and ‘Disclosure of communications data’ earlier in this chapter).
The most significant and relevant legal development has been the passing of the new Cybercrimes Act of 2015 (the CA), which may be applicable to this question. That said, the CA does not specifically seek to regulate encrypted material. However, Section 22(2), which creates the offence of obstruction of investigation, sets out the following:
A person who intentionally and unlawfully prevents the execution or fails to comply with an order issued under this Act, commits an offence and is liable, on conviction, to a fine of not less than three million shillings or to imprisonment for a term of not less than one year or to both. [own emphasis]
It is clear from this provision that a service provider may become criminally liable if it fails to adhere to an order made according to the CA.
In particular, when looking at the law enforcement assistance orders concerning ‘search and seizure’ as set out in Part IV of the CA, the CA (among other things):
a. provides the ability to compel disclosure of data derived from being in the service provider’s possession or control; and
b. states that the data disclosure must be in a form that is legible and can be taken away.
Points (a) and (b) appear to be highly relevant to the issue of decryption and would suggest that a communications service provider could be required to decrypt data that is within its possession or control in order to make such data legible to the party serving the order.
To Vodafone’s knowledge, there has been no matter before the Tanzanian courts that has tested the precise reach of this provision. In Vodafone’s view, however, the provision seems capable of being applied to compel a service provider to decrypt data in the circumstances set out above.
In respect of the disclosure and collection of traffic data where there are reasonable grounds that a computer system is required for the purpose of investigation, the provisions are extensive. They allow orders to be made by the police or the court for the disclosure, collection or recording of the traffic data associated with a specified communication during a specified period. They also permit and assist the law enforcement officer to collect or record that data. It is Vodafone’s view here that these provisions may extend to the issue of compelling decryption.
2. Does the government have the legal authority to require a telecommunications operator to decrypt data carried across its networks (as part of a telecommunications service or otherwise) where the encryption has been applied by a third party?
The key issue here is the extent that the encrypted data is in the service provider’s possession or control.
This, in Vodafone’s view, would have to be determined by the relevant body or court. If there is only a remote chance of the telecommunications operator being able to decrypt the data because the data in question has been encrypted by a third party, then this may nullify issues of whether the service provider is in possession or control.
The CA does not appear to compel a service provider to go to any lengths regarding the data that passes through its network and this is clear, for example, in Part V of the Act, which deals with liability of service providers. There are no monitoring obligations, for example. However, it is noteworthy that:
The Minister may prescribe procedures for service providers to:
a. inform the competent authority of alleged illegal activities undertaken or information provided by recipients of their service; and
b. avail competent authorities, at their request, with information enabling the identification of recipients of their service.
With regard to whether a telecommunications operator would be required to provide equipment interference or other forms of assistance, it appears that the CA has the potential to prescribe such a procedure. Bearing in mind the provisions set out in the National Security Act (NSA) and the Tanzania Intelligence and Security Service Act (TISSA), there appear to be a number of avenues available to the Tanzanian authorities to compel the telecommunications operator to decrypt data – even to the extent of providing some form of ‘equipment interference’ if the telecommunications operator was determined to be a source of risk threatening national security following Section 15 of the TISSA. The TISSA also provides the ability to enact specific regulations that would enable the Service to carry out its duties under the Act.
3. Can a telecommunications operator lawfully offer end-to-end encryption on its communications services when it cannot break that encryption and therefore could not supply a law enforcement agency with access to cleartext metadata and the content of the communication on receipt of a lawful demand?
The law does not specifically refer to end-to-end encryption. It is Vodafone’s view that if certain services are out of scope to the telecommunications operator, then the data cannot properly be said to be in the telecommunications operator’s possession or control. See also the answer to Question 2 above.
That said, because the telecommunications operator may be perceived as having deliberately enabled a technology that puts its customers’ data out of the telecommunications operator’s possession or control, and therefore prevents the telecommunications operator from complying with its existing law enforcement assistance obligations as described earlier in this chapter, the telecommunications operator providing access to and/or facilitating such a service might be deemed controversial.
4. Please provide examples in this jurisdiction where legislation which predated the advent of commercial encryption (which Vodafone estimates to be circa 1990) has been applied to contemporary cases involving encryption.
Vodafone has not come across any ‘old law’ apart from the Constitution, the NSA and the TISSA, which in their original forms predated 1990 and the advent of commercial encryption.
However, the legal powers referred to earlier in this chapter (e.g. the legal powers under the Constitution, the NSA, the TISSA and the Emergency Powers Act) are broad where national security issues are at stake. In this context, therefore, it is not far-fetched to conceive of a situation where specific legislation would be enacted to compel the telecommunications operator to decrypt data, and/or to put in place whatever it could, to assist the authorities if, for example, this was deemed necessary to thwart a perceived real national security risk.
In Vodafone’s view, such conduct would be open to the Tanzanian authorities, notwithstanding the possibility of this being challenged by judicial review in certain circumstances.