The right to privacy in Sudan: A call to enact a data protection act

The former totalitarian Sudanese regime used various types of unethical and rights-infringing tactics to remain in power, including privacy invasion through unjust laws and surveillance tactics via imported technologies. 

The regime, deposed ^[1] after a series of pro-democracy protests ended 37 years of power earlier this year, now faces intense critique over its violations. Sudan is now at a critical moment in history to stir up a debate about the interplay between the state, private sector and citizens in terms of privacy rights. 

As Sudan embarks on a three-year transition toward democracy and civilian rule, transitional authorities must consider reforms aimed at promoting and protecting the right to privacy. 

Imported technologies

To spy on users and citizens, the deposed regime used surveillance and tracking technologies sold by Western companies. The regime had to import these technologies secretly due to US sanctions ^[2] that prohibited the regime from acquiring them.  

In July 2013, Citizen Lab, a Toronto-based interdisciplinary laboratory that does research at the intersection of technology and human rights, identified the presence of the Blue Coat ProxySG device ^[3]on Canar ^[4] network, a privately-owned Sudanese internet service provider. The device, sold by the California-based company Blue Coat Systems, before it was acquired ^[5] by another American software company in 2016, allows for the interception of users’ encrypted sessions on the internet.

In February 2017, Citizen Lab published another report that mapped ^[6] the use of spyware sold by Hacking Team, an Italy-based company, to governments across the world, including repressive regimes. The study found that 21 governments, including Sudan, used the company's Remote Control System (RCS) which ‘’enables government surveillance of a target’s encrypted internet communications, even when the target is connected to a network that the government cannot wiretap.’’ According to the same report: 

RCS’s capabilities include the ability to copy files from a computer’s hard disk, record Skype calls, emails, instant messages, and passwords typed into a web browser Furthermore, RCS can turn on a device’s webcam and microphone to spy on the target

This collaboration between Hacking Team and the Sudanese government did not go unnoticed and the international community questioned it. In June 2014,  the United Nations asked Hacking Team to provide information about its sales to the Sudanese government. According to a report ^[7] by the Intercept, “the internal records proved that Sudan’s National Intelligence and Security Service paid  960,000 euros [$1,071,504 United States dollars] for Remote Control System.”

Existing legal framework

Under Sudanese law, authorities could access user data after obtaining an order form a prosecutor or judge. Article 74 of the 2018  Telecommunications and-Postal Regulation Act ^[8] clearly permits interception, surveillance and eavesdropping — only on order from the prosecutor or a specialized judge — and violators are punished with five years in prison, fine or both. 

Unauthorised interception and eavesdropping is illegal. For example, the 2007 Cybercrime Act ^[9] prescribes a punishment of up to three years in jail, a fine or both against anyone “who taps, captures or intercepts any message through an information network or computer hardware or similar without permission from the public prosecutor or the competent authority or the party to which the information belongs.’’ The term ‘’competent authority’’ is not defined, making the law subject to abuse.  

Article 28 of the 2007 Electronic Transactions Act ^[10] punishes anyone who discloses encrypted data for any unauthorized party or access any piece of information without approval, with ten years in prison or fine or both. The Act deals with financial transactions such as online payments and legal contracts. 

While the 2016 Anti-corruption Act ^[11]cherished the privacy rights of whistleblowers, punishing anyone who reveals their personal data with two years in prison, or fine or both.

Legal void

While these laws offer some protection, in practice they are not enough to protect Sudanese users’ privacy and data from government surveillance. 

In fact, the use of surveillance tools such as Hacking Team’s RCS system and Blue Coat ProxySG by the former regime, is evidence of how it was possible for the authorities to violate users’ privacy, without needing to obtain a court order.

The use of vague terms such as  “competent authority”— as in the 2017 Cybercrime Act — without any clear definition, gives telecommunications companies a pretext to hand over user information to security agencies — even in the absence of a court order.

Independent supervision over how the government and the private sector handle personal data is lacking in Sudan. For example, in February 2014, the Sudanese parliament publicly discussed the invasion of privacy by the National Intelligence and Security Service ^[12] ( NISS) through ISPs and telecommunication companies, such as MTN-Sudan ^[13], ZAIN ^[14], SUDANI ^[15] and CANAR ^[4].

No independent investigation was launched and local media reported that the then-telecommunications minister refused ^[16] to answer whether or not monitoring of phone calls and online activities was legally taking place. 

In fact, Sudan has no data protection authority and no data protection law ^[17] that regulates the collection, storage and use of personal data by governments and the private sector. A basic principle of an effective data protection law is the establishment of an independent regulator that oversees the law’s implementation. In the absence of such a legal framework, personal data will remain at risk of misuse and abuse not only by the government but also the private sector. 

The current, existing legal framework does not include any provisions that require companies, websites and organizations to share or have a written policy that explains their data collection and sharing practices. 

Sudanese websites, applications, online platforms MUST have (Terms and conditions of Use ) and (Privacy policy ) hich explains how information about customers is collected, used disclosud and analysed. #privacylaws ^[18] #Sudan ^[19]

— Amr Mohsen (@AmrMohsenadvo) October 31, 2019 ^[20]

For example, emerging online businesses in Sudan that depend primarily on e-payment, lack transparency about how they handle their users’ information. Online shopping platforms Dukan ^[21], Maglag ^[22] and  Sahla ^[23] publish privacy policies that reveal limited to no information on data collection, retention and sharing. Others such as e-commerce site ma3roud ^[24] do not publish privacy policies. Ride-sharing applications such as Tirhal ^[25], lemon ^[26] and Tarha ^[27] provide privacy policy links on their app pages, perhaps as an attempt to fulfill registration requirements for Apple and Google Play stores. These only direct users to their websites — which do not actually include privacy policies. 

As part of a power-sharing agreement to guide Sudan’s three-year transition toward civilian rule, the Transitional Military Council and the political coalition that represents the protesters, Forces of Freedom and Change ^[28], signed the Constitutional Charter for the 2019 Transitional Period ^[29].

Article 54 of the charter enshrined the right to privacy. It states: ‘’No one’s privacy may be violated, nor shall it be permitted to interfere in the private or family life of any person in his home or correspondence, except by law.” 

However, in the absence of reforms aimed at reinforcing and protecting privacy, this right remains under threat. An effective data protection law in Sudan is crucial to fulfilling legislative gaps, in accordance with the international human rights standards and best practices ^[17] for data protection.