- The Pegasus Project, a collaborative journalistic investigation, coordinated by the Forbidden Stories consortium, revealed Rwandan authorities’ use of NSO Group’s Pegasus spyware, a sophisticated surveillance tool, which may have potentially targeted more than 3, 500 individuals, including journalists and politicians in Rwanda.
- We join global calls for the imposition of a moratorium on the sale, transfer, and use of surveillance technology in Rwanda, given inadequate legal frameworks and due process guarantees and documented human right risks.
- These surveillance revelations also highlight the need to strengthen encryption protections in Rwanda. A strong encryption environment is crucial for the promotion and protection of Rwanda’s commitments to freedom of expression, privacy and data protection under the African Charter on Human and Peoples’ Rights (African Charter), amongst others.
- A strong encryption environment will also promote Rwanda’s trade and e-commerce objectives, in accordance with its commitments to protect privacy and data protection and strengthen its cyber security environment, under the Agreement Establishing the African Continental Free Trade Area (AfCFTA) and the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention).
“Despite Rwandan authorities denying their use of Pegasus’ spyware, reports of targeted surveillance must be taken seriously and fully investigated given the human rights implications. We call on the government to invite regional and international special mechanisms tasked with promoting and protecting freedom of expression and privacy, to undertake investigative and fact-finding missions. We also call on the Attorney General to develop and deploy a comprehensive and independent investigation plan with support from relevant stakeholders. Further, we urge the Rwandan Parliament to strengthen encryption safeguards by aligning the draft Data Protection Bill and reforming surveillance and interception laws in line with regional and international human rights standards,” said Mugambi Kiai, Regional Director at ARTICLE 19 Eastern Africa.
Over the past week, there have been various revelations on the use of spyware technology called Pegasus developed by the Israeli cyber-intelligence firm, NSO Group under the Pegasus Project. Under this project, the Forbidden Stories consortium, including the not-for-profit organisation with technical support from Amnesty International’s Security Lab, documented that ‘more than 50,000 phone numbers [were] selected for surveillance by the customers’ of NSO Group. Pegasus works by covertly breaking the encryption of communication devices such as mobile phones and personal computers, among other Internet-enabled devices and then infecting the devices with spyware. Breaking the encryption of one or two devices puts everyone at risk especially since these vulnerabilities are never disclosed to tech companies and thus allow for the vulnerabilities to be misused.
These revelations from the Pegasus Project have also cast suspicion on the Rwandan government. Media organisations, such as the Guardian, reported that Carine Kanimba, daughter of Paul Rusesabagina, has been subjected to a targeted surveillance campaign since at least January 2021. Paul Rusesabagina is a Rwandese activist and politician who inspired ‘Hotel Rwanda’ and is currently facing trial for terrorism charges. Forbidden Stories also documented the reported wiretapping of Ugandan officials by Rwanda, including ex-Prime Minister Ruhakana Rugunda, Foreign Affairs Minister Sam Kutesa and senior intelligence officer Joseph Ocwet.
These reports have been discounted by the Rwandan Minister of Foreign Affairs and Cooperation and Government Spokesperson, Dr. Vincent Biruta, who reiterated the official government position that the country does not use NSO Group’s spyware. However, it is important to point out that in November 2019, H.E. President Paul Kagame affirmed that Rwanda, like other countries, “…run[s] intelligence… and use[s] human intelligence…” that Rwanda is “…very good at…” However, H.E. President Paul Kagame denied that Rwanda was using Pegasus technology due to its high cost.
Strengthening Rwanda’s digital environment
The concerns raised by the reported findings from the Pegasus project speak to the larger impact of targeted digital surveillance technology on human rights, beyond the right to privacy. We support the call by the UN Special Rapporteur on Freedom of Expression to impose an ‘immediate moratorium on the global sale and transfer of the tools of the private surveillance industry until rigorous human rights safeguards are put in place to regulate such practices and guarantee that Governments and non-State actors use the tools in legitimate ways.’
These revelations also affirmed the need to strengthen encryption safeguards through targeted legal reform, whilst also prioritising oversight, accountability and transparency over Rwanda’s surveillance environment. The use of the authentication techniques derived from encryption, facilitates the exercise of the rights to freedom of expression, privacy and data protection in Rwanda by enabling anonymous speech and private communications.
ARTICLE 19 has noted before that, “…encryption is a fundamental feature of the internet. Without the authentication techniques derived from encryption, secure online transactions would be impossible. Without encryption itself, the electronic communications of every individual, as well as every private company and government agency, would be open to inspection and abuse. For this reason, encryption is used on a daily basis for information and activities such as online banking, privileged lawyer- client communication, medical data, tax records, and major infrastructure such as electric grids or power plants. It is particularly important for human rights defenders, whistleblowers, journalists and activists who are often the subject of surveillance by intelligence or law enforcement agencies….”
We also affirm that encryption safeguards are important to major players in Rwanda’s e-commerce sector, including banks, as they secure online transactions and personal data, which is recognised as a crucial limb under the Malabo Convention and the AfCFTA. In July 2021, reports indicated the susceptibility of banks in Rwanda to network interception and unauthorised access due to weak encryption protections and safeguards.
Rwanda’s legal obligations to data privacy
Rwanda has obligations under Articles 23 and 38 of the Constitution of the Republic of Rwanda (2003, revised in 2015) to safeguard the rights to privacy and freedom of expression. Rwanda is also a state party to various international human rights treaties as listed here. Importantly, Rwanda also ratified the Agreement Establishing the African Continental Free Trade Area (AfCFTA) on 25 May 2018.
Further, Rwanda ratified the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention) on 21 November 2019, which protects the right to privacy under Articles 8, 10, 14 and 25.
Additionally, during the 133rd Inter-Parliamentary Union Assembly in 2015, parliamentarians from around the world unanimously adopted the Resolution on Democracy in the Digital Era and the Threat to Privacy and Individual Freedoms. Rwandan parliamentarians committed to, amongst others, ensure that all legislation in the field of surveillance, privacy and personal data is based on the principles of legitimacy, legality, transparency, proportionality, necessity and the rule of law.
Lastly, during Rwanda’s 3rd Universal Periodic Review, Rwanda accepted 14 out of 53 recommendations it received related to the right to freedom of expression, committing to strengthen its legal system and revise provisions that undermine this right. These recommendations are integral to ensuring the fulfillment of the above legal obligations.
In order for Rwanda to fulfill the above obligations, we call on:
- The Rwandan government to:
- immediately put in place a moratorium on the sale, transfer, and use of surveillance technology, until appropriate human rights laws and safeguards have been put in place.
- invite regional and international special mechanisms tasked with promoting and protecting freedom of expression and privacy, to undertake investigative and fact-finding missions to ensure that the Rwandan government is respecting and promoting human rights.
- develop and deploy a comprehensive and independent investigation plan, with support from relevant stakeholders from both the public and private sectors. This investigation must investigate any partnership between any Rwandan agency or department and the NSO Group, and if any partnership exists, ensure it is terminated immediately.
- The Rwandan Parliament to strengthen encryption safeguards and protections and:
- align the draft law relating to personal data protection and privacy with Rwanda’s commitments under international law, prior to adoption and operationalisation.
- reform laws that negatively impact encryption and anonymity protections to bring them in line with international privacy and freedom of expression standards, in particular the ICT Law, the Law of Interception (2013) and the SIM Card Regulations (2015).
For more information, please contact:
Mugambi Kiai – Regional Director, ARTICLE 19 Eastern Africa: [email protected]article19.org