Widespread fears of email monitoring in South Sudan are likely unfounded, according to multiple sources in the security and ICT fields, who said that authorities cannot monitor emails sent and received by people within the country.
The country’s ICT infrastructure inhibits government monitoring of emails, according to an ICT professional who has worked in the South Sudan context. He pointed out that many Internet users in South Sudan access the Internet via imported satellite equipment (VSAT), which provides a client-satellite connection.
“If a dedicated satellite connection is used as most actors do the possibility of monitoring is almost zero as no changes on imported VSAT equipment are done by the government and therefore no control of what is being used over such Internet connection,” said the expert, who spoke on condition of anonymity.
An observer familiar with the security services in South Sudan said that claims that the government can monitor email communications are deliberately intended to create fear among the citizens.
“There are substantial claims that they monitor e-mails but this is just to cause and create fear for users,” he said.
Although some security personnel have had technological training in Western or Asian countries, they nonetheless “lack necessary surveillance tools” to enable mass or targeted surveillance of email communications.
“Having knowledge is one thing and quite another to have necessary surveillance tools.”
Another individual, an ex-National Security Service officer, said outright that they do not have the capacity to monitor email exchanges.
The ICT expert reiterated there was “no concern” from his point of view that the government could monitor communications over VSAT connections.
Protections and vulnerabilities
However, the ICT worker said email communications carried out over mobile network connections may be more vulnerable to interception. The mobile providers offering Internet access services in South Sudan include Zain, Vivacell and MTN.
The source said that some technology companies sell “a simple surveillance box which can be put into a network,” adding, “The South Sudanese government most likely doesn’t possess such a box but the different mobile companies might and [could] pass on the information to the government.”
However, “those boxes might have limitations when it comes to read encrypted email connections,” he noted.
The expert pointed out that most commercial email services have “client-server encryption,” which means that email messages are computer-coded so as to be unreadable without the “key” to the message. On most email services these encryption processes are automated.
Encryption is “commonly used in protecting information within many kinds of civilian systems… to protect data in transit, for example data being transferred via networks (e.g. the Internet),” according to the online Encyclopedia Wikipedia.
Given the difficulties intercepting and decoding encrypted email messages, sources suggested that South Sudanese security personnel seeking to access email messages of targets would have to resort to more rudimentary intrusion techniques such as actually coercing a user to disclose his or her password or ‘phishing’, which involves tricking a user into disclosing his or her password.
Even this latter approach requires a high level of computer training, one source pointed out, claiming the National Security Service has trouble in retaining such qualified personnel owing to “lack of motivation” and pay.
Legal requests to tech companies
In other countries, some law enforcement and security services make formal requests to technology companies to access information from certain users’ email accounts, in cases of suspected criminal activity. These requests are reviewed on a case-by-case basis.
The company Google, which runs the popular Gmail service, says that it receives such requests normally in the form of a subpoena, court order or search warrant. These are formal legal documents.
According to data published by Google on these requests, governments in some countries regularly make many requests, for example Singapore, Germany and the United States, while the government of South Sudan has never made a request to Google for disclosure of user information.
Similarly, the company Yahoo, which runs the Yahoo Mail service, has published data showing the number of such requests by country. South Sudan is not listed. This indicates that the companies Yahoo or Google have apparently never given user information to the South Sudanese government.
‘Atmosphere of fear’
In a joint report in August 2014, Amnesty International and Human Rights Watch warned of an “atmosphere of fear” facing journalists and human rights defenders in South Sudan.
The report, titled ‘The Price of Silence,’ said that widespread concern about government surveillance hinders the ability of citizens to engage in frank conversations, restricting the flow of information within the country.
The human rights groups stressed, “For a surveillance program to be lawful, it must be prescribed by law, necessary to achieve a legitimate aim, and proportionate to the aim pursued”
“As there is currently no legal basis for communications surveillance in South Sudan, any surveillance that takes place constitutes a violation of the right to be protected by law against arbitrary interference with privacy, and may have a chilling effect on, or otherwise constrain, the exercise of the right to free expression.”
The two human rights organizations also warned that there are particular concerns about surveillance of conversations over mobile telephones.
Other sources confirmed existing albeit limited efforts to monitor telephone conversations in South Sudan, on a targeted and not mass basis.