Lesotho whistleblowers switch to encrypted messaging Apps amid fears of state surveillance of SIM card-based networks
MOUNTING concerns over state surveillance on traditional SIM card-based communication methods offered by Lesotho’s mobile services providers are forcing many whistleblowers and activists to turn to ‘safer, more secure’ communication platforms to whistleblow and share information.
Investigations by this publication have shown that although WhatsApp is the platform of choice for those who have abandoned traditional Sim card-based mobile networks, a growing number of people are also turning to Signal, Telegram and Facebook Messenger.
Due to end-to-end encryption of information which provides higher levels of privacy from the prying eyes of third parties, including governments and security forces, whistleblowers say the apps are a “welcome breathe of fresh air as they are providing them with cheaper and more secure ways to continue exposing graft and injustice in state institutions with little fear of detection”.
“What’s more, unlike traditional Sim card-based applications, Whatsapp and other encrypted apps have greater capabilities when it comes to sharing sensitive and top-secret documents, videos, and messages. We are therefore empowered to continue feeding journalists with juicy scoops as well as leaking data to fight corruption safe in the knowledge that our identities and security aren’t being compromised,” said one government official who spoke on condition of anonymity for fear of reprisals.
Lesotho, a small landlocked kingdom hemmed in all sides by South Africa, is home to about 2, 1 million people. It is currently undergoing a long-drawn-out process to implement constitutional, governance, security sector, judicial, and media reforms to achieve lasting peace and stability which is crucial for economic development in an impoverished nation that is heavily reliant on foreign donor funding, food aid and remittances from its citizens in the diaspora.
Lesotho’s vibrant media and the public depend on whistleblowers, activists and other sources to expose corruption in government and the private sector.
Successive, short-lived governments have complained about leaking of what they say is sensitive state information. Some like former Prime Minister Pakalitha Mosisili’s administration even attempted to ban Facebook and Twitter (now known as X) in 2016.
Flash-forward to 2023 and the current Prime Minister Sam Matekane’s regime is expanding the state’s surveillance capabilities by enforcing a year-old law that requires all mobile network subscribers to register their Sim cards.
Since June 2022, Lesotho’s two mobile communications operators, Econet Telecom Lesotho and Vodacom Lesotho, have been registering the Sim cards of their customers and recording their personal data as well as their biometric details for onward transmission to the quasi-government Lesotho Communications Authority (LCA).
This is in line with the requirements of the Communications (Subscriber Identity Module Registration) Regulations gazette issued on 24 December 2021 by then Communications Minister Samuel Rapapa.
The regulations require citizens, diplomats, foreign nationals and visitors to register their Sim cards with mobile service providers or their agents.
The regulations are meant to make it easier for mobile service providers and the LCA to monitor citizens’ private communications and information which can be then passed on to the security agencies should the need arise.
In an interview this week, LCA Chief Executive Officer Nizam Goolam defended the mandatory SIM card registration law.
“We are in the fourth industrial revolution, where the thrust is digital transformation,” Mr Goolam said, adding, “We can see, especially in the financial sector, that a lot of financial transactions are now happening online or on the mobile phone”.
“More people are using mobile communication to electronically transfer money. However, the digital platform is overwhelmed by fraudulent activities, hence the need to register SIM cards so that perpetrators can easily be traced.
“It is important to protect the people. We therefore found it fit to register SIM cards. Registering your mobile SIM card does not mean that information will be used for surveillance. Surveillance is when you are monitoring the movements of people from point A to point B. The networks are designed to provide services, not to track people,” added Mr Goolam.
However, whistleblowers and others including the opposition are not buying his and the state’s explanations. They insist the real motive is to protect the government and ruling party officials from scrutiny for their actions while in public office.
Journalists and media organisations have also expressed fears that they will be targeted for exposing corruption in high places.
Prominent human rights lawyer, Fusi Sehapi, who has accused the state of running an illegal phone-tapping operation and hacking private communications, insists the law on the mandatory registration of Sim cards and capturing of biometric details is meant to give a cloak of legality to “illegal, clandestine surveillance operations which have long been practiced by the state”.
“My phone gets illegally tapped and traced from time to time I handle controversial cases against the government and/or politicians to the detriment of my security of person and life,” alleges Advocate Sehapi.
“The police, army and intelligence tap our phones. I may not be aware of the technology they use, but it has happened on several occasions that after consulting with clients over the phone, even before filing any papers in court, I will either be called to the police station for interrogation or see armed forces roaming around my residential area. Sometimes I will observe a vehicle without registration details tailing me. I believe these will be intelligence operatives. These things happen when I’ve taken cases against the government.
“All of this was happening even before the compulsory registration of Sim cards. It is clear to me that the Sim registration law is just meant to formalise the surveillance and give it a cloak of legality,” further states Adv Sehapi. According to papers obtained by this publication, the prominent lawyer is seeking the nullification of the controversial SIM card registration law on the grounds that it violates his constitutional rights to privacy, religion and free expression among others.
Embracing encrypted apps
Instead of fighting the issue in court like Adv Sehapi, information obtained by this publication shows that many whistleblowers, activists and even ordinary people are taking a different route. They are dumping traditional Sim card-based communication in favour of encrypted messaging apps such as Telegram, WhatsApp, Facebook Messenger, and Signal.
The information has been obtained through interviews, court documents and random surveys of various people in the capital, Maseru.
As is the case in several other countries, WhatsApp is the most popular app. Like other apps, WhatsApp offers end-to-end encryption, ensuring that under normal circumstances, only the sender and recipient can access the content of messages. This encryption is also meant to ensure that even authorities at WhatsApp cannot view the communications of their clients.
Such is the fear of state surveillance and faith in WhatsApp that when one government official was phoned for comment on his Sim card-based mobile network number, she promptly terminated the call and called back via WhatsApp.
“In all likelihood, my phone is being monitored and I can’t risk talking to a journalist on normal voice call,” said the official who requested anonymity.
“Therefore, I’ve opted to call you back via WhatsApp to discuss your concerns. As long as I have my handset and as long as it hasn’t been infected with any malware, it’s virtually impossible for the NSS (National Security Service) to monitor my communications. Apps like these have end-to-end encryption which means that no third party can access any part of our communication. I have even activated the two-factor authentication to make it difficult for anyone to access my WhatsApp conversations without my knowledge and consent,” the official said.
Two-factor authentication (2FA) is a security process to ensure that whoever is seeking to access a service or app like WhatsApp is really the person they claim they are. The process requests users to provide two different authentication factors before they are able to access an application or system, rather than simply their username and password.
According to fortinet.com, two-factor authentication “makes it more difficult for cybercriminals to steal users’ identities or access their devices and accounts. It also helps organisations keep attackers out of their systems, even when a user’s password has been stolen. The process is increasingly being used to prevent common cyber threats, such as phishing attacks, which enable attackers to spoof identities after stealing their targets’ passwords”.
Even with such greater protection, not everyone is sold on WhatsApp. A close associate of Mr Matekane recently baulked at answering questions sent to her by this publication regarding the infighting currently engulfing the prime minister’s fledgling Revolution For Prosperity (RFP) party.
He insisted that this journalist downloads and installs the Telegram app for any interaction to take place.
Once on Telegram, the official waxed lyrical abut the app’s supposed superiority over WhatsApp, saying, “Telegram comes with the option of ‘Secret Chats’. Not only are these protected through end-to-end encryption, the chats can even self-destruct. Telegram also offers comes with a password protection feature for individual chats, thus giving an added layer of security,” the official added before giving juicy details about his faction’s ultimately successful moves to sway Mr Matekane from appointing a member of a rival faction to the powerful post of government secretary.
Apart from WhatsApp and Telegram, Signal as well as Zoom and Teams Meeting apps have also become popular with those seeking to escape surveillance.
South African networks and good old-fashioned face-to-face meetings
Lesotho is the only African country which is completely hemmed in all sides by just one country. Its proximity to South Africa means that even the neighbouring country’s mobile networks like MTN can be accessed in Lesotho. The fact has not been lost on some Lesotho nationals who have resorted to using the South African networks whenever they want to communicate sensitive information.
Corruption and laxity in enforcing South Africa’s own Sim card registration laws mean that working Sim cards can be purchased from retail shops, on street corners in Lesotho and South Africa as well as the popular Park Station in Johannesburg.
Some Basotho who were surveyed by this publication said often purchased South African SIM cards and threw them away “once they had served their purpose of communicating sensitive information”.
“Even if the South African authorities were to release the information to their Lesotho counterparts, the communication cannot be traced back to me because the South African Sim cards we buy would already be registered under someone else’s name,” said one Lesotho national.
Another whistleblower, who has exposed several scandals years, over the years, said Maseru’s proximity to the South African city of Bloemfontein and Ladybrand town meant that whenever he had any important information to discuss with colleagues or share with journalists, they would simply arrange good old-fashioned meetings across the border in South Africa.
“Bloemfontein is just over an hour away while Ladybrand is just minutes from Maseru. It doesn’t take much to meet across the border yet it offers greater security than discussing issues over the border,” the whistleblower said.
Abiding security concerns
Despite the much-touted advantages of the encrypted apps, security concerns persist nevertheless.
While Telegram, Signal, WhatsApp and other apps enforce end-to-end encryption to ensure that only the sender and recipient have access to communications, they are by no means foolproof.
It has been proved in other countries that if the state agents were to gain access to a user’s mobile phone or other communication device, they could potentially intercept messages before they are encrypted or after they are decrypted, rendering encryption redundant.
In an interview last week, an information technology expert attached to the NSS boasted that they had sophisticated surveillance tools capable of cracking the encryptions if they so wished. He, however, refused to shed light on the matter.
A 2018 auditor general’s report revealed that former Prime Minister Mosisili’s government diverted R28 million meant for student loans to purchase spy equipment from an unknown destination. The expert may have been referring to the equipment purchased with the R28 million.
As Botswana has recently shown, Israeli firms like Cellebrite are known to produce sophisticated software for hacking into people’s phones and other communication devices.
Such sophisticated software can gain unauthorised access to devices to capture messages before they are encrypted to protect them from third parties.
Despite the privacy concerns around them, Lesotho’s mobile service providers, Vodacom Lesotho and Econet Telecom Lesotho, are set to remain market leaders for the foreseeable future. This is due to various factors, including the fact that they offer mobile money and banking services to huge sections of the hitherto unbanked population. The SIM card will remain in use because in any case, even those who are using WhatsApp, Telegram, Signal and others still rely heavily on the communications networks and their SIM-based services for data to power the encrypted communication apps.
Herbert Moyo is a journalist researching digital surveillance, with support from the Media Policy and Democracy Project run by the University of Johannesburg’s Department of Communication and Media.