Ghanaian High Court Stops Regulator and GVG from Violating Mobile Phone Privacy

The High Court in Accra has ordered Ghana’s National Communications Authority (NCA) and their private sector supplier GVG to destroy data that monitored the movements and activities of all Ghanaian mobile phone users, reports the Ghanaian Times. The data collection began in 2020 when President Nana Akufo-Addo signed Executive Instrument (EI) 63, which he justified by arguing that increased data gathering was needed to understand the spread of COVID-19. However, Justice Rebecca Sitties agreed with the plaintiff, Francis Kwarteng Arthur, a lawyer who brought the suit in a private capacity, that the President had exceeded his constitutional powers by instigating a comprehensive data grab that included information about each customer’s phone calls, text messages, mobile money transactions, and who they bank with.

In total, Arthur successfully sued five parties for interference and invasion of privacy:

  • the Ghana Telecommunications Network, which trades as Vodafone Ghana;
  • Scancom, which trades as MTN Ghana;
  • Kelni GVG, the Ghanaian subsidiary of international RA audit business Global Voice Group (GVG);
  • the National Communications Authority (NCA), Ghana’s communications regulator; and
  • Ghana’s Attorney General.

Justice Sitties observed that EI 63 violated and continues to violate the privacy rights of every Ghanaian. She ordered Vodafone, MTN and GVG to immediately stop the collection of data and that all data previously collected under EI 63 be destroyed. Justice Sitties also instructed Vodafone, NCA and GVG to each pay damages of GHS20,000 (USD3,300) to Arthur for using his personal data without sufficient consent.

The Ghanaian government has a deeply unhealthy relationship with GVG, paying them USD1,491,225 per month to perform what is sometimes described as a revenue assurance audit of telecoms traffic. KelniGVG won the contract on the pretext that they would prevent tax evasion by telcos, and by saying they were a Ghanaian business that invested in local people despite never having won any previous contracts in Ghana. It later transpired that they flew a team of NCA delegates to Spain for training about GVG systems, begging the question of why an established Ghanaian business would be incapable of training Ghanaians in Ghana. One critic of the KelniGVG contract alleged he had received death threats whilst an opposition MP said it was “very likely” that the systems were being used to spy on ordinary Ghanaians. The Ghanaian government keeps arguing the expensive contract has paid for itself by reducing tax evasion, but only provides superficial figures to support this claim and refuses to explain why none of the supposed tax evaders have been prosecuted.

GVG openly promotes their systems to governments across Africa, but the rationale keeps changing from place to place. In Ghana, they originally said they would collect lots of telecoms data to prevent rampant tax evasion by telcos. A few days ago the CEO of GVG told South Africans that they need his ‘regtech’ to protect them from cybercrime. But back in Ghana, the same systems were also being used to somehow monitor COVID-19 by analyzing how people spent their money! The truth is that all the supposed uses of GVG technology are just different excuses for the same underlying system: an enormous national telecoms database that captures who is calling whom, where they are, and any other data that can be obtained from phone usage. Whether you call it surveillance to prevent tax crimes, or surveillance to prevent cybercrimes, or surveillance to prevent the spread of disease, each is still a form of surveillance.

Governments may say they are buying a revenue assurance audit or they may instead talk about regtech, but ultimately they buy from GVG the capacity to turn phones into surveillance devices. This leads to a serious question that none of these governments have been willing to answer: what makes them all believe that this particular supplier is the only one that can satisfy their surveillance needs? It speaks volumes that a system that the Ghanaian public has been told is necessary to prevent tax evasion can be transformed overnight into a disease monitoring system, irrespective of what the constitution says about privacy. Nor is it surprising that GVG is in the middle of yet another scandal about who is receiving what benefit from the surveillance capabilities they provide.

I may sound like a broken record, but if professionals cannot see the overlap between revenue assurance and privacy violations then they must be deliberately averting their eyes. One way to spy on people is to use the methods uncovered by the Pegasus Project, where software on the target’s phone provides back door access to spies. However, governments have no need to go to the trouble of obtaining and installing sophisticated software on millions of mobile phones if they are willing to simply order telcos to pipe the same data to a centralized national monitoring database. Professionals working in this sphere must responsibly highlight all the ways that data can be used and abused so real safeguards can be implemented. Telecoms professionals must perform this task because the public lacks the insight to analyze the risks for themselves, and the politicians lack the motivation to place limits on themselves.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.