Back to main site

    Privacy and Data Protection Violations

    Module 2: Digital attacks and Online Gender-Based Violence

    Overview

    • Different forms: ICT-related violations of privacy exist in a wide range of different forms that are rapidly changing and evolving as new technologies develop and become widespread, and as both users of these tools and perpetrators find innovative new tools and loopholes to target the growing volume of personal information available online. Some examples include:
      • Cyberstalking, which includes repeated, intrusive, and persistent behaviour over digital channels such as messaging or calls or placing a subject under surveillance aimed at harassing or creating fear in the subject.
      • Sextortion, in which a perpetrator blackmails a victim into either creating sexually explicit material like images or videos engaging in unwanted sexual acts for payment or using threats against the victim or their loved ones.(1) It therefore includes other forms of violence such as hacking accounts, intercepting communications and NCII.
      • Doxxing, or the publication of personal data of an individual without their consent and with the intent to embarrass, humiliate or expose a victim to harassment.(2)
      • Hacking, which includes the unauthorised access of a person’s device, network, or account for nefarious purposes, for example obtaining personal data.
      • Impersonation, creating a fake account using the person’s name, image, or both in order to post false, misleading, inciteful, maligning or inflammatory content.(3)
    • Targets: Privacy violations such as the examples above are frequently used as tactics to target and attack women journalists, frequently in combination with other digital attacks. It is clear that there is significant overlap between privacy violations and other forms of digital attacks, especially the various forms of cyber-harassment which often involve a component of intruding into one’s personal space or collecting personal information without consent.

    Cyberstalking: How can journalists be targeted?

    Cyberstalking can manifest itself in many forms. A few examples of ways in which journalists can be targeted include:

    • The use of emails or messages to send sexist, suggestive, or threatening content to the victim;       
    • The repetitive and excessive tagging of the victim on their own or unrelated posts; ·            Unwavering participation in the target’s online activities, through liking, commenting, retweeting, or sharing their online content;
    • The creation of fake posts, e.g., with sexually explicit videos or photos of themselves, to embarrass and shame the victim.  

    The hacking into or hijacking of the target’s online accounts, laptop, or smartphone camera to track or record the victim’s movements and activity.(4)  

    Spyware: The threat of Pegasus and Predator

    In recent years, Spyware has emerged as a significant concern, enabling covert access to information on target computer systems or devices. Predator and Pegasus are prominent spyware programs capable of clandestinely infiltrating mobile phones and other devices running Android and iOS, exploiting the latest mobile operating systems. Journalists, politicians, government officials, chief executives, and directors are often targeted.  

    Notable Incidents:

    • In 2019, Amnesty International documented network injection attacks in Morocco, infecting human rights defenders and journalists with NSO Group’s Pegasus spyware.
    • In 2021, Egyptian exiled politician Ayman Nour and an anonymous news program host were hacked with Predator spyware developed by Cytrox.
    • In 2023, the Predator Files global investigation revealed the widespread use of surveillance technologies and government failures in regulation.
    • The Citizen Lab reported a similar system targeting a political opposition figure in Egypt with Intellexa’s Predator spyware in September 2023.
    • As of 2024, 11 nations, including Angola, Armenia, Botswana, Egypt, Indonesia, Kazakhstan, Mongolia, Oman, the Philippines, Saudi Arabia, and Trinidad and Tobago, are suspected Predator customers.  

    Protective measures:  

    Amnesty International has developed some practical guidance for individuals who may be at risk of these digital attacks:

    • Keep your web browser and mobile operating system software updated to mitigate security vulnerabilities.
    • Enable the enhanced security “Lockdown Mode” on Apple devices to increase resistance against compromise.
    • Use a reputable VPN provider to enhance privacy and prevent surveillance from ISPs or governments.
    • Utilise features like Signal’s “Relay Call” mode to obscure metadata and reduce exposure to network attacks.
    • Employ disappearing messages and regular device restarts to minimize exposure to spyware infections.
    • Seek expert assistance if you receive warnings of state-sponsored attacks to assess ongoing risks for your accounts or devices.

    If you are concerned about an attack or have been attacked, reach out to Amnesty’s Security Lab at securitylab.amnesty.org for assistance.

    International law and standards

    The rights to privacy and gender equality are interlinked, with digital security attacks targeting women journalists being incidences of gender-based violence and discrimination.(5) International law also protects against both unlawful and arbitrary interference and interceptions of telephonic, telegraphic, and other forms of communication, such as the interception of personal communication are prohibited.(6)

    Doxxing is an example of a privacy violation that also has various rights:

    • Privacy: Frequently used to abuse, intimidate, and silence, women journalists. In instances in which a perpetrator retrieves and discloses personal information and data to the public with “malicious intent,” is a “clear violation of the right to privacy.”(7) Privacy is protected by Article 17 of the ICCPR and is found in regional instruments such as the Malabo Convention(8) which, under Chapter II, protects personal data and calls on States Parties to “punish any violation of privacy.”(9)
    • Freedom of expression: PEN America notes that doxxing, through the use of “harassment, intimidation, extortion, stalking or identity theft,”(10) is used to silence and shame journalists and malign their reputation and character, leading to its identification as a “global threat to journalists.”(11)
    • Media freedom: Further, doxxing can be used as a tactic by perpetrators to lift the veil of digital anonymity for journalists working in critical environments or using pseudonyms to protect their online identity, which is central to media freedom. Concerningly, doxxing also increases the threat for “at-risk confidential sources”(12) and can place the families of journalists in a vulnerable situation, making them inadvertent targets as well.(13)
    • Data protection: Under international law, illegally obtaining and releasing journalists’ private information, or confidential information that is not in the public domain, amounts to an infringement of their right to privacy, including the right to informational privacy (also known as data protection).

    National laws

    Several countries within the SSA region have passed data protection legislation in recent years that seeks to provide redress for victims of privacy violations in the online and offline realms, in addition to the more generalised anti-harassment laws discussed above.

    The state of privacy and data protection in Africa

    Dataprotection.africa is an online platform that maps the state of data protection legislation in all 55 AU-recognised countries. It highlights that 36 countries currently have laws in place, while a further three and considering draft bills.  

    Most recently, Nigeria signed the Data Protection Act into law in 2023(14) and Tanzania’s Personal Data Protection Act came into effect in May 2023.(15)  

    Some countries also have relevant provisions in their Cybercrimes legislation. For example, section 17 of Kenya’s Computer Misuse and Cybercrimes Act, 2018 criminalises the “unauthorised interception” of data to or from a computer system over a telecommunication system.(16)  

    Concerningly, many SSA countries do not have holistic legal frameworks to combat and prevent doxxing and cyberstalking. As such, “depending on the jurisdiction in which it took place… [they] may be prosecuted under the legal provisions relating to violation of privacy or harassment.”(17)

    Affected journalists can seek redress via civil and criminal law, especially where the perpetrators can be clearly identified and where personal information not in the public domain was illegally obtained.(18) As discussed in the case below, doxxing cases can also be raised in the context of the right to freedom of the press and the importance of the role of the mass media in a democratic society.

    Case note: Litigating ‘Doxxing’ against Journalists

    The South African case of Brown v Economic Freedom Fighters, related to journalist Karima Brown, who was subjected to an extended and severe doxxing attack following the public and unauthorised disclosure of Brown’s personal cellular telephone number on Twitter by a prominent political leader, Julius Malema of the Economic Freedom Fighters (EFF). This was ostensibly as punishment for her erroneously sending a message to the political party’s WhatsApp group.  

    As a result, Brown began to receive threatening and “graphic messages on social media as well as her phone through voice and WhatsApp messages, many threatening rape and murder” and many with deeply charged racial connotations. Colleagues who came to her defence online were likewise subjected to a torrent of online abuse and harassment.(19)  

    Brown lodged an application before the High Court of South Africa in 2019 founded on the obligations of political parties and their leaders under the Electoral Code of Conduct. The High Court observed that the threats fell “well within the ambit of being harassing, intimidatory, hazardous and threatening” and that Mr Malema and the EFF had failed to properly discharge their obligations under the Electoral Act by failing to issue specific instructions to EFF supporters to stop intimidating or threatening Brown.(20)  

    Footnotes

    1. UNSR on VAW Report on online violence above n 5. Back
    2. Amnesty International, ‘What is online violence and abuse against women?’, 20 November 2017 (accessible at https://www.amnesty.org/en/latest/campaigns/2017/11/what-is-online-violence-and-abuse-against-women/). Back
    3. Pen America above n 21. Back
    4. Sheri Gordon, ‘What Is Cyberstalking?’, 16 August 2021 (accessible at https://www.verywellmind.com/what-is-cyberstalking-5181466) Back
    5. UNHRC ‘Report of the Special Rapporteur on the right to privacy’, (2020) at para 19(e) (accessible at https://documents-dds-ny.un.org/doc/UNDOC/GEN/G20/071/66/PDF/G2007166.pdf?OpenElement). Back
    6. UNHRC, ‘CCPR General Comment No. 16: Article 17 (Right to Privacy), The Right to Respect of Privacy, Family, Home and Correspondence, and Protection of Honour and Reputation’ (accessible at https://www.refworld.org/docid/453883f922.html). Back
    7. UNSR on VAW Report on online violence above n 5. Back
    8. Media Defence, ‘Module 4: Data Privacy and Data Protection’, (2020) (accessible at https://www.mediadefence.org/ereader/wp-content/uploads/sites/2/2020/12/Module-4-Data-privacy-and-data-protection.pdf). Back
    9. Id. Back
    10. Pen America above n 21. Back
    11. Kathrine Huntington, ‘Journalism in the Age of Doxxing’, 2020 (accessible at https://cedar.wwu.edu/cgi/viewcontent.cgi?article=1632&context=scholwk). Back
    12. UNESCO ‘The Chilling’ above n 6. Back
    13. Pen America ‘Protecting from Doxing’ (accessible at https://onlineharassmentfieldmanual.pen.org/protecting-information-from-doxing/). Back
    14. DPA, ‘Nigeria: President Bola Tinubu signs the Nigeria Data Protection Act 2023 into law,’ (2023) (accessible at https://dataprotection.africa/nigeria-president-bola-tinubu-signs-the-nigeria-data-protection-act-2023-into-law/). Back
    15. DPA, ‘Tanzania: Personal Data Protection Act comes into effect,’ (2023) (accessible at https://dataprotection.africa/tanzania-personal-data-protection-act-comes-into-effect/). Back
    16. The Computer Misuse and Cybercrimes Act, No. 5 of 2018 (accessible at http://kenyalaw.org:8181/exist/kenyalex/actview.xql?actid=No. 5 of 2018). Back
    17. Safety of Journalists ‘Practical and legal tools to protect the safety of journalists’ (accessible at https://safetyofjournalists.trust.org/). Back
    18. For more case law regarding doxing and cyberstalking affecting journalists in jurisdictions including Australia, Finland, France, Singapore, amongst others, see: The Law Library of Congress, ‘Laws protecting journalists from online harassment’ (2019) (accessible at https://www.loc.gov/item/2019713411/). For other online harassment cases, see: Pen America, ‘Online Harassment Case Studies’ (accessible at https://onlineharassmentfieldmanual.pen.org/online-harassment-case-studies/). Back
    19. CPJ, ‘South African journalist doxxed by Economic Freedom Fighters leader, threatened’, (2019) (accessible at https://cpj.org/2019/03/south-african-journalist-doxxed-by-economic-freedo/). Back
    20. High Court of South Africa, Gauteng Division, Case No. 14686/2019 (accessible at http://www.saflii.org/za/cases/ZAGPJHC/2019/166.html). Back