Africa under surveillance: Digital espionage and political control

In the space of a decade, a layer of control has been discreetly added to African networks: urban cameras, interception boxes on operators' premises and spyware capable of turning a telephone into a microphone. Supplied by foreign companies and presented as tools against crime, these devices are also used to monitor opponents, journalists and activists. Africa is not an exception, but a laboratory where security ambitions, industrial interests and institutional fragility intertwine. Following the chain, from foreign supplier to local public user, sheds light on the immediate risks to freedoms.

The "Safe City" programs popularized by Huawei are a showcase for this transformation. In Nairobi, almost two thousand cameras, plate recognition and secure links supply the police; in Abidjan, around a thousand cameras are integrated into traffic and emergency management. Designed for early warning, these architectures also enable facial searches, crowd tracking and coupling with biometric databases. In states with weak safeguards, the line between urban security and social control is tenuous: the crux of the problem is data governance: who accesses, who decides, who audits, who deletes. The public's main concern is the promise of efficiency, much less the accumulation of data and the risks of misuse.

Use for partisan purposes is not hypothetical. In 2019, a Wall Street Journal investigation claimed that Huawei technicians in Uganda and Zambia had helped services hack into opponents' accounts and e-mail accounts; the governments concerned, and the company categorically denied this. Regardless of the outcome of these accusations, the episode highlighted a structural fact: when the same provider installs, maintains and trains mass surveillance systems, the risk of alignment between security infrastructures and political objectives increases, especially in the absence of independent control bodies.

When it comes to individualized targeting, spyware "mercenaries" dominate. The Pegasus Project, coordinated by Forbidden Stories and Amnesty, documented the use of NSO Group's tool against journalists and opponents in Morocco; French officials were even among the potential targets. In 2024, new analyses questioned the use of Pegasus against Rwandan opponents. In Togo, Reporters Without Borders found traces of Pegasus on the phones of two journalists. In Egypt, experts attributed a high level of confidence to attempts to infect a former parliamentary candidate with Predator (Cytrox/Intellexa). This market privatizes capabilities once reserved for the secret services.

Alongside these active implants, the ecosystem includes network access technologies. Circles (affiliated to NSO) markets platforms exploiting the SS7 protocol to locate and, in some cases, intercept calls and SMS without touching terminals; independent mapping has identified customers in southern and eastern Africa. Widespread compulsory registration of SIM cards, sometimes with biometrics, reinforces traceability: the correlation between identities, numbers and movements makes it easier to track an opponent, map a militant network or hinder the work of a journalist, particularly when the authorities combine identification data, cameras and telecoms metadata.

The law is making progress, but the security exception remains the norm. The Malabo Convention, which came into force in 2023, lays a continental foundation; its effect depends on actual ratifications and transpositions. Kenya (2019), Nigeria (2023) and South Africa (POPIA) have adopted data protection laws, but with broad exemptions for national security and law enforcement. In 2021, the South African Constitutional Court declared mass interception carried out without safeguards illegal, revealing the gap between administrative practices and constitutional requirements. In many countries, protection authorities lack independence, budgets and investigative powers.

Supplier liability is also on the rise. In 2021, Washington blacklisted NSO Group, restricting its access to American components and services. In the same year, the European Union revised its regulations on "dual use" goods and, in 2024, published guidelines imposing increased due diligence on the export of cyber-surveillance technologies. In France, the Amesys/Nexa affair illustrates the criminal exposure of vendors: the company and several executives have been indicted for complicity in acts of torture, following the sale of eavesdropping systems to Gaddafi's Libya and then to Egypt. These signals will only change the situation if they are followed by effective controls and dissuasive sanctions.

The challenge now is to install credible safeguards. On the government side: procurement transparency (publication of contracts and impact assessments), individualized judicial authorizations, parliamentary controls and independent technical audits. On the supplier side: enforceable human rights clauses, tamper-proof circuit-breaking and logging, obligation to suspend or deactivate in the event of documented abuse. On the civil society side: increasing forensic expertise, strategic litigation and support for targeted newsrooms. Security is legitimate, but without standards, transparency and accountability, the techno-security temptation transforms cities and networks into surveillance machines. Africa's digital sovereignty will be measured less by the density of cameras than by the ability to protect critical voices and, at last, to supervise a shadowy industry.