It is the worst thing to experience; except you do not experience it at all. Well, at least first-hand. Not that such an outcome cushions what is by all accounts a sledgehammer blow. In the glow of an inescapable comparison, one easily comes to the conclusion that its works bear an ineluctable and intentional resemblance to those of a malignant cancer.
This spyware silently infiltrates gadgets, leaving a trail of devastation. Unbeknownst to the gadget owner, the spyware gains access to messages, the camera, the microphone, and the like. Such is the scale of the damage caused by hacking software that once it has wormed its way on your gadget it can, without you noticing, turn it into a 24-hour surveillance device.
So how did Uganda develop what is by any measure a gargantuan appetite for spyware technology that threatens democracy?
The air of sophistication and invasiveness that surveillance software like Pegasus carry awe as much as boggle the mind. In recent years, Ugandans have accustomed their eyes to revelations about digital intrusions occasioned by Pegasus. The general consensus is that no-one is immune to attack vectors surreptitiously being installed on their devices. It was at the backend of 2021 when twin messages flicked on the screens of scores of US diplomatic staff in Uganda. Warning that “state-sponsored attackers are trying to remotely compromise the iPhone associated with your Apple ID”, the candour and sensitivity of the message gave it an uneasy relatability. Sure enough, the US diplomats had heard about the military-grade surveillance suite before. But to think that government functionaries in Uganda would have the brazen assurance to use the controversial software sold by NSO Group—an Israeli cyber-weapons company—to hack their iPhones stretched credulity.
This, however, did not stretch the limits of what can be considered possible as the hard evidence the US diplomats were confronted with proved. It would come to light that in 2019 the Government of Uganda (GoU) spent north of UGX35bn to get its hands on the military-grade surveillance suite. Documents that the Financial Times accessed in 2021 show that President Yoweri Museveni’s son, Gen Muhoozi Kainerugaba, brokered the deal that also involved Shalev Hulio, the co-founder and chief executive of NSO Group. To get a sense of why the GoU spends princely sums of money to surveil people, often in ways that violate fundamental human rights enshrined in not just the country’s constitution but also international conventions, and domestic laws, the 2025 Cyber-Security and Cyber Terrorism Awareness Workshop offers some answers. It was organised by the Eastern Africa Standby Force (EASF) and hosted by the GoU in Uganda’s capital, Kampala, from 17-21 November, 2025.
While opening the workshop, Brigadier General David Gonyi, Chief of Staff of the Uganda Air Force, said ICT-related terror financing, legal frameworks, digital forensics, threat intelligence, infrastructure protection as well as data security and cooperation necessitated the nine countries that contribute to the EASF to think and talk in lockstep. “While this technological advancement offers immense opportunities, it also presents new risks that we as a community must confront, not as an individual, but together as a region.”
How have laws in Uganda contributed to the normalisation of use of surveillance tools, including commercial spyware?
In Uganda, the panoptic real-time surveillance of the private lives of independent journalists, opposition politicians, activists, and even diplomats is made possible by a string of draconian laws. The laws in question fail to give sufficient weight to the ambiguities that arise in deciding questions around either rights protections or independent oversight. The rights-violating surveillance laws nevertheless embolden insofar as using—even abusing—spyware for law enforcement and national security purposes.
Observers pay ardent attention to seven laws that have expanded surveillance’s reach, depth, and impact in the East African nation. It allows the state to spy on perceived external enemies and internal dissidents with a predatory ruthlessness. The rights-violating surveillance laws are: (1) Regulation of Interception of Communication Act, 2010; (2) The Computer Misuse (Amendment) Act, 2022; (3) Anti-Terrorism (Amendment) Act, 2022; (4) The National Information Technology Authority, Uganda Act, 2009; (5) The Uganda Communications (Amendment) Act, 2017; (6) The Electronic Signatures Act, 2011; (7) The Electronic Transactions Act, 2011.
The common threads that run through the rights-violating surveillance laws are interception of gadgets, social media monitoring, and public space surveillance.
What makes the Anti-Terrorism Act qualify as a piece of legislation that illegally undermines the rights of those under surveillance?
Speaking to national security threats, the law, first enacted in 2002, prescribes—in Section 19—interception of telegraph and telephone communications via wiretapping as well as offline and digital surveillance together with attendant stake-out activities like taking photographs. This comes against the backdrop of Section 8 that criminalises abetting terrorism and Section 9 that makes it an offence to publish information that can be connected to terrorism. In Section 10, the interior minister is handed the authority to designate anyone a terrorist suspect.
How about the Regulation of Interception of Communication Act?
Augmenting the Anti-Terrorism Act more than anything else, this legislation makes it possible to automate the interception and analysis of mobile and internet traffic using, discloses Section 8, “hardware and software facilities and devices.” The labours of a monitoring centre that Section 3 establishes are made that much easier by provisions in Section 9 that make the registration of SIM cards mandatory. Moreover Section 11 makes the telecommunication service of telcos susceptible to interception. In so doing, the security minister and law enforcement agencies are given the all clear to—with a warrant from a judge—intercept private conversations on digital devices. The threshold for securing the aforesaid warrant mentioned in Section 4 is kept astonishingly low in Section 5.
What are the eyebrow-raising provisions in the Electronic Signatures Act?
Section 88 of the law gives the police “unlimited access to computerised data” for law enforcement and national security purposes. If activities are either considered as subversive or framed as national security threats the police has sweeping powers to compel suspects to furnish its officers with “necessary password[s], encryption code[s], decryption code[s], software or hardware and any other means required to enable comprehension of computerised data.” Further testament to the expansion of rights-violating surveillance can be found in Section 91 that gives police officers unfettered access to records, accounts, and identification documents if suspicions loom suffocatingly large.
How does the Uganda Communications (Amendment) Act cross the surveillance rubicon?
The law, first enacted in 2013, wills the Uganda Communications Commission (UCC) into existence, with Section 5 casting in stone its roles that include monitoring, inspecting, licensing, supervising, controlling, and regulating communication services. Section 5(u), for one, delivers an exceptionally strong mandate insofar as the establishment of “an intelligent network monitoring system to monitor traffic, revenue and quality of service of operators” is concerned. It is on this basis that the UCC set up the social media monitoring centre as well as the interception of communication monitoring centre to monitor multiple data formats of citizen agencies. The legal provision has also been used to block social media access during times when widespread dissent is anticipated.
Why does the National Information Technology Authority, Uganda Act pique interest?
The pervasive surveillance in Uganda that is eroding citizen rights and agency is anchored in this piece of legislation. It established the National Information Technology Authority, Uganda (NITA-U), an autonomous statutory body that—with the backing of Section 5(c)—reduces to the basest level and desecrates citizens’ right to privacy. The legal provision gives NITA-U leeway “to co-ordinate, supervise and monitor the utilisation of information technology in the public and private sectors.” While the ambiguity of “utilisation” in that particular clause resists specificity, Section 5(d) is bold without shame. It gives NITA-U carte blanche “to regulate and enforce standards for information technology hardware and software equipment procurement in all Government Ministries, departments, agencies and parastatals.” Simply put, it normalises state surveillance of GoU employees.” NITA-U is also given the green light to set up, or be it in a vague way, a national databank in subsection ‘e’, with the effect of subsection ‘f’ being the policing of Internet content. To cap things, sections 19, 20, 21 give the Minister of ICT and National Guidance wide-ranging powers that have often come with a dizzying pace of misconduct and abuse.
Does the Computer Misuse (Amendment) Act’s reputation precede it?
In its attempt to define and punish so-called computer misuse offences, the draconian law, first enacted in 2011, devotes sections to cyber harassment (24), cyber stalking (25), and misuse of social media (29) to ramp up surveillance capabilities that perhaps unintentionally but not unsuccessfully, limit citizen agency. A person is to be found guilty of cyber harassment, says the law, if a computer is used to, firstly, make sure “any request, suggestion or proposal which is obscene, lewd, lascivious or indecent”; and, secondly, threaten “to inflict injury or physical harm to the person or property of any person.” There is a power dynamic to this, with the legislation frowning upon the ruled who dare to speak ‘irrelevantly’ to their rulers as indeed the likes of Stella Nyanzi and Tom Voltaire Okwalinga (TVO) have previously done. And, perhaps, continue to do. Similarly, provisions on misuse of social media shrink civic space while also precluding citizen agency from actively contributing to political discourse.
How about the Electronic Transactions Act?
The surveillance practices that the Electronic Signatures Act, 2011 provides for in the name of security facilitation and regulation of electronic communications as well as transactions often choose power interests over citizen agency. For instance, Internet Service Providers (ISPs) are empowered to remove, block or bar users from gaining access to any content.