The first episode in the new series of The Communications Risk Show discusses real-life examples of corruption affecting the electronic communications industry and what should be done to tackle it. Kenyan business advisor Joseph Nderitu speaks about his first-hand experience as a victim of government corruption whilst he was working for Vodacom Tanzania, as well as sharing his views on how to attain the correct balance between regulation and private enterprise.
Sossina Tafari, a US-based consultant who advises countries on how to regulate the communications sector, also discusses the pursuit of fair regulatory regimes that serve the interests of ordinary customers as well as governments and telcos.
Topical news items were also debated by the show’s three regular presenters, industry analyst Ed Finegold, senior risk executive Lee Scargall, and the Editor of Commsrisk, Eric Priezkalns.
Transcript (auto-generated)
Hi, I'm Eric Priezkalns, and this is The Communications Risk Show, the live-streaming conversation show produced by Commsrisk in collaboration with the risk and assurance group RAG. Every Wednesday, we talk to risk experts from around the world about joint communications, and we broadcast live so you can also join in the conversation, submitting questions and observations as we go along. Now, you can ask a question during the show by typing it into the box immediately beneath the streaming window on our website at tv.commsrisk.com. Messages on the website are anonymous, so write your name into the message window if you want me to read it out. Now, we do respect your privacy, which is why we don't collect your personal data, but it is nice to know who's watching, so do include your name if you're not shy. Now, we're also streaming this show on LinkedIn. Feel free to leave a comment on LinkedIn, as a member of our team will also be keeping eye on comments over there, and we aim to respond to those as well. Today, we'll be talking about corruption and regulation in the telecom sector. Later on, we'll be having interviews with Joseph Nderitu, director at Kenyan consultancy Integrated Risk Services. Joseph will share his insights both as a business advisor, but also as somebody who's been personally the victim of an extortion racket run by Tanzania's government, and we'll be interviewing Sossina Tafari, a US-based consultant of African origin, who gives advice on the development of regulatory regimes for electronic communications. But now, let me introduce my co-hosts. Joining us, Ed Feingold joins us from Chicago in the USA. He's an author, analyst, and strategic advisor to tech and telecoms businesses. And coming to us loud and clear from Manamar, capital of Bahrain, Lee Scargall. Lee's career has seen him switching between executive management and freelance consulting roles for a wide variety of communications providers around the Middle East, Europe, Caribbean, and Asia. Ed, Lee, welcome. How are you both today? Doing pretty well. Happy to be here, Eric. Thanks for having me. Just doing our chat as we were getting started about what's been stolen more, phones or credit card numbers or vehicles. So, though I doubt the data, it was a lovely chat to get us started. Lee, you're looking forward to the show? I am, Eric. I'm doing well. Mustn't grumble. Mustn't grumble. Mustn't grumble. He's no longer in the mansion up north, but he's still in some kind of palatial apartment there in the Middle East. So, let's get straight into the first topic. Elon Musk. Is the man crazy like a fox or just playing crazy? His policy towards two-factor authentication led to him to switch off two-factor authentication by SMS for non-paying customers. The idea being to reduce expenditure on ATP SMS, which Musk said included $60 million of fraudulent SMS messages generated by bots that foreign telcos had set up just to generate income from Twitter. His actions been damned by a heck of a lot of the tech press. Ed, you're a writer on tech issues. Do you agree with the rest of the tech press that Musk has gone too far this time, that he's putting everyone's security in jeopardy? Or is there a good reason why he switched off these SMS messages? Yeah. I mean, it seems like a really misinformed discussion or public outcry. I don't want to go too far down that track because I'm not a sociologist and I don't fully understand where people feel like there's some sort of public trust in a private entity that they have an entitled right to controlling. There's a whole narrative about that that I don't understand. The part I do understand is SMS. I know that it's been a really bad crutch for years. It's constantly attacked. The fact that it's attacked in this way and costing a business like Twitter a lot of money, because it's this thing that's already been deprecated and is still abused. From a business perspective, it's hard for me to argue with the decision to say this is costing us money and it's not secure. This is dumb. Let's shut it off. Now, there's a missing piece to that though. If you're going to make a big, bold move like that, what are you replacing it with? To wrap it up, I mean, in that discussion about SMS is bad, what do we replace it with? There has not yet been a winning answer as an observer. I think that's a whole set of discussions that have shown itself that we can have. What should that winning answer be? Lee, what's your thoughts on this topic? Well, it's a pretty big claim that 390 telcos are artificially inflating traffic from these fake Twitter accounts. I'd like to see some more information about that before I could actually agree that it was the telcos doing it. He's not going to show you that. Be realistically. Come on. He's not. But, I mean, let's face it, there's plenty of players, right, in the A2P revenue chain, right, which they would also benefit from. They would benefit from the artificially inflating the traffic. So it's not just the telcos. But, you know, doesn't this fit with Elon's narrative that one, he kind of overpaid for Twitter because they wouldn't release information to him on the fake bot accounts? And two, you know, he needs to slash costs right now, right? So is he just simply cutting back on the security costs by removing two-factor authentication? But I would say, look, anybody who thinks that SMS OTPs being used for two-factor authentication, you know, is vital for security, then they need to get their heads tested. We've been saying this for a long time now, Eric. It's like it just isn't safe, right? There's lots of vulnerabilities in SS7, which we know. But people, they just share their OTP passwords, right? Either by entering it into a fake smishing website, right? Or they get called by some kind of government agency and they say, look, we just want to authenticate you. We're going to send you an OTP. They receive the OTP and they read it back, right? So it's not safe, right? What I'd personally like to see more is moving away into some type of invisible security that's done in the background. So things like binary SMS, silent SMS, flash calling. So I think that- Why are apps not good enough? Apps are great. You can do all of this with apps. You can do it with apps and that's fine. Let's do it with apps. Yeah. But the problem with that- And that way you could argue that Elon is pushing people to start using apps. So you could argue this is actually a win for security rather than holding on to the scratch. SMS is a children's type. It was never meant for security. We put more and more and more burden on SMS. And as a result, we're getting more and more and more SIM swaps. We're creating a nightmare scenario. And now we've got people driving around the streets of Paris with IMSI captures because IMSI capture is getting cheaper and cheaper. This is the best wake up call ever, surely, from Elon Musk. He's giving everybody now the excuse to start switching off SMS and forcing people to do something more sensible going forward. I mean, I see you nodding your head there, Ed. Yeah. I'm just agreeing with you. Whether you like Musk or not, this is kind of the way he does things. He kicks it. This is how I think it should be and I'm going to give it a good kick. It could be a completely wrong thing. In this case, though, I think you're right. I do think there's some method to the madness of looking at the literature and saying, yeah, OK, if I can have an influence on this, I'm going to. But going out and trying to explain that to people publicly, no one's been able to do that. So I'm just going to do it and people will grumble about it and then they'll get used to it as opposed to trying to explain to everyone this really complicated thing they don't understand. OK, well, thanks, guys. We've got a couple of comments coming in here from the viewers. So Timo says, cheers from Canada. Thank you, Timo. We knew you'd be a loyal viewer out there. And the comment here, who may well be somebody who works for KPM in the Netherlands, are saying flash calls will not be supported by KPM and a lot of other telcos. So there you go, Lee. KPM is saying they're not going to do what you want them to do, no matter how much you want them to do it. So we better look to look to other solutions. Now, after we'll come back to this topic in a moment, guys, because here's a message from our serious sponsors, Blue Gem. Blue Gem is a global provider of testing services for telecoms, government and software businesses, creating real events like calls, SMS and update sessions on real network devices, allowing Blue Gem to give you insights into a number of key areas such as roaming service assurance, product defects and customer experience management, billing accuracy, fraud detection and regulatory compliance. They can measure in precise detail how many data bytes are sent across mobile networks in order to provide a customer with a certain kind of service, such as video streaming or social media. And then they can reconcile what they find with the values used when billing customers. That's important, given that mobile data consumption is expected to exceed 900 million terabytes this year. Or suppose your business is planning a major platform migration. You don't want your customers to identify issues that you could have spotted first. Using Blue Gem's test services means you have the confidence that everything is running smoothly and error-free before the changeover affects your customers. Some businesses rely on internal testing, but a bespoke solution gives much more precise results, ensures a more comprehensive test plan and obviously saves a lot of work for your staff. So whether you want to ensure your customers are able to use 5G whilst running abroad, or you want to check how much data traffic is generated by a new device, or even if you just want to get CLI verification to tackle a sandbox fraud, then you should call upon the experienced team of specialists at Blue Gem. Back to the topical chat guys, and now I'd like to ask your opinions, and this includes again opinions from the audience, so keep on typing away at your keyboards out there. Your opinions on managing hacker threats and whether telcos are too passive. Now we've had some stories in the last few weeks, one of them originating from Brian Krebs, the well-known American security journalist. He's been monitoring hacker groups on Telegram that claim to breach the systems of T-Mobile US more than 100 times during 2022 in order to provide SIM swapping fraud as a paid service to criminal customers. Meanwhile, reporters from bleeping computer said source code and employee information for Canada's number two operator Telus was being sold on the hacker forum. Now clearly the perimeter walls of security are being breached repeatedly, but even journalists learn about hackers breaching security before telcos do. Should telcos be doing what the journalists are doing, going on to shady Telegram channels, the dark web, and places like this to identify criminals and their activity before the rest of the world is finding out about it and other criminals are taking advantage? Who wants to go first? Ed, would you like to take this one first? Yeah, there's a lot to unpack there, and so you might have to steer me here, Eric, in case I answered the wrong question or the wrong part of the question. But what you got me thinking about was like the difference between what should be done versus what resources will be expended, right, which again is kind of its whole own discussion. But if I step away from that for a second, yeah, I mean, I think the two things stood out to me as I've read about this. One is obviously like there's something missing in the defense. There's a defense in depth aspect to this that's missing, right, practically. Something's happening that these gaps can be exploited again and again and again. The other side of it, though, when you take the technical part off is more and more we see more imposter scams, more bribes, more people-to-people insider fraud driven types of things. And I almost feel like the more that I've studied what has been applied on the technology side, the more I have seen those types of scams emerge because they like they completely dodge the technical channel, or at least they make themselves look like what the technical thing wants them to look like. So they pass the checks and more often than not get through. And that's where it becomes, I think, hard for me to form an opinion or be critical about like, well, how do we solve that? How do you stop those types of attacks? And the reason I say that is because I think we all know like a lot of people who are professionals in this that work really hard to stop a lot of things. And then when you parse it out, there's a lot of different buckets of things to be stopped. And I don't like us to end up in a place where we're saying, oh, telcos and all the people that are involved in security or fraud or anything like this, you collectively are somehow missing this thing that got called out in the news. Like, okay, I don't want to go off on it, but there's a bigger picture here about like all of us living in the midst of a cyber war and all of us doing a lot to defend it. And are we properly equipped and properly resourced? So in that sense, I'm just trying to be fair to the people on the telco side. But I know I am, I am. And that's why I want to kind of come around with a hammer, which is to say that we've seen enough instances of data being stolen, customer data and employee data to drive phishing and robocalling. And we know that flow. So right there, just because like from a sensibility and like a visibility point of view, and you know who the experts are and what the data is and what's happening, like, yeah, I think it's time to prioritize those resources and stop it, put a stop to it. And there isn't an excuse anymore. Where's the liability side of it? Right. And which is another discussion. Now, Lee, you've been all over the world. Is it the same all over the world? Are we are we losing the war against the cyber criminals, this cyber war, because a lot of them are now state sponsored actors as well. Or are there places where they're putting up a better fight? Yeah, I mean, there's places where they are putting up better fights. But, you know, to go back to your question, you know, should it be part, you know, if they're not going on these shady websites and checking out what's available on there, then they should be. I mean, it's all part of open source intelligence or part of the OSINT or threat intelligence reports. I've always found it beneficial myself by going on these sites and checking out, you know, to try and gather intelligence on companies. I mean, it is really surprising what you can learn. And look, there's so much freely available hacking software out there that requires no coding ability, no IT experience. All you do is you just point these weapons towards a victim and it does it all for you. So tools like Kali Linux, Metasploit, these were actually primarily designed for like red teamers, but now they're being used by hackers to target companies. And it's just so easy to do. Now, you know, if you watch, I mean, you'd be horrified if you watch some of these YouTube channels that teach you how to use Metasploit or Kali Linux. And it's just so simple for anybody to do. And I would say if anybody's interested in getting into cybersecurity defense as a hobbyist, then you might want to start checking out David Bombal's site on his YouTube channel. Very interesting guests on there, very informative. And it just shows how easy it is to do this type of stuff. Well, I can't believe you're advertising somebody else's stuff before you add. We only just started doing our own series here. I hope advertisers are showing return. Apologies, guys need to keep the pace moving forward. So let me take this opportunity to share another one of our new weekly features on the show, the symmetry prism fact of the week, an interesting fact supplied by the team at Symmetry Solutions and their prism fraud intelligence service. The kind of people are going out there who are finding out what's happening out there, doing the kind of OSINT stuff Lee was talking about. Now this week's fact relates to the team at Symmetry and the work that they do. Over the course of 2022, they identified over 11,800,000 phone numbers advertised for sale to fraudsters. That is an average of 32,455 new phone numbers offered for sale to fraudsters each and every day of the year. So you might want to keep that kind of scale in mind when you next see somebody offer you a hot list of fraud numbers that includes no more than a few dozen ranges. Clearly a few dozen ranges isn't going to cut it if you want to keep up to speed with all the fraud numbers, all the numbers out there being used for fraud. My gosh, now let's get back to the chat. Guys, so many things to go through on our first episode here. I'm going to throw the first one over for you, Lee, so be warned. Topical subject, what should be the job of the International Telecommunication Union, the ITU, in the internet era and is the ITU competent to do it? And they gave me, I got a bit of a grump, I'll admit, last week with the ITU. Now if Elon Musk was on the web promising to use artificial intelligence to monitor communications networks to make countries more sustainable and to promote inclusion, and I think there'll be a million journalists and a million tweeters asking really hard questions about his motivations and whether he should be allowed to use artificial intelligence in that kind of way. However, when AI is being used to monitor African phone users, it seems like nobody in the ITU gives a damn about the risks. That was a takeaway from an ITU online summit called AI for Good, which last week featured Global Voice Group CEO James Claude. Now the thing with a business like Global Voice Group, GVG, proposing to do what they're doing is that if it was in a white country, we'd have the Gigi Sones and the Alexandria Ocasio-Cortez of the world banging on and on about the danger of surveillance capitalism, algorithms being used for racial profiling, all of this, and yet nobody's asking any hard questions at all about what GVG is doing, even though they've got a tremendously poor track record of breaking the law in African countries, collecting more data than they should be allowed to collect from African phone users. Is the ITU's attitude, this question for you Lee, a tough one, let's see what you've got to say about this one, is the ITU's attitude in this situation that they're not fit for purpose as a United Nations agency, or is it that nobody knows what their purpose is anymore? Because nobody seems to be dealing with the threats of network surveillance outside of those rich white countries, though we know that there'll be a big press and a big fuss about it if something happened there. Lee, what do you think? Well, it's not like you to be grumpy, Eric, is it really? Right? No, look, Eric, you know, I feel the same. I've never really understood the role of the ITU these days. Originally, they were established to standardize the Morse code alphabet, and standardize the international distress call. But these days, they seem to be more about access to telecommunication services in developing worlds. But look, you know, if we want to talk about the ITU, there's 3 billion people out there who don't have access to the internet. And if this is what they're trying to do, then they're not really doing a great job, are they? I think they're failing. But let's hear what Ed has to say about the ITU. You took me to a really, really obscure place here, Eric, in my mind that I don't have to share with you. Because you kind of took me into, like, standards organizations. And I was thinking about what Lee is saying about how an organization like the ITU being established to, you know, standardize something like Morse code, you know, something basic. And over time, you get layers and roots and abstractions and more and more pies that people are involved in, right, all that sort of thing. And that's not unique to ITU, right? That's unique to a lot of the organizations, certainly in the telecommunications industry, right, that deal with things like standards and that kind of thing. And so what's interesting is some of what we're talking about here is how the function of the group gets so abstracted from its original purpose that we don't know what the purpose is. And then we're turning around and saying, are they taking care of things that a group like this should be taking care of? And the answer very rapidly becomes no, right, for a whole laundry list of reasons, right? And I find that what I find frustrating about it, okay, actually, I would come back to the 5G story, right? These things are all interrelated. I'd come back to 5G and that it's like this technology and a standard that's always been seeking a use case and still is. And you can quite literally stand on a rooftop and shout, right, that this is about creating a cloud native platform and it's a different way of looking at the world and looking at networks and thinking very differently about technology, which has been proven, by the way, in the last decade or so, right? And people still come back to like, no, I'm going to define speeds and feeds. I'm still thinking about myself as a phone company and it's being reinforced inside of the halls of a standards organization. You see it again and again. And even when some of the technology that's exposed is like, hey, this new thing, a lot of times people still don't know what to do with it. And so if I translate that back to the ITU, like how much of that is going on with any of these issues, right? Where it's like, there are these real issues that need to be attended to. We turn to the group and say, you should be dealing with them. And what lens are they looking at those issues through? And do they even have the correct lens to be able to address the issues correctly, right? And over time, I think the answer has like for a long time, it's probably been no. And the stakes were not as high. The stakes got really high all of a sudden. Ransomware and the rise of imposter scams and like doing some research, looking at like the average amount of like an unauthorized or unauthorized push payment fraud, right? Real-time payment fraud. The average is now higher than like the average monthly income in a lot of countries. You're seeing those numbers go up and up and up. So something's not working. Do you feel any responsibility? Do you think that some of this is to do with the leadership of the United States of America, the new secretary general, of course, an American woman. And there are many countries that have had two secretary generals. So to have another American again is in itself a bit of a statement. And very clearly the Americans pushed very hard to have somebody in charge because they wanted to shut out the Chinese. They wanted to shut out what they saw as oppressive countries, oppressive governments who might well use networks for surveillance. And yet now I'm sat, you know, last week, I'm sat there listening to a guy who's blatantly talking about using AI to surveil Africans and no one cares. This is the art of, this is actually the ITU advertising them as if this is somehow a good thing. Is this a problem with American leadership that America's role in leading the world of telecommunications is too focused on American needs and not focused on what the rest of the world needs? Well, I mean, maybe even beyond that to your point. And I don't know if this is unique to the United States, but certainly like what you're referring to in the, it's more about whether I'm going to get my invite to Davos than it is about solving a problem. Absolutely. And you know, has like the US exported that culture? I don't know, maybe, but it's yeah, for sure. And I think the description that you're giving that says, why have American Americans on the political side been aggressive about wanting to lead something like the ITU? It's exactly for the reasons that you're discussing, right? They're geopolitical. Again, it's not about solving problems that come down to the individual level for sure. I mean, I absolutely agree with you on that point of view, but then it's like, who's the person that's in charge and what is their agenda? Right. And again, it's someone who's on the rise going through these rises and, you know, ladders of bureaucracy. Because again, like, I want my invite to Davos. What does that do for me? It's not about, maybe I'm incredibly cynical for saying that. I just don't feel like I'm saying anything people don't already know. We're all entitled to be cynical until we all get our invites to Davos. And at that point in time, we'll be totally fine with everything you say. That's fine with us. When we get invite, otherwise we'll slag you off. My father, Eric, used to call that first you get rich, then you get ethics, which was always a lesson that I, an ironic lesson that I took home. Well, we'll be holding you to it when you get richer. Now, on with the show. Yet another new regular weekly feature to share with everybody. Each week, Jeffrey Russ of Core Authentication, Fraud Prevention, and Geolocation Specialists One Root will take us around the world in our phone. This week, Jeffrey's destination is China. So production team, please roll VT. Hey everyone from One Root. I'm Jeffrey Ross, and this is the world in your phone. Let's talk about China. Did you know that the estimated population in China is over 1.4 billion people? 1.4 billion. It's going to take longer than the two minutes I have today to count that high. And with that many people, to us in the telecom world, means a whole lot of subscribers, and unfortunately, a whole lot of fraud. It's estimated that in 2019, around a billion dollars was lost to fraud. But the Chinese government passed a new law on December 1, 2022, the first ever anti telecom fraud law. It'll be interesting to see how this pans out and how well it is in its effectiveness against fraud. But with that, it also requires the telecommunications company to step up their game, increase security measures, and taking responsibility for fraud. Also, did you know that the Terracotta Warriors, the famous Terracotta Warriors, were found by farmers? In 1974, farmers unearthed these great statues that had sat underground for hundreds and hundreds of years. Also pretty interesting, China is attributed to inventing the compass, paper, gunpowder, and with gunpowder comes fireworks. Thanks, China. Be sure to subscribe to One Route on YouTube where you can catch up with all of our episodes and watch the One Route Roundup, where we spotlight individuals making a positive difference in the telecom industry. Now, all that being said, I'm going to pass it over to you, Eric. Cheers. Thanks, Jeffrey. Jeffrey will be back with One Route's World in Your Phone section next week, where he'll be talking about Ireland. Now let's introduce our main guest for today's show, Joseph Nderitu. Joseph is a director at Integrated Risk Services, a consulting business providing advice about corporate governance, forensic investigations, and business assurance to clients in Kenya and across East Africa. After developing his career as an auditor in Safaricom, Joseph went on to become a risk advisor to many of East Africa's leading telcos, including Barti Airtel and Vodacom Mozambique, before assuming the position of head of revenue assurance and fraud management at Vodacom Tanzania. Joseph's experience at the hands of the corrupt government of Tanzania will be the starting point for our conversation today. Hello, Joseph. Thank you for joining us on today's show. In your own words, please briefly tell the audience about what the Tanzanian government did to you and to several of your colleagues, including the CEO of Vodacom Tanzania, whilst you're working for that company on a contract. Hello, Eric, and happy to be on the show. Thanks a lot for the invitation. So what happened is, happened in 2019, April, I was working as head of revenue assurance for Vodacom Tanzania, and a week before the incident that we are talking about happened, there had been contact from the government to help for us, Vodacom, to help them with an investigation, or rather to help the Tanzanian Communications Regulatory Authority with an investigation in a suspected case of grey route traffic being passed through the PABX of one of Vodacom clients. So we did provide all the data regarding that case. And subsequent to that, we heard that the government had decided to, to launch charges against that client. Now, one week later, though, we, myself, the Vodacom managing director, the chief of legal, the head of sales, and the account manager for that account, were all arrested, or rather, we were invited to make a statement at the police station. And we showed up, gave the same information that we had given. And at the end of the interrogation, the officer who was in charge informed us that we were being charged with economic crimes, and that because economic crimes are non-bailable, we were not going to go home. So it turned all in a matter of hours. We actually reported to the police station about 2pm, and by 7pm, we were behind a locked doors at the police station. Maybe just for the viewers to understand, the economic crimes act of Tanzania is structured in a way that you don't find the principles of law being applied. So normally, if you sue a company, or if there's a wrongdoing on the part of a company, we treat a company as a legal person, and you sue the company. And then unless you are actually able to identify that the individuals, the principal officers are behind it in an individual capacity, it's only when you go for them. But the economic crimes act of Tanzania, which was in use, and is still in use at the moment, specified that the principal executives of the company are to be held personally responsible if the company is found to have done anything wrong. So it's a very convenient situation in terms of shifting the responsibility onto individuals who are not really in a position to defend themselves, Joseph. Exactly, and it's a very nice way to leverage on what the government was doing, which is where we bring in the corruption angle. What was happening in the political scene of Tanzania at the time, is that the government of President Magufuli had really fallen out of favour with the international community, was facing a lot of internal opposition. There was a lot of opposition politics going on, holding them to account because of human rights. There were cases of forced disappearances of government critics, arrests of media persons, and so the flow of funding was being cut. The President had also made it a habit to really talk ill of the West and say that, you know, the mining companies and the telecom companies and the multinationals that were operating in Tanzania were responsible for impoverishing the people. Unfortunately, the opposition was seeing through that, and they were calling out the excesses of his regime, especially the expenditure that he was using on a lot of infrastructure projects, and where he had actually appointed some of his close friends. So there was a lot of pressure on him, and he needed to raise the funds and also show the people that in fact he was fighting for them. There was an election coming, he was facing an election in two years time, and he needed also to raise the funds. So what then he did was to leverage the Economic Crimes Act to go after very many companies. So the Volcom case is very well known because it's a major company, but he had actually gone after all the other telecom companies, each by its own time, and extorted amounts because once you get the managing director and a few executives in jail, then regardless of whether the company is innocent or whether the individuals are innocent, they are going to have to come to the table to name them, they are going to have to come to the table to negotiate. You cost distress to them, you cost distress to their families, you cost distress to their colleagues in the office, and therefore you can then un-twist them into pain. So it was nothing, it was a script that had been running, it's just that the Volcom case is very well known because it was a major company and there was quite a bit of attention on it. And it wasn't, as you say, it wasn't alone. The Vietnamese telecoms company, Viettel, had a subsidiary in Tanzania and they'd been stung several times by exactly the same extortion racket. I also seem to recall that a smaller Tanzanian telco, the chief officers of that company were in prison for literally years because the case never came to court. The people were on bail, no evidence was ever presented, they were just being held pending a court case, pending a court case, but really in reality being held pending, paying the amount that the government wanted to extort from them, and they were just going to be held indefinitely in prison. And you were in the same situation, were you not chosen? Yeah, precisely. I think you raise a very important case. You're referring to the case of Sixtelcom. So Sixtelcom, what happened is once the directors were arrested, they did not choose to negotiate. So they refused to cave in and they say they are going to fight the case in court because they were insisting, you know, we're innocent and you have not adduced any evidence to show that we did what you're claiming we did. So the government then, you know, first of all, the law is on the side of the government because you can't go home, so you're held in remand. And then secondly, the independence of the judiciary is not much to talk about there. So the prosecutor just goes to court every week and says we have not completed the investigation. However, these are economic crimes and the people, they are not entitled to bail, and therefore you just go back to prison. Incidentally, I had the chance to meet one of the directors at Keiko Prison where he was being held, and he told me he's not going to pay. If he's going to die in prison, that's the price that he's going to pay. And I say, you know, more power to the man. I didn't have, I didn't have that type of courage to face up to the government in such a way, but you do get the feel of how things were going to play out. So when you look at something like that, you then know that if you decide to fight the case and not to pay up, then that's the fate that you're looking at. And so you're being held in prison, a prison that's holding people like murderers. You're being held with no real knowledge of when your case will be come to court. You know that you could be in prison for years if Vodacom doesn't choose to negotiate with the government. What's going through your mind when you're in prison in a situation like that, Joseph? Yeah, I think the first few days, you know, you are in a lot of disbelief. You don't, I don't think for the first two or three days I had processed what had happened. There's that feeling of, you know, is this a dream? Is this really happening? Because how do you wake up on a fine Tuesday morning and go to the office? And, you know, you don't see your, you don't see your desk, your office desk job ending in prison. I mean, it's not a hazard you face. I mean, you know, before the show we were talking about, with you about some of the hazards of activities that we engage in. I love cycling, so I know that one day I may fall off my bike or, you know, one day I may go for a walk and something happened, I sprained my uncle, something that, you know, those are hazards that, that you know, you encounter as part of your life. Going to prison as a revenue assurance professional is not something that you, you ever think of. In fact, since I was also working in fraud management, you know, prison and, and dealing with the law are things that happen when I, I catch people doing the wrong thing, you know, that, that then as, as I may advise the company to make a complaint against a person or make a complaint against a fraudster. So it's not something that you actually process, but after two or three days, then I realized that, you know, once you, you start talking to the people in prison and there were a lot of people who are there because of economic crimes. And that's what I keep saying. The Vodacom case is well known because it's a big company, but there are a lot of people who are actually going through a lot of things. So small businesses, medium and small enterprises. And you realize that this is how it's happening and you are part of it and there's only two ways for you to get out. I mean, it's either you remain in or the company pays. So, you know, there's no question here. It's corruption, it's government corruption, neither you nor your colleagues did anything wrong. Even if the, even if the case had any substance, which it didn't, we're talking about putting you, putting the CEO, putting a whole bunch of other people from Vodacom Tanzania in a prison with murderers about a case, which on the face of it is about whether some little company was using VoIP to make some phone calls across the border without permission. So, it's completely out of any kind of reasonable bounds of the response. The reason to punish you is not because they think this is a serious crime. The reason to punish you is because you work for Vodacom Tanzania and therefore Vodacom being a big international group, they're assuming that Vodacom will pay up and stump up the money to get you out. So, please tell us Joseph, how did the situation resolve in the end? Yeah. So, just to touch on what you've just said. So, the reason behind it was, I say Magufuli, the president, he painted himself into a corner. He had created this narrative that multinational companies have been impoverishing the people. And to cover his own excesses, he had to present, you know, these cases and show how serious he was in terms of fighting these companies that were impoverishing the people. And that's the script that he repeated on a lot of companies. But back to the point on how this all ended. So, after about eight days in prison, there had been a lot of negotiations with Vodacom management and Vodafone management. They went, they met with the prosecutor. The prosecutor was, of course, adamant that it's either you pay the money that we are claiming that through your actions, through the actions of your people we lost, or they stay in. And he's told them, I'm going to put in their files the certificate of objection to bail. So, once that goes into a file, then the magistrate really can never release you for that. So, afterwards, we were then, when the agreement, I mean, I call it an agreement, but, you know, when the company had no other option but to pay and said, yeah, we're going to process the payment, we quickly were taken to the court. The charge sheet was read to us. We were forced to plead that we did that. And then we were held in the court cells. And as soon as the wiring of the money was done, we were free to go. Our passports were returned to us. We were never fingerprinted. And to the best knowledge I have, they don't even have any, you know, entry of criminal record in the court registry for us in terms of that. So, it really was about the money, $2.5 million, they got in a nice, clean afternoon. Now, Eric, if I could just say, afterwards, just this year, 2023, February, we realize the new president who took over after Magufuli's death reveals that, in fact, all the money that was being collected, or rather, most of the money that was being collected as part of those plea bargains cannot be accounted for by the director of public prosecutions. And she says that, in fact, there is an account in China which was held in the name of one of Magufuli's confidants that was actually being used to transfer that money once it was transferred into the government of Tanzania account. And they actually expected a report, March 2023, so this month, end of this month, they are doing a review to just confirm what happened. So, again, you know, it just shows you, this was a plot to get a slash fund, and I think that slash fund was really about funding the elections, which, again, the elections were very much rigged and in terms of the democratic space in Tanzania really shrunk as part of those elections. So, yeah, a true case of corruption and making people who work for telecoms pay with their own personal liberty so that the government can appear to be fighting corruption. I think that's really the true meaning of corruption. You use the corruption fight to commit corruption. I mean, I couldn't get it more twisted than that. I'm so sorry that you had to go through that, Joseph. And apologies also for being indelicate now, but it seems to me that the government of Tanzania, they weren't as satisfied with taking two and a half million dollars of FODA.com. They wanted to destroy the reputations of people involved. I recall that there being a lot of aggressive publicity around it, the use of TV cameras as if you, in some sense, had done anything wrong. When you had no real court date, you were never able to put up a defense for what you were doing. And also, there was a lot of xenophobia, a lot of implying that foreigners cannot be trusted to work in Tanzania and that foreigners, including a Kenyan like yourself, are the root of a lot of evil in Tanzania. Now, President John Magufuli, he applied this same extortion racket, pretending to be fighting corruption against other companies. He got his own just desserts. In the end, he was a COVID denier who said vaccines were dangerous because they were produced by foreigners and that prayer would defeat COVID in Tanzania. Well, of course, there was a lot of embarrassment when Magufuli was treated for COVID in a Kenyan hospital and that led his political supporters to deny those allegations, even though that occurred just before Magufuli's death. But let's step back one step. You've worked around East Africa, you're from Kenya, you've worked in a whole bunch of different countries. Was Tanzania's government under Magufuli especially warped? Or are there more widespread problems with telecoms being corrupted by governments elsewhere too? Yeah, so I think Tanzania's government was especially on an extreme level. So, I mean, there is corruption happening in a lot of African countries. Part of it, you know, driven by a company that you just mentioned in the previous segment, GVG. And so, and we'll probably talk a bit more about that. In terms of what Tanzania was doing, and Tanzania is a really fine country, very nice people, very hospitable, impoverished segments of the population because of mismanagement of the ruling party. But, you know, what was happening even before was not, it's not that there was, there was a, there was a system of systematic corruption under the previous government. What was there is that it was the normal, I would say normal, and I know when I say normal corruption, that's a misnomer in a way, but there was, there was the type of corruption that you find in a lot of African countries where, you know, single sourcing of certain products, kickbacks to government officials, you know, nepotism and things like that. So they were not, or rather the government of Tanzania previously was not anything special. What happened with Magufuli is that he painted himself as the Messiah, as the savior of the people. But then you start to continue doing, covering for the corrupt things that he was doing. I have seen the same in other countries. I've seen, I've been, I've worked in DRC as well, and I know, you know, there's a lot of, of regulatory interference, a lot of harassment of telco companies there, locking up offices every now and then, confiscating passports of executives who, who refuse to pay certain types of, you know, unjustified levies, which are not supported by the law. So that, that type of thing is happening a lot in Africa. But Tanzania took it a bit, a bit to another, to another level under Magufuli. And he was able to really make the people believe that it was all, all in their name and that it was for their good. And he created that perception that, you know, it's the foreigners who are responsible for a lot of bad things that have happened, for the poverty of the people. Whereas now that he's not here, the media that he had really crushed under his foot is now starting to reveal some of these things. I was reading the article that I mentioned that revealed what happened with the, with the funds that were collected as part of plea bargaining. That article now uses words like billions of Tanzania shillings that were squeezed from companies. During his time, the same media would never talk about something like that. What they were talking about, and I'm sure, Eric, you did go through a lot of this probably much more than I did in terms of what was published during the case. They were talking about the fine and they would talk about the economic crime sheet and they would just paraphrase what the government had said, but they would not talk about the extortion. There are now they're using words like squeezing the money. They're using words like slash funds. They're using words like personal accounts. And therefore, I think that's, that's what corruption does. It really debases all the systems of the country and places them towards that single objective where there is actually nobody who is safe. So everybody, the media, instead of actually doing what it's supposed to do, also kind of just tries to, to save its own scheme. Well, thank you for sharing all of that, Joseph. And you mentioned there the Democratic Republic of Congo, DRC too, where there's been some recent activity with head offices being shut down and paperwork being seized by the government, claiming that they're not getting enough tax money, receiving enough tax money from telcos. Lee, I want to bring you in here. You've worked all around the world, all sorts of countries. I think in the West, there's sometimes a perception that internet companies, they can work where they're like, they can do things, they can choose not to do things. Companies like Google get a lot of criticism for their compromise with demands placed upon them by governments like the Chinese government. But the internet ultimately arrests on physical infrastructure. And that has to be in a country, it has to be run by companies who are subject to the ruling regime in that country. Does that mean Lee, there will always be a degree of corruption in electronic communications, because there's always going to be corrupt governments? The short answer is no, not everybody gets into bed with a devil, right? So if you take Telenor as an example, they decided to leave Myanmar last year, when the military actually made them turn on some surveillance type technology. Now that would have put Telenor in violation of the EU, and also the Norwegian sanctions. So they actually ended up selling Telenor Myanmar to the M1 group, and they actually made a loss, it was a write down of about 750 million. So I don't think it applies to everybody. I think some people have some ethics. But you know, it, it can go both ways as well. I've seen it going the other way. Ed, now, we quite often turn to the USA and the US has some remarkable laws in place to try and stop corruption outside of its country. It's got a law that's called the Foreign Correct Practices Act, which is quite often used in all sorts of cases that aren't directly related to the USA. Thinking back to what we were talking about, the ITU, is it necessary for a country like the USA to step up and take the lead if we are going to reduce corruption in international telecoms? Good question. I think the world would benefit if that happened, and it was done competently. So there's a lot of caveats. My concern always with any country in the US, in particular, taking on the sort of policing role for everyone and being looked to, right, it's always kind of a rough spot to be in, because it's, the expectation is that you're going to do it and do it right. It's easy for everyone else to be a critic, right, and not want to take the leadership role. And in some ways, I would kind of say this is a, you know, this is a, you know, this is a US-centric or US-first problem, per se. You know, and if there's any aspect of US law or experience, that's a model for what's possible if you tamp down corruption in countries. And I think that's at least, I'll say as an entrepreneur, that that's helpful, because I work in the United States, I've built businesses for 25 years, and I have never been in a situation working in the United States, where it was expected that I would bribe someone, or expected that I had to give someone a kickback in order to get an opportunity, right, that I'm sure it happens here, but it isn't the baseline for doing business here in the United States. And so to be able to go be a small business owner or entrepreneur, that's a huge advantage. If you don't have an environment like that, right, if you're in a corrupt environment, it's got to be almost impossible to start a business, you know, and certainly without someone haranguing you, like the local mafioso who wants his beak wet, like in The Godfather, right, like I- Well, I mean, but, you know, I jump in here and just observe that the US does seem to like to levy some big fines. I mean, I don't agree with Erickson paying bribes in countries like Afghanistan, but it's not obvious to me that the US taxpayer has to be receiving $1 billion in an initial settlement, and then more recently, another $200 million. Why is the US taxpayer benefiting as a result of some Swedes doing some dodgy business in Afghanistan? I mean, it's a heck of a cash and carry window, like spectrum auctions and all these amazing things that are created and bought and sold and become economies of their own. I don't, I mean, I'm not an expert at this. I don't understand it, but I acknowledge the hypocrisy, right, of what you're calling out. But let me go back to what you said before. If the US, okay, just to play devil's advocate, if the US is going to be the police officer and going to be the one who's going to set the standard for what's expected in terms of corruption in business, there has to be some kind of enforcement. So yeah, you want us to be cops? Great. We're going to find the heck out of you. And it's going to pay into the US Treasury. Now, my dear wish as an American taxpayer is that those funds would be used responsibly. Wouldn't that be great? So that's where that argument falls apart. Okay. Well, we have another interview as well to share in today's show. So let's bring in somebody who I spoke to a few days ago, who has a different opinion about the quality of communications regulations. Sossina Tafari, a US-based consultant who advises various African regimes on how to regulate the communications sector. This is what Sossina had to say about obtaining the right balance between regulations, telcos, and ordinary phone users. Producer James, please run the VT. Is there an argument, do you ever support the idea that a telco should be able to take a regulator to court and defeat them in court if the regulators not exercise their powers correctly? Well, I come from a country that's capable of doing that. So I mean, I live in a country that's capable of doing that. So my initial reaction is yes. If a regulator has improperly accused a telco of breach, then the telco should be able to prove itself and it should be able to defend itself. And if they are at fault, they have to pay the penalty. I mean, that's the reason why we have penalties and sanctions in the regulatory documents. Would you like to see that more often? Would that be, in some sense, a representation of progress in some countries if privately owned businesses were able and were more often taking their regulators to court? With cause, yeah. I mean, that's the reason why rules are there, right? We put rules in place in order to follow them. And if you break those rules, then you have to pay the penalty. I mean, I have to pay the penalty, you have to pay the penalty at the end of the day if we break a rule that we sign off on, that we promise we will abide to. So yeah, absolutely. I think that's something, I mean, there are methods by which, I mean, I think going to court is a last resort. There are steps to cure the process that are in place already. You go through the cure process, and if that cure process does not resolve the issue, then the court should be a fair place to make your case, absolutely. But it has to go through the steps first. If you don't go through the steps to cure them, and both sides have to be able to resolve, I mean, show why. If they can settle outside of court, of course they settle outside of court. But if not, the court is fair play. For me, it's fair play. That's what it's there for. And there's been a tendency in some countries for the people appointed to run the regulator, they get the job as a political favour. They're from a particular political faction. It gets treated as a gift to be handed out to specific supporters, to backers of certain political groups. What can be done to make sure that the appointment of the regulator are the people with the right skills and competencies to do the job as a neutral impartial regulator, not just somebody who is basically, even if legally they're not an extension of government, because they're connections to government, because they're friendships with people in government, they act like somebody who's an extension to government. What can be done about encouraging the appointment of the right qualified people to the job? Sure. That's across the board. That's a global problem. It's not specific to Africa. Are you thinking of the USA when you give that answer? I am absolutely thinking of the USA when I say this. But I think it's an open secret. I think that's something that happens across the board. But as long as the regulator is qualified, I think that's the key word is qualified. And as long as they have the leadership skills, then I don't see any harm in approaching it from that perspective. But they do have to declare that they will act independently, not be influenced. They have to publicly admit that. They have to show that. If they can't show that, then I think and I think this again, Africa is such a young continent when it comes to experiencing and running these type. Right now, there's a lack of enough people who would step up to work for a government. I mean, there are challenges. There are lots of qualified people. So for instance, I'm of Ethiopian origin. If I want to go back and work for the regulator at the head of the regulator, I can't because I'm not an Ethiopian citizen. I don't have the Ethiopian passport to take on that kind of a position. So there's a lot of us who are capable of doing that work. I'm not capable, but there are a lot of people who are capable of doing that work. But they don't have the required credentials to take on that spot. So they have to recruit from within the country. Now within the country, there are a lot of capable people also who can take on that spot. But finding the right person who has the right qualifications, who have the right attitude, that's the right person who can. And that person could be part of the existing party, it could be from an opposite party. I don't get into the politics of all that because I'm not well versed in it. But I can tell you that most of the regulators that are in Africa that I have been following, that I can follow, I've really learned from them. They're academicians, they are practicing telco folks. They're actually good people. The people at the top of the regulatory bodies are actually really, really good. And they work really hard to deliver for the people. Further down, you may see some issues, but at the top, most of them are very good recruits. And I have personally, I've been motivated. And especially in the last five years, I've seen a big effort to put really good people in good positions. So I have to say, as long as they do their job, it doesn't matter who they are at the end of the day, and whether they are. Well, I think you're too modest, Sossina. I think I'm looking forward to you being charged with one of these regulators in the near future. Thank you so much for your time today, Sossina. We've used up all our time for our interview, and you've given us such great answers. I'd love to keep on talking, but I much appreciate your contribution to today's show. Thank you, Sossina. You're most welcome. Thank you. Well, it's good to hear from Sossina there, but let's keep the conversation moving. Joseph, thank you for staying with us and continuing to talk to us. I know that you'll have some strong opinions about GVG, Global Voice Group, who we were talking about earlier, participating in an ITU summit. Please, can you give me your reaction, Joseph, to GVG's attempts to present themselves as a respectable business? So it's hardly a surprise. Anybody who has followed through what GVG has been doing, especially in Africa especially, you will have noticed the attempts to kind of buy respectability, to get into partnerships that are supposed to give them a modicum of credibility. I'm just not also very surprised that they are trying to get in with ITU, because the ITU, as part of a specialized agency for the UN, has also not had much to show by way of achievement, especially in Africa. I mean, you look at some of the challenges that we face as Africans in terms of telecoms, and I imagine that ITU, if it was actually very much on our side as Africans, would have done a lot more to influence government, a lot more to influence even things like international termination rates, which have provided a way for symboceses to proliferate within the continent. So it looks to me like a partnership of two organizations that have met, because none of them is really delivering much. And I know that might sound biased. I am biased against the UN, as a person who has lived in a continent where the UN has a lot of drive, has a lot of projects and programs. But in terms of if you assess what's happening on the ground, you don't see much. And there have been even publications that show that the effect of the UN on the African continent is nothing much to talk about. Just to finish, there's a book written by Graham Hancock, which talks about, the title is Lords of Poverty, and he actually looks into most of the programs that the UN has done for about three decades. He concludes that's a danger for Africans, because what's happening is the money that's supposed to come and deliver credible programs doesn't come through. But it's also a danger for the Western taxpayers, because the money that is given by governments of the US, Europe, and the developed world to come to help the target communities in these poor countries, actually never arrives. So we are creating poverty on both sides. We are taking money from taxpayers in the West, with the intention of helping them on this side of the divide. We are not delivering that. And now, we are actually getting in bed with a company that is followed by controversy everywhere it goes. I mean, you mentioned GVG, wherever they have operated. They have been in Tanzania, have been in Ghana, have been in Zimbabwe, have been in Lesotho with a lot of controversies there. There's really not much that they have to show. So the UN getting into bed with them is something that's not a surprise, but it's still very much dismay. Well, the good news was that there was hardly anybody watching the ITU summit. There was a bunch of academics from around the world who clearly don't know very much about anything, waffling on about all sorts of things that academics like to waffle on about in terms of, let's have more diverse participation, and let's feel good about differences in gender and so on and so forth. No concrete actions amongst them. In fact, that's why GVG's employees were about 50% of all the people watching the summit, because they're the only company who actually had something constructive to say, although what they were constructively saying was essentially, let's monitor, monitor, and monitor networks, because if you monitor networks, they'll be able to collect more money, which did seem to be quite at odds with what everyone else was saying, but clearly the academics who are listening to these things have so little understanding of telecommunications or business, they couldn't even work out that what GVG was saying was contradicting what everyone else was saying. So it's a frustrating situation, a draw to everybody's attention that the Republic of Guinea right now is fighting GVG in international courts. It feels like international law is set up always for the persecutor, always for the impoverisher of Africans to win at the expense of ordinary people. So let's just recap what's happening with the Republic of Guinea. They are being told they have to pay $20 million to Global Voice Group, just because they weren't satisfied with a contract with a service that had been signed by a military government that had taken over the country, and it seemingly had delivered no value after it had been implemented. So rather than them being able to cancel the contract, because they are a government, and you might think your government could just cancel the contract, no international law comes in, and the Republic of Guinea has to start paying for lawyers in Paris, has to start paying for lawyers in the United States of America to fight to not pay Global Voice Group, Global Voice Group in this instance, an offshore company based in a tax haven of the Seychelles. No one seems to be noticing the irony here that money is being taken out of the pockets of ordinary Africans to go into a tax haven, and yet we're supposed to pretend that somehow or other having this service increases the amount of money going into the pockets improving the lives of ordinary Africans. Clearly the opposite is taking place. Ed, you look pretty shocked there, I don't know if you're aware of what's happening there, but are you surprised that international law always seems to be rigged against the little people in a situation like this? No, not at all, and actually what I was going to ask, and I think maybe you just confirmed it, I was going to say, is there a hedge fund involved somewhere in the background that's catching the dollars or the money that you're talking about, or the things that Joseph's talking about when money's not getting from taxpayers in the West? It's very hard to know where that money is going. It's very hard to know, but what we can say is that Global Voice Group was set up by the former Prime Minister of Haiti. Haiti, as you know, has a terrible reputation for being run by criminal gangs. The former Prime Minister of Haiti, he is the major shareholder of a business that is sat in another tax haven, British Virgin Islands, and we're not sure about the exact relationship between that business and that company in the British Virgin Islands and the one that's in the Seychelles. What we essentially know is that very quickly it becomes almost impossible to know where the money's going with Global Voice Group. They give a lot of different explanations for who they are and where they come from, depending upon where their contracts are. Actually tracing them to see where it's being taxed, much harder to work out where that is. We only know about the British Virgin Islands companies because that was part of the Pandora Papers leak that you may recall from a few years ago, where a lot of powerful people's attempts to hide and evade tax were finally being revealed as a result of this massive leak of information from lawyers. Lee, again, you deal with some remarkable places and some remarkable countries, including the Caribbean. Again, are you surprised by what's been going on there in terms of hearing about GVG? Well, I mean, risk management 101, right? If you're going to sign a contract with these companies, then make sure that if you have a dispute, yeah, the case gets heard in your home country, right? Don't sign up to something like Paris or outside. Yeah, that would be my advice to anybody signing these contracts. Good advice. Well, it looks like we may have lost Joseph's connection. So let's move to wrap up the show, guys. It's been an absolutely fantastic show. And I can't thank Joseph enough for coming on the show and for sharing his wisdom and his insights and telling us, of course, that harrowing story about the way that he was mistreated in Tanzania, as well as showing his insights about corruption more extensively and risk management more extensively across the African continent. Thanks to Joseph. Thanks to Sossina Tafari. That's it for today's show. Ed Lee and I will return next Wednesday with a show about the war in Ukraine and its impact on communication services and communications providers there. Cathal Mc Daid, CTO of Enea Adaptive Mobile Security, will share his insights into the rapid deployment of rogue Russian mobile operators that have been able to function whilst avoiding Western sanctions. We'll also talk about the surprising reliance on civilian coms infrastructure by Russia's army. And we'll also talk about Ukrainian networks, how they've been able to do such an amazing job of staying online, despite facing the most difficult of circumstances. So we'll be live on Wednesday, 22nd March at 4pm UK, 7pm Arabian in standard time, 11am US central. Why not shave the show to your diary by clicking the link on the Comms Risk Show webpage or better still, subscribe to Communications Risk Show broadcast schedule and have every weekly show uploaded to your diary automatically. Thanks again to today's guests Sossina Tafari and Joseph Nderitu. Thanks to my co-presenters Ed Feingold and Lee Scargall for sharing the fruits of the experience and to our hardworking producers of the show, James Greenley and Matt Carter. That's all for today's show. I'm Eric Priezkalns. Remember to visit the Communications Risk Show website, tv.commsrisk.com for the recordings and interviews we've given in the past. Keep reading commsrisk.com for the latest news and opinion about risks in the coms industry and go to the Risk and Assurance Group, riskandassurancegroup.org for access to RAG's free services and content, including the RAG fraud blockchain and RAG's risk catalogues. Thanks for watching today's show and we will see you next Wednesday.