General, News, Read

SA phone companies may be used for spying, but can’t tell you when

Hypertext

6th June 2014

South African mobile phone operators are unable to take part in international transparency reports which highlight how many times government agencies access customer’s voice and data traffic, according to a new report out in the UK this morning.

Vodafone, the parent company of South African operator Vodacom, has published the mobile industry’s first transparency report. It mirrors annual documents produced by Google, Facebook, Apple and Microsoft by listing the number of times government agencies have requested to intercept or access customer data on its various networks around the world. The report covers messages, phone calls, addresses, telephone numbers and other metadata. It’s been published as part of a Sustainability Report, available here, in a section titled ‘Law Enforcement Disclosure Report’.

As with the big tech companies, Vodafone has become frustrated by the use of its infrastructure for state spying and wants to come clean on what it does and why to try and build customer trust.

Ultimately, the report says, the onus should be on governments to publish this data and not the networks, in order that they can be fairly and independently scrutinised.

According to the report, it is not allowed to reveal any details about requests made to Vodacom by the South African authorities, because:

Section 42 of the Regulation on Interception of Communication and Provision of Communication-related Information Act 2002 prohibits the disclosure of any information received pursuant to the Act. This includes, by virtue of Section 42(3), the disclosure of the fact that any demand for lawful interception or communications data has been issued under the Act. Accordingly, to publish aggregate statistics would be to disclose the existence of one or more lawful interception or communications data demands.

In what may be a cunningly crafted introduction to the report, however, the company also says:

The report encompasses all 29 operating businesses directly controlled by Vodafone (including our joint ventures in Australia, Kenya and Fiji), in which we have received a lawful demand for assistance from a law enforcement agency or government authority between 1 April 2013 and 31 March 2014. We have not included countries in which we operate where no such demands were received, nor have we included countries where there may be some form of Vodafone brand presence (for example, through a partner market relationship) but where Vodafone does not own or control a licensed communications operator.

In other words, the fact that Vodacom is on the list – which took months to carefully compile, we’re told – is a tacit acknowledgement that its networks have been used for wiretapping here, it’s just not allowed to say so.

By contrast, the report notes that in Kenya “Local operators are legally prohibited under s.31 of the Kenya Information & Communication Act from implementing the technical requirements necessary to enable lawful interception. We have therefore not received any agency or authority demands for lawful interception assistance.”

That’s pretty definitive, then.

We’ve contacted Vodacom for comment, but have yet to receive a reply. Spokesperson Richard Boorman has told TechCentral that South Africa has strict regulations when it comes to wiretapping, but added that Vodacom would have to comply with a judge’s order if a request for a wiretap is made.

The act of parliament which governs wiretapping is the Regulation of Interception of Communications Act, better know to anyone who’s bought a SIM card as RICA. All South African mobile operators have to comply with RICA which “requires a telecommunication service provider to intercept and stores communication-related information which is commonly referred to as metadata.” Section 17 of RICA provides for the issuing of a real-time communication-related direction, while Section 19 of RICA provides for the issuing of an archived communication-related direction.

RICA states that the gathering of information from mobile networks are illegal unless:

a directive has been granted that permits the prohibited activities;
the party protected by RICA gives requisite consent;
the entity engaging in the above activity was also a party to those communications;
intercepting, monitoring or disseminating information of an employee while carrying on a business;
interception to prevent serious bodily harm;
interception to determine a location during an emergency; or
when entitled to do so in terms of other legislation.

The Vodafone report added that other than RICA or the Criminal Procedure Act, the South African government doesn’t have any other means of obtaining information legally. In some countries, the report reveals, Vodafone has been obliged to fit government cables directly into its network for the purposes of data capture.

“The South African government does not have any other legal authority to invoke special powers in relation to access to a mobile network operator’s customer data and/or network on the grounds of national security.”

Vodafone released a chart in which it details the amount of warrants for legal interception of content and warrant for communications metadata. In Congo, 436 requests have been made for Vodafone communications data and Lesotho had 488. From the data, the country in Africa which has bared the brunt of the request was Tanzania, with 98 765 requests. Ghana, Kenya and Mozambique has had no requests for info.

[Source – The Guardian, Vodacom, image – file]

About Author

Hypertext

Hypertext is one of South Africa’s leading technology news and reviews sites, catering for consumers, small and medium businesses and the technology channel.