SA data leak: ID numbers, POPI and personal responsibility
As the dust settles around the largest data leak in South Africa’s history, questions are still being asked.
How did this happen? How could such a large amount of private data – that of around 60 million citizens, both alive and dead – be made public so carelessly? What are their next steps? And is there a bigger conversation to be had about personal responsibility?
To help unpack all this, htxt.africa interviewed attorney Nick Hall, who has been following developments around the leak. He’s also something of an expert on the forthcoming Protection Of Personal Information Act (POPI), which is handy.
htxt: This data was placed on a public-facing server so anyone could have helped themselves if they knew it was there. The data also included details of minors, so it’s highly unlikely this data was tied exclusively to home ownership or financial records. So where do you think it came from?
Nick Hall: Honestly, I have no idea. Some of this information may have come from the Master Deeds office; obviously no child of four can afford to buy property but that doesn’t stop their parents or other parties putting property in their name. If they inherited property, for example, they would be a registered owner.
From what I heard it looks like it’s Deeds Office data that has been significantly enriched, although by whom, I don’t know.
Let’s assume the source was the Deeds Office database…
htxt: And we’re obviously not saying that was definitely the case.
NH: Yes, this is just an example. The crucial data that it would’ve contained would be the ID numbers. Once you have those, the person or people who collected that data could go to other sources and cross-reference information – dipping into credit records or any other databases that are either openly available or available for purchase.
The Deeds Office database, which I believe you can purchase lawfully, is a good starting point for collecting a data set for whatever your purposes are – whether you’re a real estate firm, debt collector law firm or financial institution.
A company could then enrich that data from other sources, depending on what they were going to use the data set for. Marketing companies can do something like this so they can properly segment where potential consumers and marketing targets are.
How this data became public, though, is an entirely different question altogether.
htxt: Aren’t there some serious questions to be asked about the ease with which such extensive data harvesting can be done like this?
NH: Well, that’s why we have POPI (The Protection of Personal Information Act) – this is one of the issues that it’s meant to address. It’s not just the Deeds Office, it’s company records, it’s credit information. Take a look at CIPC (the Companies and Intellectual Property Commission); anybody can go and get the CIPC database and that has every single company director’s ID number in it. Some of them are very high net-worth individuals, making them attractive targets for identity theft.
This is part of the reason POPI is fermenting – to deal with these issues. There’s nothing wrong with data collection. There’s a tension between keeping data secure and not making it easily accessible, but at the same time making relevant information accessible.
What would happen under POPI is that, while this data would still be available for purchase or for sale, the Act would introduce measures on behalf of the seller to ensure that, first, the people affected in the sale know their data will be sold, and second, that the people who are acquiring the data are doing it for lawful purposes and that they’ve conducted checks to make sure the sellers are who they say they are.
htxt: So under current legislation, it’s possible nothing illegal has happened in the SA data leak?
NH: That’s possible.
htxt: But if POPI had been signed into law now, there would be several parties lawyering up?
NH: Oh, definitely. If POPI was law now, everyone in that database would have a lawsuit against the owner of that database.
htxt: Given that ID numbers are so easy to get hold of, is there really any danger of one’s ID number being public?
NH: Well, it is public. There’s a confusion about what POPI is going to be doing once it’s law. People think that when POPI becomes law, your ID number won’t be made public. It still will. But there are legally enforceable measures being put in place that will require companies to do more verification on data and ensure it’s secure. They also have to be more open with what they intend to do with the data once they acquire it.
But think about how much information people give out on a daily basis. How much information do you put on Facebook? How much do you put on LinkedIn? What do you put into Google? I think the general public in South Africa has a very tainted view of how private we all are.
htxt: Tainted? Or unrealistic?
NH: Well, unrealistic, sure, but I say ‘tainted’ because we have this perception that we have privacy rights, but then we’re the ones freely and willingly giving our data away on open and free services without really thinking about it.
The truth is that even now, your ID number being available isn’t a big problem. The problem is the massive amount of information that’s been leaked right along with your ID number. It’s the fact this was an enriched database that was leaked that is problematic. And going forward not much is going to change.
POPI does not and will not protect one against one’s own stupidity. We need to have a serious discussion and raise awareness on how people give out their own data in public forums – and how easily and readily they do it.
- Nick Hall was on the htxt.africast back in July talking about the Cyber Crimes Bill.