RICA leaves subscribers vulnerable
RICA-registered South Africans are falling prey to unscrupulous marketers, as the entire SIM registration process is potentially open to abuse.
However, mobile operators downplay this and are adamant their databases are secure, while also admitting the SIM registration Act does not clarify how personal details should be secured.
This means that, for any action to be taken if information is leaked, affected mobile subscribers would have to prove the origin of a breach - a near impossible task. This leaves mobile subscribers open to abuse, with little recourse.
As a result, millions of people are at risk of falling prey to identity theft, because the SIM card registration Act requires that every single person living in SA register their phone numbers, proof of residence, and identity number.
However, this sensitive information is not secure, as the legislation does not make adequate provisions to protect it, and the data handed over by mobile users - to avoid falling foul of the law - is being leaked.
ITWeb has already heard several reports from people who have been contacted by marketers and debt collectors as a direct consequence of registering their details. Moreover, SMS inboxes are overflowing with spam almost as soon as people register.
The problem is only going to get worse, as more people rush to register in time for the deadline next June. The only recourse available is to complain to the Department of Justice and Constitutional Development or the operators, which face a hefty fine if found guilty of selling data. However, it is nigh on impossible to prove the origin of the breach.
Under the Regulation of Interception of Communications and Provision of Communication-Related Information Act (RICA), every SIM card owner must hand over their contact, address and identity details to the operators, or face being cut off from the network.
Cellular companies argue the data is secure, and only accessible by a handful of selected staff members. In addition, it is only used for law-enforcement reasons. Yet this is not the case, as the mounting pile of evidence shows people's details are somehow escaping the database or the collection process.
Lance Michalson, a partner at Michalsons Attorneys, says the RICA Act and regulations are a “bit vague”. Although it only allows information to be available to a limited number of staff, he says this “does impose some sort of requirements on the companies to make sure the information is secure”.
However, the Act does not provide sufficient clarity as to how information must be protected. It states only that operators must keep data safe, and access needs to be limited to a handful of staff. This, argue market commentators, is insufficient to protect a consumer's sensitive information.
Jan de Lange, MD of Biodata Westcon Security, says information stored in terms of RICA is sensitive, because it can link people's cellphone numbers to their identity number and home address. He explains that this is the basic information perpetrators require to steal identities. “Any information is valuable, no matter what it is.”
De Lange says companies are generally more worried about information being stolen by outsiders than its own staff members, while internal theft could make up at least half of all attacks. RICA information is just one more database that needs to be protected, he notes.
Safe as houses?
Vodacom's executive head of corporate communications, Richard Boorman, says the company collects and stores the information in compliance with the Act. The details are ring-fenced in a separate database and “cannot be used by Vodacom”.
He says Vodacom limits access to a small number of “authorised employees” and information can “only be disclosed via a subpoena from a law-enforcement agency or another institution, which by law is entitled to apply for the information”.
Boorman adds, however, that while there is a duty to make sure the information stored is secure and only accessible by authorised Vodacom staff, the Act does not provide more clarity on how to look after the data.
He says Vodacom does not sell customer information to third parties and the penalties for not keeping RICA data safe are severe. Operators face a R100 000 fine each day they are in breach of the requirement to ensure access is restricted.
In addition, companies face a maximum R2 million fine for unlawful disclosure and the individuals found selling information could go to jail for as long as a decade. Boorman says any complaints will be fully investigated by its risk division, which reports directly to the executive committee.
“Vodacom has almost 24 million customers in SA and we have registered almost three-quarters of those customers. If there were a systematic breach in our systems, in all likelihood we would have received direct feedback from a large number of customers,” says Boorman.
MTN says the RICA database is only accessible by designated MTN staff members, and then only to process requests for information from relevant law-enforcement agencies.
The cellular company says it has implemented the “necessary security controls and measures to ensure the RICA database is secure”, but did not elaborate on what these are. The RICA database kept by MTN is also off limits for other purposes, such as billing, says the company.
The operators' assertion that their RICA databases are safe raises the question as to whether information is leaking at the collection stage through RICA agents or other third parties, such as retailers.
There have previously been breaches of confidential information at cellular operators. Last August, a Vodacom staff member was bust after fraudulently creating temporary dual SIM cards, and then diverting one-time PIN SMSes to these cards, which were then deleted. The staff member was part of a syndicate that robbed bank clients of R7 million.
Steven Ambrose, MD of World Wide Worx, explains breaches can occur from within mobile operators if staff sell the information to external companies, which may then use it for marketing their products.
Every time information is spread, it creates a bigger risk for data to be stolen and used for identity theft, which will become more prevalent as connectivity increases, adds Ambrose.
The Independent Communications Authority of SA (ICASA) says RICA is a Department of Justice project, but points out operators that sell information face penalties. Spokesman Jubie Matlou explains that there are limits on when information can be handed out. Operators breaching this face penalties if found guilty under the ICASA Act.
Tlali Tlali, Department of Justice and Constitutional Development spokesman, says the department has not yet been informed of a confirmed case of insecure RICA data.
Tlali says the Act has sufficient measures to make sure the information is only used for the intended purpose, but the situation will be monitored. “If verified information is submitted to the department, which indicates that the information recorded and stored in terms of the RICA is used for other purposes, the minister may determine security standards regarding the collection, recording and restoring of such information,” he adds.
Justice meets with mobile operators and law enforcement agencies on a regular basis to discuss problems relating to the implementation and application of RICA to make sure it is properly enforced.
Department of Communications (DOC) media relations director Busiswa Mlandu says the issue will be raised with the justice department, although the DOC has not yet received any complaints.
Cell C did not respond to repeated requests for comment.
* Have you seen an upsurge in spam after RICA registration, or been contacted by third-parties when your number is only known to a handful of people? Tell us.