The recent assassination of Lieutenant-Colonel Charl Kinnear has uncovered the unlawful use of location-based data from Vodacom and MTN to track his movement.
Kinnear, who was a section commander in an anti-gang unit, was assassinated in front of his home in Bishop Lavis, Cape Town on Friday 18 September.
On 23 September, Daily Maverick reported that the criminals who plotted the shooting of Kinnear used a location-based service to track his cellphone.
According to the report, Kinnear’s phone was tracked from 08:00 to 15:25 on the day of his murder. He was assassinated at 15:00.
This case uncovered the widespread abuse of location-based data from mobile operators to track the movement of South Africans without their knowledge or consent.
News24 reported that the illegal use of location services had gone unnoticed until Kinnear’s assassination.
Until now, this highly sensitive data was available to a wide range of companies, including vehicle tracking firms, security companies, and even credit bureaus.
These companies signed agreements with Vodacom and MTN to only use this data when a user provided consent. This did not happen.
According to News24, this information was sold to individuals and private investigators who would pay to track people without their knowledge.
Wireless application service providers (WASPs) were therefore given full access to subscribers’ sensitive location data, with the understanding that they would not abuse this data.
If this sounds familiar, you are not mistaken. For over a decade rogue WASPs have been stealing airtime from Vodacom, MTN, and Cell C subscribers without any real consequences.
When this fraud was uncovered – again and again – Vodacom and MTN simply promised to tighten security. Despite billions in airtime theft, they refused to block these services by default.
The same problem is now playing itself out in the location-based services (LBS) market, where rogue WASPs were given the tools by Vodacom and MTN to abuse their subscribers.
In this case, however, the two mobile operators moved quickly to suspend the services of many of their LBS partners.
How many companies have access to location-based data
The abuse of sensitive location-based data of Vodacom and MTN subscribers raises the question of how many companies have access to this data.
MTN SA’s executive for corporate affairs, Jacqui O’Sullivan, told MyBroadband that MTN has contracts with nine companies that provide location-based services.
“These are specific WASPs that contract with MTN and cater to the general public,” O’Sullivan said.
Some examples of such WASPs are vehicle tracking companies, security services (where people sign up to be notified of issues or crimes in their areas), and dispatch management tracking for delivery services.
A Vodacom spokesperson told MyBroadband they “do not disclose this information [how many companies have access to LBS] separately”.
Vodacom did, however, say that it limits access to location-based services to companies with which it has entered into a contractual partnership agreement and that meet criteria set by Vodacom.
He added that these partners are subsequently subjected to audits in the normal course of business.
“So, it is not a service that is offered widely or to individuals,” he said.
The system failed
The South African Police Service (SAPS) brought the abuse of location-based services to the attention of Vodacom after Kinnear’s assassination.
O’Sullivan said WASPs that provide location-based services have to sign a contract with MTN that stipulates that only individuals who have consented can be tracked.
The WASP must therefore obtain individual consent, in the form of a signed contract with each of its customers, before any tracking is undertaken.
O’Sullivan said MTN’s contracted partners should retain audit logs for all access they grant to location-based services.
“Our forensic team are currently reviewing the scope and potential scale of the abuse perpetrated by the WASPs,” she said.
MTN could not explain why its WASP partners abused their system to track users without their consent.
“MTN is currently investigating how any such breaches were undertaken by the WASPs,” MTN said.
Vodacom also said that, in terms of its contractual partnership agreements, users must give consent to be tracked.
In this instance, however, a partner allowed its service providers to bypass the controls.
Vodacom said while it is technically possible for WASPs to bypass Vodacom’s controls, it “would be irresponsible to suggest widespread abuse of the system”.
What is of concern is that Vodacom and MTN did not have any idea that this extremely serious abuse was taking place on their networks.
The systems which they have in place should provide their subscribers with the comfort that their personal information is safe.
Just like giving rogue WASPs the tools to steal airtime from their subscribers for years, Vodacom and MTN may also have exposed personal data from their subscribers to crooked partners.
Vodacom and MTN’s reaction to this scandal
O’Sullivan said MTN has, with immediate effect, shut down all access to the nine WASPs that have contracts with the operator to offer location-based services.
After the SAPS alerted MTN to the LBS abuse, the company asked the contracted WASPs to immediately corroborate their location-based searches against contracts showing that the WASPs had permission to track the numbers searched.
“As the information was not forthcoming, MTN immediately shut down all access to the location-based services for these WASPs due to their not having submitted the requested evidence,” MTN said.
MTN admitted that the required strict adherence to contractual requirements and individual permissions appears to have been ignored, resulting in the system being abused by the WASPs.
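The corroboration MTN describes is, in practice, a reconciliation of the operator’s own lookup records against each WASP’s consent contracts. The following is an added example (not code from MTN, Vodacom or any WASP) that runs that check over a constructed gateway log and a constructed consent register, flagging lookups with no consent or lapsed consent, and numbers polled repeatedly within one day. The log format, field names, MSISDNs and the four-lookups-per-day threshold are all assumptions.

```python
"""Reconcile LBS gateway lookups against a consent register (hypothetical formats)."""
from collections import Counter
from datetime import datetime

# Constructed consent register: (wasp_id, msisdn) -> ISO date on which the
# customer's signed consent contract expires. Values are made up for this example.
CONSENTS = {
    ("WASP-A", "+27820000001"): "2021-01-31",
    ("WASP-A", "+27820000002"): "2020-06-30",  # consent lapsed before the lookups below
}

# Constructed operator-side gateway log, one location lookup per line.
# The "timestamp wasp=... msisdn=... result=..." layout is an assumed format.
LOG_LINES = [
    "2020-09-18T08:00:00 wasp=WASP-A msisdn=+27820000001 result=ok",
    "2020-09-18T08:05:00 wasp=WASP-A msisdn=+27820000003 result=ok",
    "2020-09-18T09:30:00 wasp=WASP-A msisdn=+27820000003 result=ok",
    "2020-09-18T11:10:00 wasp=WASP-A msisdn=+27820000003 result=ok",
    "2020-09-18T13:45:00 wasp=WASP-A msisdn=+27820000003 result=ok",
    "2020-09-18T15:25:00 wasp=WASP-A msisdn=+27820000003 result=ok",
    "2020-09-18T10:00:00 wasp=WASP-A msisdn=+27820000002 result=ok",
]


def parse_line(line):
    """Return (timestamp, wasp_id, msisdn) from one gateway log line."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["wasp"], kv["msisdn"]


def audit(log_lines, consents, max_per_day=4):
    """Return findings: lookups lacking valid consent, and numbers polled too often."""
    findings = []
    per_day = Counter()
    for line in log_lines:
        ts, wasp, msisdn = parse_line(line)
        expiry = consents.get((wasp, msisdn))
        if expiry is None:
            findings.append(("NO_CONSENT", wasp, msisdn, ts.isoformat()))
        elif datetime.fromisoformat(expiry) < ts:
            findings.append(("CONSENT_EXPIRED", wasp, msisdn, ts.isoformat()))
        per_day[(wasp, msisdn, ts.date().isoformat())] += 1
    # A single number polled many times in one day is the movement-tracking pattern.
    for (wasp, msisdn, day), n in per_day.items():
        if n > max_per_day:
            findings.append(("REPEATED_TRACKING", wasp, msisdn, f"{day}:{n}"))
    return findings


if __name__ == "__main__":
    for finding in audit(LOG_LINES, CONSENTS):
        print(*finding)
```

Run against the constructed data, the audit reports five lookups with no consent, one lookup under lapsed consent, and one number polled five times in a day; the WASP’s own claim of consent never enters the check.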
“We are appalled by this abuse and will support any formal police investigation that will root out the perpetrators,” O’Sullivan said.
Vodacom said it has suspended the services of a company using its location-based services pending further investigation.
“We treat transgressions in a serious light and will take appropriate action once the investigation runs its course,” a Vodacom spokesperson said.
“Vodacom values and respects the data security and privacy of all its clients and has a zero tolerance for non-compliance.”