The murder of Lieutenant-Colonel Charl Kinnear has lifted the veil on the unlawful use of location-based data provided to companies by Vodacom and MTN.
Criminals used this location-based information to track Kinnear’s movements and plan his assassination.
This case revealed the widespread abuse of location-based data to track the movement of South Africans without their knowledge or consent.
This highly sensitive and personal data was available to a wide range of companies, including vehicle tracking firms, security companies, and even credit bureaus.
What is of particular concern is that MTN was not aware that the data they provided to these third parties was abused.
It was only after the South African Police Service (SAPS) brought the abuse of location-based services to its attention that it started to investigate the issue.
The reason for this is simple – MTN provided companies access to their subscribers’ location information in good faith.
The contracts between MTN and third parties required them to get consent before they can track a person. This did not happen.
According to News24, this information was sold to individuals and private investigators who would pay to track people without their knowledge.
MTN said it is of grave concern to them that service providers appear to have flagrantly defied the requirements of their contracts.
It should, however, not come as a surprise to MTN that WASPs will break the rules to make more money.
For over a decade, third-party WASPs have stolen airtime from MTN subscribers despite their contracts prohibiting them from doing it.
Just like with location-based services, WASPs are required to get consent from an MTN subscriber to subscribe them to a service and take their airtime.
Many rogue WASPs bypassed this requirement, which resulted in large amounts of money stolen from MTN subscribers over the years.
MTN is therefore well aware that third-party contracts based on “good faith” with WASPs can lead to serious problems.
What information MTN shares with third parties
Kinnear’s murder and the revelation that the criminals used data provided by the mobile operators to plan his assassination raises the question – What access is MTN proving to third parties?
Based on the previous information and feedback from MTN, third parties have, or had, access to the following information about MTN subscribers.
- Last activity information
- The location of a subscriber
- The ability to bill a subscriber for content and related services
MTN spokesperson Jacqui O’Sullivan highlighted that “last activity” information is shared where required, but with no detail on the type of activity that was last undertaken.
Last activity data is also provided without a specific timestamp and using a masked IMSI number.
“These safeguards protect all details related to the customer while still allowing for a critical step in helping detect and prevent SIM-swap fraud,” O’Sullivan said.
Over the years, the WASP subscription process has also changed to provide MTN’s subscribers with more protection.
“The design is that no content partner can bill customers directly for WASP subscriptions,” O’Sullivan said.
MTN also sends weekly reminders to customers being billed, with the service name, price of the service, frequency of billing, and numbers to dial to manage digital services.
Despite the recent abuse of location-based services, O’Sullivan said MTN will continue to provide customer location data to the SAPS.
SAPS requests are managed and controlled by the Crime Intelligence Head Office (CIHO).
The CIHO vets every application before submitting it to MTN’s law enforcement liaison division for assistance.
“MTN does not engage directly with members of SAPS, as all requests have to come to the company via the CIHO,” MTN said.