Vodacom and MTN have launched investigations into the potential abuse of their location-based services by third-party Wireless Application Service Providers (WASPs).
This follows reports that cellular location-based services were used to plot the assassination of Lieutenant-Colonel Charl Kinnear, who was murdered outside his home on 18 September.
WASPs were given full access to subscribers’ sensitive location data in “good faith”, with the understanding that they will not abuse this data.
The WASPs signed contracts which required them to get consent before they can track a person, but according to a News24 report they sold this information to individuals and private investigators who would pay to track people without their knowledge.
This abuse went unnoticed until Kinnear’s assassination and the murder investigation that followed.
Vodacom and MTN have responded to questions regarding their cooperation with South Africa’s Information Regulator. Previously the Information Regulator told MyBroadband that it had not yet received a notification from the two network operators regarding the breach of subscribers’ private location data.
“MTN’s focus to date has been shutting down access to the location-based services, securing feedback from the preliminary investigation and following that, the initiation of the full forensic investigation into the allegations related to third party abuse of location-based services,” MTN stated.
It said that it had a discussion with the Information Regulator last week.
“MTN is committed to adherence to all regulatory requirements and shall follow all due process, as is required in such matters.”
Vodacom explained that it will provide the Information Regulator with a full report as soon as it has finished its investigation into the matter.
It said that when the South African Police Service informed it of the possible illegal tracing, Vodacom established that there appeared to be excessive tracing of a specific phone number.
“We subsequently suspended the Service Provider Location Based Service and we commissioned an independent audit report on whether the location information of the MSISDN [phone number] was provided illegally to a third party,” Vodacom stated.
“Once Vodacom has received the independent auditors report, we will decide on any further course of action to take, including issuing notifications in accordance with the law.”
The Information Regulator explained to MyBroadband that Vodacom and MTN have a lot of leeway to decide when to notify it of the potential data breach.
“Before a responsible party like Vodacom or MTN can notify the Information Regulator about an alleged security compromise, cognisance should be taken of legitimate needs of law enforcement and any measures necessary to determine the scope of the compromise,” the regulator stated.
MTN and Vodacom take action against WASPs using location-based data
After MTN and Vodacom were informed about the abuse of the cellphone location data on their networks, they said they have cut off WASPs while they look into the matter.
MTN shut down all access to the nine WASPs with which it has contracts to offer location-based services. This was after none of the nine WASPs could produce the audit logs requested by MTN.
Vodacom said it has suspended the services of a company using its location-based services pending further investigation.
MTN has also threatened civil and criminal action against WASPs, or any other service provider, which puts the privacy of its customers at risk.
MTN recently concluded its initial investigation into the abuse of location-based services, with concerning results.
“There is sufficient cause for the suspension of all current location-based service providers pending a full forensic investigation that will determine the scope and scale of any abuse,” said MTN SA’s executive for corporate affairs, Jacqui O’Sullivan.
“Should abuse be identified, through our end-to-end forensic investigation, MTN will not hesitate to pursue both criminal and civil charges against the perpetrators of the abuse.”