The truth about Internet providers spying in South Africa
South Africans using the Internet should be aware that their Internet service providers (ISPs) do not proactively monitor their traffic.
The idea that ISPs actively monitor user traffic and provide this information to law enforcement agencies is often perpetuated by virtual private network (VPN) providers.
This is most relevant in countries where government surveillance of the Internet is common.
Nevertheless, an ISP can technically monitor your Internet traffic unless you use a VPN.
However, keeping tabs on all the online activity of an ISP’s users would require a tremendous amount of time and resources, including staff and money.
As it stands, South African ISPs have to operate on very slim margins and must dedicate employees and capital to high-quality customer service, which lets them compete with rivals.
Monitoring user traffic would not only amount to wasteful expenditure but can create serious legal problems for ISPs in South Africa.
The Internet Service Providers Association of South Africa (ISPA) — which represents hundreds of ISPs in the country — explained that several laws govern how ISPs may run their businesses.
Communication interception and monitoring legislation in South Africa prohibits ISPs from monitoring and intercepting subscriber communications without a lawful justification.
ISPs are also bound by the Protection of Personal Information Act, ISPA said.
“They are required to ensure that any collection and processing of personal information is lawfully done in accordance with POPIA’s provisions,” ISPA stated.
“ISPs are required by law to collect and store customer information — through the RICA customer registration process — and to make this available to law enforcement agencies, where lawfully requested to do so.
“This is very different from collecting and storing customer communications, which is not done.”
In practice, ISPs are generally not required to assist law enforcement with monitoring and intercepting client communications.
The Cybercrimes Act and other legislation does not require them to monitor the data they transmit or store or actively seek facts or circumstances indicating an unlawful activity.
“In other words, ISPs are not required by law to police their networks and services,” ISPA said.
When ISPs assist police
Nonetheless, with people increasingly living their lives online and ISPs providing a gateway to the Internet, they are becoming more important in combating and prosecuting illegal and unlawful conduct in the real world.
“An example is the role played by ISPs in addressing gender-based violence in South Africa,” ISPA explained.
“Recent amendments to the Domestic Violence Act require ISPs to take down online material forming part of the domestic violence and to provide information about alleged perpetrators.”
“Similarly, ISPs are obliged to provide information to the courts about people alleged to be guilty of harassment or defaulting on maintenance payments.”
Where there is interaction between ISPs and law enforcement, it is heavily regulated.
“ISPA members receive training and support to ensure subscriber personal information is not released to a law enforcement agency other than where a lawful request has been made,” ISPA said.