At 07:00 on an ordinary autumn day in 2012, Irene Johnson* (not her real name) gets a nasty wake-up call from the bank. She’d fallen victim to a phishing scam; while she was asleep, someone purchased R28,500 worth of Telkom prepaid cellphone vouchers on her credit card account. As a final insult, R99.75 was transferred to a bank account in Boulogne, France.
She reported the case to the police, but decided to do some private investigation. She knew that the law obliges one to register a sim card upon purchase by providing proof of identity and residence. Cellphone service providers commonly refer to the address and name thus registered as “Rica information” – Rica being short for the Regulation of Interception of Communications and Provision of Communication?related Information Act 70 of 2002. If a sim card is not thus registered, it cannot connect to the mobile network. With your identity and address linked to your sim card, law enforcement can easily trace you – in theory.
So Johnson phoned Telkom. Rica forbids the service provider from from disclosing Rica information to the public, but the kindly official accessed the Telkom’s Rica database and told her this much: the cyber thief was an 86-year-old man with an English name and surname from Hillbrow. Says Johnson: “The Telkom guy said, ‘I guarantee you, there’s no one like that in that street.’” The policeman on the case was in agreement. “He said, ‘I can tell you now, it’s a false name, and a false address.’”
Johnson traced the physical location of the IP address of the computer from which the phishing e-mail was sent: the 86-year-old had travelled to Midrand to do the dirty work. Johnson eventually regained her money after battling the bank, but the culprit vanished. Telkom’s spokeswoman Jacqui O’Sullivan told Daily Maverick that although Telkom does the utmost to verify customer information, it relies on customers to provide accurate information. “Discussions are being held between Telkom and other mobile operators to improve the accuracy of Rica information,” O’Sullivan said.
A look at the prepaid sim card distribution chain explains why fraudulent registration is so simple: Rica is flawed.
Because of the sheer scale of sim card distribution, network operators outsource this function to distributors. A large distributor can receive as many as three million sim cards from a major mobile service provider each month. The distributor appoints Rica agents on behalf of the service provider to sell the sim cards, and agents electronically capture a customer’s Rica information and register the sim card on the service provider’s designated Rica database.
It’s here that the law falls short: The customer must produce an ID, temporary ID, a passport, and proof of residence, like a bank statement, a municipal or retail account, an affidavit or a letter from a local church or school. However, the vendor cannot authenticate the documents. “You can have a letter from your minister saying, ‘this is Frank and this is where he lives’. There’s no way to vet that letter,” says a communications expert with close to 10 years’ experience in working with law enforcement and Rica. To boot, vendors do not keep electronic or hard copies of any such documents – Rica doesn’t require it.
But, ultimately, mobile service providers, distributors, and Rica agents, are losing battle to ensure accurate Rica information. Ideally, service providers’ Rica databases should be linked to the Department of Home Affairs’ National Population Register (NPR), allowing Rica agents to electronically authenticate an ID against the NPR records. But, as yet, there is no integration of databases. And although certain financial institutions may access the NPR for verification purposes, Mayihlome Tshwete, spokesman for the Department of Home Affairs, says doing this requires the service provider to follow stringent regulations for such access, in order to “ensure the integrity of personal information recorded in the National Population Register”. Simply put, Rica agents cannot verify subscriber identities electronically against the NPR. They must rely on the training they receive from distributors to identify false IDs.
But there’s another problem. Rica doesn’t demand that agents be vetted. No police clearance certificate needs accompany the job application. Like a subscriber, the Rica agent applicants must provide proof of identity and residence, and those documents are not usually stringently authenticated. Citizens and foreigners can apply. Applicants are asked if they have a criminal record, and if they admit that they do, chances are they won’t be hired. “But, if they say ‘no’,” says an industry source from a distribution company, “we take them at their word.” In fact, said the source, the person would still be hired even if his company had knowledge of it – as long as no one says it out loud. And proof of residence? “They can just give an address, even if it’s a shop or a doctor’s office. They don’t need an affidavit saying where they live.”
Rica agents can also register other Rica agents, says the industry source. Agents can work from home, in a shopping centre or on a street corner, and register between 50 and 100 new subscribers a month through their personal cellphones that connect to a Rica registration site. Rica details are thus captured and sent directly to the service provider Rica database. Agents earn commission from the service providers when they register new subscribers.
Thus, accurate sim card registration relies on the honesty of the subscriber and the agent. But accurately registering a sim card isn’t necessarily in the agent’s interest.
A mobile security specialist with expert knowledge of fraudulent sim card registration explains: “An ‘unRica’d’ sim card sells for R2, and a ‘preRica’d’ sim can sell for as much as R50. Now if a vendor has a 1,000 Rica’d sim cards on his name, he could collect R50,000.” It doesn’t help that Rica doesn’t limit the number of sim cards that individuals can register in their names. The mobile security specialist says that, although networks are moving to limit that number to 10 sim cards per person, it’s no solution: “Let’s say a street vendor gets 100 Rica’d numbers. Now he just gets 10 of his friends to Rica 10 of those, or he just makes up 10 IDs.”
The next obvious steps? Tightening up Rica, stricter registration requirements, integrated databases, and thorough vetting?
Ironically, registering your sim card like a good citizen can increase crime rates, and easy fraudulent registration could be an enormous blessing in disguise for South Africa’s economy, the poor, and for the protection of Joe Public’s privacy.
First up: Identity theft. In 2010 the Institute for Security Studies noted that a key concern for mobile users was that sim card registration could expose them to identity theft. (At that time, service providers were scrambling to meet the June 30, 2011 deadline of ensuring all sim cards active on the network are registered.) The concern is not unfounded.
On the one hand, service providers do go to great lengths and expense to secure and protect Rica information. According to the mobile security specialist, access to the Rica information database is strictly controlled. Service providers do not have unrestricted access to the database – not even for their own internal use or marketing purposes. That would be illegal. The information can only be accessed through a court order, strictly for law enforcement purposes, and only service provider personnel vetted by the State Security Agency are allowed access to it.
However, before the Rica information reaches the secure database, there is potential for leakage. Since Rica doesn’t require Rica agents to be vetted, you don’t know who is handling your information. The documents you submit to register your sim card, like your ID, a bank statement or a retail account, are an identity thief’s dream, and would save a potential fraudster the trouble of sending you a phishing e-mail or rummaging through your rubbish for your accounts. With enough personal information, criminals can apply for loans, credit cards, or retail accounts in your name, for instance. You may also be impersonated by a terrorist or member of organised crime. Another bonus: if a criminal perhaps uses your details to register a sim card fraudulently, then he or she can commit crimes using a cellphone registered to your name.
And the threat of identity theft is very real. Southern African Fraud Prevention Service (SAFPS) assists over 40 member organisations (such as ABSA, FNB, Truworths and MTN) to root out fraud, and identity fraud is a major focus. Last year, the SAFPS received 2,470 reports of victim impersonation (when another pretends to be you by using your ID, for instance). But, says SAFPS operations manager Roy Retief, these numbers are merely indicative of a larger issue as they only include reports from member organisations:
“We are of the view that a significantly higher number of consumers become victims of identity theft. However, these instances often go unreported.”
Although the true impact of identity theft on the economy is difficult to establish, big figures are involved:
“Our member organisations reported that they prevented losses relating to identity fraud in excess of R1.5-billion during 2015, as a result of sharing fraud-related data via SAFPS. This is a very conservative estimate, as not all member organisations shared their prevention data with us,” says Retief.
Another concern is that governments could utilise sim card registration information to target political protesters. The GSMA (an international association representing about 800 mobile network operators) highlights this threat in its 2013 white paper on mandatory sim card registration. In South Africa, there is cause for concern. It is part of the State Security Agency’s mandate to predict and prevent public violence by monitoring service delivery protests or industrial strike actions. However, you won’t know if you’ve been targeted: Rica does not allow a citizen to enquire whether they’ve been monitored.
In addition, the agency responsible for this sort of surveillance, the Domestic Branch of the State Security Agency, operates from the clandestine National Communications Centre just outside Pretoria. In 2005 the NCC illegally monitored communications of various individuals, including businessman Saki Macozoma. The Matthews Commission of Inquiry was subsequently set up to inspect the legality of NCC operations. The commissions found that the NCC “fail (ed) to comply with the requirements of the Rica which prohibits the interception of communication without judicial authorisation”. It was never made public whether steps were taken to rectify the illegalities.
The State Security Agency did not respond to questions.
But there is another problem with forced sim card registration that threatens the most vulnerable in our society. According to Bill Hearmon, Chairman of the 4G African Broadband Forum, a small minority use cellphones to commit crimes. Disconnecting innocent citizens from the networks because their sim cards are not registered – all in the name of crime prevention – is not worth the loss in socio-economic benefits that accompany mobile inclusion in developing nations.
Research has shown repeatedly that GDP increases with an increase in mobile users. This is possible, says Hearmon, because cellphones allow fast access to information previously out of reach. For instance, small-scale farmers in rural Africa can become more competitive: “A farmer can sell his tomatoes on the other side of the village to someone who’s not going to rip him off. Remember, those aren’t Woolworths tomatoes. His tomatoes only last for two days. He doesn’t have time to travel around finding and comparing prices,” says Hearmon. Product improvement is another benefit, says Hearmon: “He can now find out how to grow bigger and better tomatoes.”
Other ways in which increased mobile inclusion promotes economic growth include assisting the unemployed to find work, cutting travel time and costs, and boosting entrepreneurship. It has also brought mobile banking to millions who previously had no access to banking services. Examples include M-Pesa in Kenya, and FNB eWallet in South Africa.
The GSMA published a report in 2012 about the economic impact of mobile inclusion. It revealed that, among a study sample of 74 countries, a 10% long term increase in 2G mobile usage (SMS and voice calls), increased a country’s Total Factor Productivity (TFP) by an average of 4.2 percentage point. (TFP is a measure of economic growth associated with increased in GDP.) The study also found that, in a sample of 96 developed and developing nations, a 10% substitution from 2G to 3G mobile penetration yielded a 0.15 percentage point increase in annual GDP per capita growth. Simple 2G mobile telephony has been the mainstay of cellular communications in Africa, but access to internet data via 3G and 4G mobile networks is on the rise. According to a 2015 GSMA report on the mobile economy of sub-Saharan Africa, 3G networks were established in 41 Sub-Saharan African countries by June 2015, and 23 countries had seen the launch of 4G networks.
However, stricter sim card registration legislation threatens mobile penetration, and it’s the poor who will be at the greatest disadvantage. Prepaid mobile subscriptions allow network access for those with no fixed income or credit record who subsequently don’t qualify for a mobile contract. However, it is this section of the population who are likely to experience problems delivering the documents needed to register their sim cards. South Africa has millions of prepaid subscribers. By the first quarter of 2015, MTN had 22.6-million prepaid subscriptions, Vodacom 26.5-million, and Cell C 17.7-million. Prepaid customers far outnumber contract holders. Between the three major operators, there were 12.5-million contract subscriptions for the same period. Apart from the obvious financial losses to the industry, overall economic growth can be muted.
A lack of formal identification appears to be less of an issue for South Africans. According to the Department of Home Affairs, as of May 2013, there were 38-million people with valid IDs registered in the National Population Register. This accounts for the majority of South Africans eligible for IDs: Statistics South Africa’s 2016 mid-year population estimates show that citizens aged 15 years and older total around 39-million. Department of Home Affairs’ Tshwete says that its campaign to register children within 30 days of birth has minimised the number of South Africans whose identities are not captured in the National Population Register and without IDs. It takes 30 days to issue a new Smart ID Card, but Tshwete says most people receive it in seven days.
However, proof of residence is an entirely different matter. If people were no longer allowed to provide affidavits or letters from a local church as proof of address, they would be at a loss even if they have an ID. Says the mobile security specialist: “The fact is that the majority of prepaid customers don’t have a formal address.” According to the communications expert, low-income groups will lose the most: “Cellphones are usually an important part of life in townships, but the most vulnerable people cannot easily register. Where do you get a water bill when there isn’t even water?”
Yet, South Africa continues to persist with mandatory sim card registration in the name of crime prevention.
Sifting through court archives reveal that Rica information, when accurate, is indeed helpful in addressing crime. However, there are no statistics publicly available about the number of convictions in which Rica information aided prosecution, and Rica information is yet to demonstrate its effectiveness as a crime-fighting tool.
Cellphone records have proved far more useful in tracking criminals, given the inaccuracy of Rica information. Call records are also referred to as metadata, or communications-related information. This includes the time of a call, the number to which it was made, the call duration, and the approximate location of the phone (based on data from the cellphone towers to which it connected). Says the mobile security specialist:
“For every one case where the Rica information is successfully used, there are 10 other stories where the Rica information was false, but it was the call data that really got the person caught.”
He provides an example of where the Rica information of a suspect was false:
“In one case, an investigator was trying to apprehend someone who had committed subscription upgrade fraud. The investigator lived in his car in Vereeniging for five days. He found that the suspect was calling a specific pizzeria in the area regularly. Then he went with the police to the pizza place and showed them the number. The staff there could provide a name and a description of the suspect.” The man was arrested. “So Rica information was useless. They waited at the pizza place because every second day he bought a pizza.”
According to the communications expert, Rica information is unnecessary for crime prevention purposes:
“They (the service providers) have everything that’s needed, like where and when a phone is switched on. You can find out where the person lives. You very quickly can build up a very comprehensive amount of data. Rica information can be years out of date. Rica does nothing from a law enforcement perspective. It’s an added frustration, and doesn’t provide more information than they have anyway.”
The 2013 GSMA White Paper on mandatory sim card registration states that there is currently no empirical evidence of crime reduction directly resulting from sim card registration. The US, the UK, Canada, New Zealand, Romania and the Czech Republic have selected not to implement sim card registration. In Mexico, mandatory registration was implemented in 2009, but was found to be ineffective in crime reduction, and scrapped three years later. In the UK, following the 2005 London terrorist attack, a task team of experts from law enforcement, intelligence structures, security agencies and service providers found that “the compulsory registration of ownership of mobile telephones would not deliver any significant new benefits to the investigatory process…”
The European Commission considered evidence from member states enforcing registration, and announced in 2012 that “there is no evidence, in terms of benefits for criminal investigation or the smooth functioning of the internal market, of any need for a common EU approach in this area”.
However, pressure on SA service providers to ensure the accuracy of Rica information is mounting, following the $5.2-billion fine laid on MTN Nigeria for failing to enforce sim card registration. (Ultimately, MTN paid a $1.05-billion settlement, and was allowed to continue operations.) But a Rica expert with close industry ties says the MTN debacle has made local service providers anxious:
“Although most major companies are 100% Rica’d within the law, they all (service providers) told their boards that quality is a problem.”
The discomfort in the industry is not unfounded. Service providers can be fined as much as R100,000 per day for each sim card that remains incorrectly registered. They can also have their operating licences revoked.
But, when all is said and done, criminals can still circumvent sim card registration, no matter how strict the law or its implementation. One could revert to international roaming, satellite communications, or pay a stranger on the street to register a sim card for you.
One obvious question remains: despite all the drawbacks and obstacles to implementation, why does South Africa not abolish sim card registration? We asked the Department of Justice and Constitutional Development for their take on the situation, but despite numerous requests, a response was not forthcoming.
In the meantime, one can only speculate: upholding mandatory sim registration may be part of the government’s push for a security state, as could be seen in the case of the much contested Secrecy Bill which was voted through Parliament in November 2013, but is yet to be signed by President Zuma. On the other hand, it may just be a law that was not thought through: Governments in 49 of the 55 African countries have introduced mandatory sim card registration in the name of battling crime and terrorism. This is according to a research report published in the peer-reviewed journal about the internet, First Monday. The governments’ justification: crime and terrorism prevention. But, says the report, privacy is viewed as a technical issue to be dealt with “as an afterthought, rather than a complex political problem”.
Whatever the case may be, stricter sim card registration laws hold potentially devastating consequences for the lives of many ordinary South Africans, and our economy. This is perhaps the one law we should pray is never implemented properly. DM
This story was commissioned by the Media Policy and Democracy Project, an initiative of the University of Johannesburg’s department of journalism, film and TV and Unisa’s department of communication science.
Photo: US President Barack Obama (L) jokes with South African President Jacob Zuma, who was talking on the phone, during a luncheon during the 70th session of the United Nations General Assembly at United Nations headquarters in New York, New York, USA, 28 September 2015. The General Debate runs through 03 October 2015. EPA/CHIP SOMODEVILLA
Sheep wool never sheds.