TRACKED, PART ONE

With its hamstrung surveillance capabilities, SAPS is no match for criminals

The loss to the SAPS of special cellphone tracking technology software has everything to do with how such tracking was abused; something that came to light after the shooting of Lt-Col Charl Kinnear two years ago. In the wrong hands, the tech became deadly. (Photo: Gallo Images / Die Burger / Jaco Marais)

A tragic irony: because the illegal use of this tracking technology is no longer available to SAPS and private security companies, criminals now have a major advantage.

Tracking suspects’ mobile phones is a fundamental surveillance tool for law enforcement worldwide. We’re not just talking about tracking that occurs with smartphones through apps, GPS and Wi-Fi hotspot connections. Back in 2001, if you had a Nokia 3310, police would’ve had to track you through your phone’s connections to cell towers.

This method is still invaluable, and can be used in emergencies and long-term suspect surveillance when investigating organised crime. That’s especially crucial when GPS falters and Wi-Fi signals are out of range.

Sources say that, until recently, private security companies and the South African Police Service (SAPS) used special software to do cell tower phone tracking quickly and in real time — all at the push of a button. It was highly illegal, but extremely valuable in emergencies like kidnappings.  

It also helped SAPS’s Crime Intelligence division (CI) if they weren’t sure if a suspect was involved in criminal activities; they could do preliminary tracking to either rule that suspect out, or build enough of a case to get a court order for formal surveillance.

But our sources — all of whom spoke to Daily Maverick on condition of anonymity because they occupy sensitive positions in the security and mobile sector — describe a tragic irony. Because the illegal use of this tracking technology is no longer available to SAPS and private security companies, criminals now have a major advantage.

The loss of the facility has everything to do with how such tracking was abused; something that came to light after the shooting of Lt-Col Charl Kinnear two years ago. In the wrong hands, the tech became deadly.

The Anti-Gang Unit officer was gunned down outside his home after allegedly being tracked by private investigator Zane Killian (who is currently on trial for the murder). Killian had allegedly been tracking Kinnear’s phone using software called LAD, a product from 3DT Group of Companies.

Lieutenant-Colonel Charl Kinnear. (Photo: Noor Slamdien)

Following the murder and the subsequent exposure of LAD’s role in Kinnear’s death, it became apparent that there was little control over who used such technology, and for what purposes. LAD, and other tracking services like it, were shut down almost overnight. The result? Instant access to a suspect’s cellphone location became almost impossible for police and private security actors. That was a massive blow to legitimate crime-fighting efforts, sources say. 

Used for emergencies

A source close to SAPS CI explained that software tools like LAD are built with public safety in mind, especially for emergencies where there is a serious risk of harm to a victim (either because of an accident or a crime).

The source said that LAD was useful for security companies looking for stolen vehicles or kidnapped clients, or parents who wanted to know where their children were.

Private providers of emergency medical and security services could, through platforms like LAD, offer clients a service that they could willingly opt into, explains the source. This was, and is, perfectly legal since a client gives permission for their phone or car to be tracked.

But the strengths of LAD — its ease of use and relatively low cost — were also its downfall.

LAD doesn’t involve hacking, phone tapping or location tracking through GPS or Wi-Fi connections. It never even connects to the surveillance target’s phone. Rather, LAD harnessed data already present in the mobile network. That means the surveillance targets were none the wiser.

If you wanted to secretly and remotely track a suspect, but had no way of getting your hands on their phone to install spyware, you had just one other option besides services like LAD: exclusive spyware like the infamous Pegasus — costing upward of $50-million.  

Services like LAD are known as location-based services. Roughly speaking, they work like this: A network must at all times keep track of the cellphones connecting to it via the various cellphone towers. A cellphone is in constant communication with towers within its range. Every time a tower registers the presence of a phone nearby, it’s known colloquially as a “ping”.

Essentially, one ping consists of two data points: which tower registered the phone’s presence, and when it did so. This information is known as location-based data, and its generation is part of the necessary functioning of the network.

Millions of pings occur daily as networks make automated calculations while we drive, walk or ride around with our cellphones. If the network doesn’t “know” where our phones are, it can’t connect to them, and we wouldn’t be able to communicate with one another. Pinging continues even if you turn off your mobile data and Wi-Fi, or if you have an old-style phone. 

To use a location-based service like LAD, you have to subscribe to the service. You then receive a username and password and log in on your laptop (or smartphone, if there’s an app available).

Tracked by pinging. (Photo: iStock)

Now you can access the mobile network’s “knowledge” of the location of someone’s phone by “asking” the network directly. To do this, you simply type the surveillance target’s cellphone number into the system. LAD would then communicate with the mobile network and generate a map of the target’s approximate movements, based on “pings”.

At no point would you have to speak to a staff member at Vodacom or MTN before searching for someone. All you needed was LAD. 

The source close to SAPS CI explains that, unlike GPS technology that can narrow down a phone’s location to within a few metres, software tools like LAD can only give an approximate location:

“It’s a few 100m to a few kilometres. It depends on how dense the network is.” The more cellphone towers there are in an area, the more accurate the location. 

An approximate location is still useful, since it narrows down the search area. At the very least, you could identify the cell (a reception area around a cellphone tower) where a phone last connected to the network. 

However, according to a mobile network technician who was involved in testing network performance, pinging could be extremely accurate depending on where you were: 

“We tested it. I drove from the office to my home in the city. You could see exactly where I was driving. It was incredibly accurate.”

‘The bastards don’t even bother’

Several sources in the private security industry described how the police and private actors were using LAD and similar services, allowing them to obtain location data without applying to a court for a warrant.

This was highly illegal. The Regulation of Interception of Communications and Provision of Communication-related Information Act (Rica) is clear: only law enforcement is allowed to track a phone’s location or listen in on calls, unless, of course, the owner of the phone gives permission to be tracked and surveilled. Without that permission, police need to apply to the courts for a special warrant.

Alternatively, they need a warrant for location data in terms of section 205 of the Criminal Procedure Act. The warrant is then served on the mobile provider, which is legally compelled to assist in tracking.

According to the source close to SAPS CI, CI was able to pay its LAD subscription from its secret slush fund as if it were paying an informant. (Daily Maverick could not verify this claim, and SAPS said it doesn’t comment on crime intelligence matters.)  

Now, with LAD shut down, explains a source with detailed knowledge of police investigative procedures, SAPS and crime intelligence are back to using the cumbersome, slow legal route for investigations and emergencies.

But, explains the source close to SAPS CI, it’s a problem for police when they need to determine locations quickly.

“If I’m a policeman investigating a drug smuggler or human trafficker or a terrorist, I want current information… It’s severely hamstrung crime fighting. 

“A normal police detective — not someone in intelligence — has to go to the magistrate and apply for the section 205 warrant. It takes days or even weeks before a court order reaches a service provider.”

The source explains that there’s been a major increase in kidnappings following the termination of LAD and similar services.

“Before, you could find a suspect’s approximate location within an hour. Now police are playing catch-up all the time.”

Explains the source with knowledge of police investigations: “You don’t want the information in two days. You need it now. They’ve got the victim now. A criminal’s not going to wait for you.”

Investigators are now facing kidnappers who know they won’t be caught and no longer bother concealing their phone numbers or locations, says the source:

“The bastards don’t even bother calling from encrypted platforms like WhatsApp. They know it is going to take you three days to track a plain 2G call. While you wait for the 205, they just get a new number. It’s a boost to kidnapping, drug dealing, smuggling, human trafficking, poaching…”

A third source in the private security field, with in-depth knowledge of the now terminated pinging business, said that a valuable tool has been lost to police and crime intelligence:

“It was a real force multiplier. Pinging is dead now, and it’s hamstrung the security industry and the police. They now have to get a 205 order — that could take a week, a month…” 

A fourth source with knowledge of police intelligence collection processes also said that all pinging services were off limits to police, and waiting for the court process was the only way to get a suspect’s location data.

It’s caused a major headache for SAPS: “Pinging is done. Some guys still try to bypass the courts by sneaking a number into a section 205 court application in a completely different case. But even that doesn’t work any more.”

So, where did it all go wrong?

‘Don’t poke the bear’

While some security providers and the police were using LAD to genuinely fight crime, sources say, it was also used by others to track debtors, unfaithful spouses and anyone else — as long as a client could pay.

Says the source with knowledge of police intelligence collection processes: “Everyone in the security business knew someone who could ping a number for you. There were people who did nothing else for a living but offer pinging as a service.”

The source said that while it originally cost a couple of thousand rands per number to have a private investigator track someone through pinging, it became cheaper over time.

“There were so many guys doing it, you could track someone for a couple of hundred rands a number.”

To understand the mechanics of how it became so cheap and easy, Daily Maverick spoke to a private security operator familiar with LAD and similar products:

“It was basically a pyramid scheme,” explains the source, adding that there were checks and balances. A company like LAD would contract formally with one person. That person would undergo a criminal background check and get police clearance. If cleared, that person would contract with LAD. Contractors then purchased a set number of pings (ie bundles) from LAD per month.

“It was ping-as-you-go,” explains the source.

But then things went south. Original contractors began subcontracting — essentially reselling their pings. They could do this through onboarding a subcontractor online, simply adding another account to their domain. Those subcontractors would further subcontract, and so on. And those sub-subcontractors would sell pings to anyone, the source explains.  

As subcontractors were added, the police clearance checks fell by the wayside, since they slowed down business. The source estimates that, for any one legitimate contractor, there could have been as many as a hundred illicit subcontractors. As competition grew, pinging prices for the consumer — who at this stage could be anyone from a jealous spouse to a Zane Killian — took a dip.

The source estimates that, between the handful of companies providing pinging services, there were as many as 150,000 pings a month. For companies like LAD, selling the original bundle, that could translate into millions annually.

“Let’s say it comes to R50 a ping — go work it out.”

The source close to SAPS CI explained that it was fully within a service provider’s capability to see the vast number of queries being made through the platform.

LAD, and other companies that offered similar location-based services, paid mobile providers for access to caller location data. Since that data was generated in the normal course of the network’s operation, it didn’t take extra money or effort from the side of the mobile provider: it was there for the taking.

Whether mobile providers ever made any significant profit from LAD and other tracking services isn’t clear. Says the source close to SAPS CI: “It’s anecdotal, but before the Kinnear murder, someone at Vodacom raised the alarm.”

But, says the source, those higher up the ranks quickly quashed any inquiries.

“Someone higher up said, ‘If clients do 100,000 queries, we make X rand per query. It’s passive income. Don’t poke the bear’.” Daily Maverick could not verify the allegation.

Vodacom told us the claim was “false and baseless”, adding: “Not only were profits from this type of business negligible, Vodacom values and respects the data security and privacy of all its clients and has zero tolerance for non-compliance.”

The company further denies that abuse of location-based tracking was widespread, stating that the service was never offered widely to individuals. 

“While it was technically possible at the time for WASPs to bypass Vodacom’s controls, we strongly reject the claim that there was widespread abuse of the system.

“Vodacom has always limited access to location-based services to companies it has entered into contractual partnership agreements with, that meet criteria set by Vodacom and are subsequently subjected to audits in the normal course of business. Vodacom can confirm that it suspended the services of a company whose Value Added Services’ (VAS) partner acted illegally. The company’s status as a WASP provider remains suspended.” (WASP is short for Wireless Application Service Provider, the technical term for services like LAD. Vodacom did not provide the name of the suspended company.) 

Asked about widespread illegal pinging, MTN said that prior to the Kinnear shooting, it had contracts with nine companies offering location-based services. MTN acted quickly upon police claims of illegal tracking, said spokesperson Jaqui O’Sullivan: 

“On receiving information from the SAPS that claimed abuse of the location-based services being offered by those companies contracted to MTN, all access to those contracted companies was immediately shut down. 

“The nine LBS operator contracts with MTN were intended to offer mostly security tracking or alert services, to their customers. MTN’s contracts with those companies strictly note that tracking may only be undertaken where signed permission has been received from that company’s customer. 

“All contracts had to be maintained and be available for inspection against the logs that are kept of every number that is tracked. MTN’s investigations revealed the contractual obligations were not followed in certain respects, which led to the immediate suspension of the service.”

The future

With much of SAPS and CI’s interception technology outdated, pinging was one of the few readily available tracking resources left to the police and private investigators dealing with crimes. Without it, the future looks uncertain.

We approached the Department of Justice and Constitutional Development to find out if there were any plans to amend the law so as to speed up application processes to get location data. (Rica is currently undergoing a rewrite following a recent Constitutional Court finding that the act had various shortcomings.) The department did not answer our questions. 

We asked Vodacom if there was a chance that SAPS and CI would be re-enrolled to use location-based services like LAD once more. The company responded:

“It would be incorrect to say that Vodacom has actively embarked on a process to re-enrol certain users. Authorities such as SAPS can only access location-based information if they provide Vodacom with a court order or a directive in terms of any law or regulation. This has not changed and remains in place.”

Vodacom does still allow certain private emergency and security services to do location-based tracking.

“Vodacom has and continues to provide limited access to location-based services to companies it has entered into contractual partnership agreements with that meet criteria set by Vodacom… the VAS service used by family members to track each other — done on an opt-in basis — remains in place.”

The company said there will not “have been repercussions for emergency medical and private security services that operate within the ambit of the law”.

We asked MTN if SAPS would ever be able to use services like LAD to extract MTN customers’ data. O’Sullivan replied:

“MTN does not intend to reopen the service. Law enforcement agencies make use of the standard section 205 process (and in terms of section 8 of the Rica Act) that is facilitated through MTN’s law enforcement agency liaison team. This MTN team is available 24/7 to support any such requests.

“Our relationships with the various law enforcement agencies are very good and any such requests are treated with the utmost urgency.” 

In the meantime, as crime skyrockets, anyone wanting to keep track of their loved ones had best download one of many tracking apps available to smartphone users today. That, and pray for SAPS to get its house in order.  

SAPS did not offer comment for this report. DM

3DT Group of Companies’ response was still pending at the time of publication.  

Vodacom’s full response is here:

 MTN’s full response is here:

 

Heidi Swart is a journalist who reports on surveillance and data privacy. This report was commissioned by the Media Policy and Democracy Project, an initiative of the University of Johannesburg’s Department of Journalism, Film and TV and Unisa’s Department of Communication Science.

Comments

  • Dennis Bailey says:

    SAPS has no house left to order after it has ransacked itself. SAPS is a dead duck from national management (mafia in uniforms) to local bobbies of the beat (non-existent). Those who can afford private security and community policing. Those who can’t buy cheap illegal guns from SAPS. Nobody with any sense trusts SAPS integrity, competence or motivation. And guess who we can thank for this sorry state – Viva, ANC, Viva.

  • Mark Holgate says:

    Well written article and a typically sad state of affairs. If scoring own goals was a thing, this ANC government would be world champions.

  • Jane Crankshaw says:

    Before laying the blame at technology’s door can we please face the reality – our Police force and Security Services have been severely compromised by BEE employment policies where inexperienced and dubious people have been employed without skills, training or the right psychological profiles for the job.

    • Truth Seeker says:

      Makes me wonder if some in Govt have procured the Pegasus software. I would hope that the Israeli company that developed this application has to disclose all countries / clients who have this capability.

  • Mayibuye Magwaza says:

    Not so sure you should be posting email addresses, as in the first document.
