My brother has been involved in a dispute with MTN about some anomalous data charges for some time now and an MTN representative recently sent him a spreadsheet detailing every Web address he visited with his mobile phone over the period of a month. He has an iPhone. The spreadsheet has over 19 000 entries and includes Google mail accounts, Facebook links and many more. Many of these Google mail links are links to specific mail items although you would still need to be logged into his account to view the mail items. I had two thoughts when he told me about this list and when I actually took a look at it for the purposes of this post. The first thought is that there was a fair amount of controversy over Google’s Web history feature in Google Search a while back. If all the mobile networks are collecting this data, it is arguably as bad, or more of a threat to personal privacy than Google’s Web history. Consider the sites you visit on your mobile phone and ask yourself whether you want that information collected? A related question is what else MTN knows about you? If it is collecting a detailed browsing history, is MTN also caching the pages you visit?
1.1. This website, which is accessible at http://www.mtn.co.za, is made available by Mobile Telephone Networks (Pty) Limited (“MTN”).
On the subject of personal information it says the following:
2. What is personal information?
In order to provide you with the services offered on this website, you may be required to provide MTN with personal information. Personal information is information which identifies you as an individual, including but not limited to, your race, age, contact details, any identifying number assigned to you and any information relating to transactions in which you have been involved.
3. What we collect
3.1. On some web pages of this website, you may be requested to provide certain personal information. The types of personal information collected at these pages may include your name, handset details, contact and billing information, and transaction information.
3.2. In order to tailor our subsequent communications to you and continuously improve our products and services, we may also ask you to provide us with information regarding your personal or professional interests, demographics, experience with our products and this website, and more detailed contact preferences.
The only real mention of tracking your browsing habits is in the section dealing with cookies in your Web browser:
What is interesting about this section is that MTN says it specifically does not track your browsing habits. Granted this is in the context of cookies placed in your browser and the browsing history my brother shared with me appears to have more to do with the access point his iPhone is configured to use. At the same time it suggests MTN does not track the sites you visit and yet this is exactly what is going on behind the scenes.
If you register on this website, we will not make your personal information available to anyone unless permitted or required to do so by law. We will therefore not sell, rent or provide your personal information to unauthorised entities or third parties for their independent use without your consent. We may, however, share your personal information with our affiliates within the MTN Group of companies.
So why all the fuss? Well, despite not having binding privacy legislation in South Africa, there is a body of privacy law at a common law level, reinforced by the right to privacy in the Bill of Rights, which protects your privacy and personal information. Personal information should not be taken lightly. It goes to our identity in an increasingly connected and digital world and is connected to our right to dignity which is one of the primary rights in the Bill of Rights (to the extent there is a hierarchy). I wrote about the right to privacy a while ago in some detail but the following section is just as relevant here:
The right to privacy is a general right to privacy first. The individual rights are subsets of the more general right itself. There is a two step test used to determine whether conduct constitutes a violation of the right to privacy in the Bill of Rights:
- Has a law or a party’s conduct infringed the right, taking into account the right’s scope; and
- If there is an infringment, is it justified under the Limitations clause in the Bill of Rights?
The Limitations clause is article 36:
36 Limitation of rights
(1) The rights in the Bill of Rights may be limited only in terms of law of general application to the extent that the limitation is reasonable and justifiable in an open and democratic society based on human dignity, equality and freedom, taking into account all relevant factors, including-
(a) the nature of the right;
(b) the importance of the purpose of the limitation;
(c) the nature and extent of the limitation;
(d) the relation between the limitation and its purpose; and
(e) less restrictive means to achieve the purpose.
(2) Except as provided in subsection (1) or in any other provision of the Constitution, no law may limit any right entrenched in the Bill of Rights.
So what does this all mean so far? It means there is a general right to privacy which can be limited by a law that applies generally.
The general right to privacy should protect another important interest called “informational self-determination“. This interest includes the ability to control what information is collected, how and and when it is used. It also includes the ability to access information which is held by another party and be able to determine what personal information has been collected and correct it if it is inaccurate (the Promotion of Access to Information Act was passed to protect and give effect to this aspect of informational self-determination).
So what does all this mean? It means that not only would your consent be required to enable someone to collect your personal information where it isn’t otherwise permissible but you have a say over what that information can be used for, not to mention the ability to find out what personal information authorised parties have collected and correct it if need be.
To add salt to the wound, so to speak, what about the integrity of this personal information database? Is it accurate? Is it secure? Who has access to that information? Is your personal information leaking (or being leaked) to other providers? Have you found yourself receiving an unusual amount of spam on your mobile phone? Where are those spammers getting your details?
World Wide Worx recently reported the following trend:
The number of people banking from their cellphones has exceeded that of people banking from their PCs in South Africa, with more than a quarter of bank customers turning to their cellphones for services ranging from informational transaction types such as balance enquiries to financial transaction types which include account payments.
This is frightening news if your personal information associated with your mobile banking use is being collected by your network (and other providers) without your knowledge, let alone consent. Besides the increased risk of identity theft, this sort of information could enable some pretty detailed profiling and perhaps even breaches of security when it comes to banking services, email services and other sensitive services you access with your mobile phone.
Bottom line: We just don’t know what is going on every time we open our phone’s mobile browser. It could be bad, very bad.