Does your mobile network respect your privacy?

With all the concern about how much of your personal information providers like Google and Facebook collect and what they do with it, its easy to lose sight of a potentially bigger threat to privacy much closer to home. While there are roughly 5.2 million unique Internet users in South Africa, there are in excess of 50 million mobile phone connections in South Africa (figures sourced from World Wide Worx). Given the number of South Africans using mobile phones, it is important to ask how much of our personal information the networks have collected and what they are doing with that personal information.

My brother has been involved in a dispute with MTN about some anomalous data charges for some time now and an MTN representative recently sent him a spreadsheet detailing every Web address he visited with his mobile phone over the period of a month. He has an iPhone. The spreadsheet has over 19 000 entries and includes Google mail accounts, Facebook links and many more. Many of these Google mail links are links to specific mail items although you would still need to be logged into his account to view the mail items. I had two thoughts when he told me about this list and when I actually took a look at it for the purposes of this post. The first thought is that there was a fair amount of controversy over Google’s Web history feature in Google Search a while back. If all the mobile networks are collecting this data, it is arguably as bad, or more of a threat to personal privacy than Google’s Web history. Consider the sites you visit on your mobile phone and ask yourself whether you want that information collected? A related question is what else MTN knows about you? If it is collecting a detailed browsing history, is MTN also caching the pages you visit?

The second thought I had was more of a question really. Does MTN’s privacy policy cater for this degree of personal information collection? In other words, does MTN have permission to collect this personal information?

MTN’s privacy policy published to its website includes the following introduction:

1. Introduction

1.1. This website, which is accessible at http://www.mtn.co.za, is made available by Mobile Telephone Networks (Pty) Limited (“MTN”).

1.2. MTN respects the privacy of your personal information. We have prepared this privacy policy to let you know how we will treat any personal information that may be provided to us. We will take all reasonable measures to protect your personal information and keep it confidential.

On the subject of personal information it says the following:

2. What is personal information?

In order to provide you with the services offered on this website, you may be required to provide MTN with personal information. Personal information is information which identifies you as an individual, including but not limited to, your race, age, contact details, any identifying number assigned to you and any information relating to transactions in which you have been involved.

3. What we collect

3.1. On some web pages of this website, you may be requested to provide certain personal information. The types of personal information collected at these pages may include your name, handset details, contact and billing information, and transaction information.

3.2. In order to tailor our subsequent communications to you and continuously improve our products and services, we may also ask you to provide us with information regarding your personal or professional interests, demographics, experience with our products and this website, and more detailed contact preferences.

So far the categories of personal information MTN collects is more or less what you would expect as a mobile phone user. It is the personal information you give your service provider when you sign up for a contract or buy a pre-paid SIM card. Bear in mind that despite the emphasis on personal information collected through the site, this privacy policy is also intended to govern personal information to enable MTN to “provide you with the services offered on this website”. This seems to include your mobile phone service itself.

The only real mention of tracking your browsing habits is in the section dealing with cookies in your Web browser:

MTN uses cookies. When you visit a MTN website, we place a text file called a “cookie” in the browser directory of your computer’s hard drive. A cookie is a small piece of information that a website can store on your web browser and later retrieve. The cookie cannot be read by any website other than the one that set up the cookie. Cookies enable this website to recognise the information you have consented to give to this website, such as the Lightboxes you have created, and help us determine what portions of this website are most appropriate for your professional needs. As a result, cookies will allow you to retrieve previous image search results, access Lightboxes with ease, and view your previous invoices. We do NOT use cookies to examine your surfing behaviour before or after leaving a MTN website. Cookies do not damage your system and do not collect your personal information. (emphasis added)

What is interesting about this section is that MTN says it specifically does not track your browsing habits. Granted this is in the context of cookies placed in your browser and the browsing history my brother shared with me appears to have more to do with the access point his iPhone is configured to use. At the same time it suggests MTN does not track the sites you visit and yet this is exactly what is going on behind the scenes.

The only real comfort in the privacy policy is MTN’s limited assurance that it doesn’t share or otherwise disclose your personal information (although the assurance seems to be confined to personal information disclosed when registering on the MTN website):

If you register on this website, we will not make your personal information available to anyone unless permitted or required to do so by law. We will therefore not sell, rent or provide your personal information to unauthorised entities or third parties for their independent use without your consent. We may, however, share your personal information with our affiliates within the MTN Group of companies.

Vodacom’s privacy policy is a little more upfront about the fact that it tracks sites you visit although it anonymizes this information in contrast to MTN which retains not just the mobile number the browsing history is associated with but the date and time those addresses were visited. It is worth taking a look at Cell C’s and Virgin Mobile’s policies too if you use their services.

So why all the fuss? Well, despite not having binding privacy legislation in South Africa, there is a body of privacy law at a common law level, reinforced by the right to privacy in the Bill of Rights, which protects your privacy and personal information. Personal information should not be taken lightly. It goes to our identity in an increasingly connected and digital world and is connected to our right to dignity which is one of the primary rights in the Bill of Rights (to the extent there is a hierarchy). I wrote about the right to privacy a while ago in some detail but the following section is just as relevant here:

The right to privacy is a general right to privacy first. The individual rights are subsets of the more general right itself. There is a two step test used to determine whether conduct constitutes a violation of the right to privacy in the Bill of Rights:

  • Has a law or a party’s conduct infringed the right, taking into account the right’s scope; and
  • If there is an infringment, is it justified under the Limitations clause in the Bill of Rights?

The Limitations clause is article 36:

36 Limitation of rights

(1) The rights in the Bill of Rights may be limited only in terms of law of general application to the extent that the limitation is reasonable and justifiable in an open and democratic society based on human dignity, equality and freedom, taking into account all relevant factors, including-

(a) the nature of the right;

(b) the importance of the purpose of the limitation;

(c) the nature and extent of the limitation;

(d) the relation between the limitation and its purpose; and

(e) less restrictive means to achieve the purpose.

(2) Except as provided in subsection (1) or in any other provision of the Constitution, no law may limit any right entrenched in the Bill of Rights.

So what does this all mean so far? It means there is a general right to privacy which can be limited by a law that applies generally.

The general right to privacy should protect another important interest called “informational self-determination“. This interest includes the ability to control what information is collected, how and and when it is used. It also includes the ability to access information which is held by another party and be able to determine what personal information has been collected and correct it if it is inaccurate (the Promotion of Access to Information Act was passed to protect and give effect to this aspect of informational self-determination).

So what does all this mean? It means that not only would your consent be required to enable someone to collect your personal information where it isn’t otherwise permissible but you have a say over what that information can be used for, not to mention the ability to find out what personal information authorised parties have collected and correct it if need be.

Perhaps the primary issue here is that MTN is arguably not informing its users exactly what personal information it is collecting about them. Its own privacy policy is either incomplete or it is misleading and this undermines what should be informed consent to collect and process personal information. Going further, users have no real idea what becomes of this personal information and whether it is disseminated to anyone.

To add salt to the wound, so to speak, what about the integrity of this personal information database? Is it accurate? Is it secure? Who has access to that information? Is your personal information leaking (or being leaked) to other providers? Have you found yourself receiving an unusual amount of spam on your mobile phone? Where are those spammers getting your details?

World Wide Worx recently reported the following trend:

The number of people banking from their cellphones has exceeded that of people banking from their PCs in South Africa, with more than a quarter of bank customers turning to their cellphones for services ranging from informational transaction types such as balance enquiries to financial transaction types which include account payments.

This is frightening news if your personal information associated with your mobile banking use is being collected by your network (and other providers) without your knowledge, let alone consent. Besides the increased risk of identity theft, this sort of information could enable some pretty detailed profiling and perhaps even breaches of security when it comes to banking services, email services and other sensitive services you access with your mobile phone.

Bottom line: We just don’t know what is going on every time we open our phone’s mobile browser. It could be bad, very bad.


Image credit: privacy by Alan Cleaver published under a Creative Commons Attribution 2.0 license

Comments are closed.

Powered by WordPress.com.

Up ↑

%d bloggers like this: