Vodacom called out
Cellphone giant Vodacom has allegedly been secretly providing the numbers of local and international subscribers to third parties, including businesses and marketing companies.
Vodacom confirmed yesterday that some of the personal details of its 32.5 million South African customers and 27 million international subscribers was being supplied to other businesses.
The company has launched an "urgent" internal investigation into the matter, but declined to elaborate.
Spokesman Richard Boorman confirmed that it used "header enrichment" for select third-party services, but said it was not its "default operation".
Header enrichment is when additional information such as personal data is transferred to a website when a user browses the site via a cellphone.
"We use it for a select number of Vodacom and trusted third-party services, such as charge-to-bill," Boorman said.
"We reassure our customers that their information is not being routinely shared with all websites.
"We will provide an update once our investigation is complete."
Boorman declined to answer questions on whether the company was being paid for supplying customers' details to third parties; why the details were provided to third parties; whether permission was obtained from customers to provide their details; or to name the third parties the information was supplied to.
"We became aware of the issue late yesterday. I will be in a better position to comment once the investigation has been completed," he said, adding that he didn't know when that would be.
MyBroadband website yesterday reported that Vodacom had been providing information that uniquely identifies a person as a subscriber to every website visited while on the Vodacom network.
According to MyBroadband, among the data Vodacom subscribers are inadvertently providing to web servers is their phone number and a unique identifier for their device called the International Mobile Station Equipment Identity, or IMEI.
IMEI is used by a network to identify valid devices and can be used to blacklist and stop a stolen phone from accessing a network, rendering the phone useless.
MyBroadband said Vodacom was injecting an additional hypertext transfer protocol (HTTP) header into the messages that subscribers send to servers when requesting items such as web pages.
HTTP is the foundation of data communication for the web.
There are strict regulations governing the dissemination of people's personal details to third parties and the country is waiting for the Protection of Personal Information Bill to come into effect.
The law will regulate the processing of personal information including e-mail and other addresses, telephone numbers and demographic information such as age, sex, race, birth date and ethnicity.
The cellphone giant could possibly be in breach of the code of conduct of the Wireless Application Service Providers' Association, of which it is a member.
Duncan McLeod, editor of TechCentral, an online technology news site, said: "It is strange. Vodacom shouldn't be communicating this type of information in this way.
"It could be a programming mistake but it doesn't sound right."
McLeod said it appeared that when Vodacom customers visited websites information about them, including their cellphone number, was shared with these websites.
"When you type in a web address, your browser sends the request to the server. It appears that embedded in this request is the additional information."
Consumer protection lawyer Janusz Luterek said, though this was a serious issue, the Protection of Personal Information law was not yet in effect.
Though President Jacob Zuma had signed it in November last year, a regulator had yet to be appointed, "which means the rest of the law cannot be enforced".
Luterek said the bill stipulated how personal data must be dealt with and that consumers must be kept informed.
"You cannot repurpose data - for example, a company has my data for a contract but . gives it to third parties for marketing.
"In the case of accounts data, there is an even higher duty to preserve the secrecy of that data, with severe liabilities for failing to do so.
"The bad news is [the law] is not enforceable yet. If it was it would be very bad news for Vodacom."