VODACOM
31 July 2006
Re: The Regulation of Interception and Provision of
Communications-related Information Act Amendment Bill [B9-2006] draft 06 IMB 27
Vodacom appreciates the opportunity afforded to us to submit comments on
the draft Bill presented to the Portfolio Committee on Justice and
Constitutional Development (“the Committee") on 23 June 2006. This
submission supplements previous submissions made jointly by the mobile
operators.
We have followed the deliberations closely and as a result have an improved
understanding of the concerns of the Committee with respect to the setting of
RICA requirements. Vodacom has therefore framed this submission in response to
the latest version of the Bill (06 IMB 27) which was circulated on 23 June
2006.
Vodacom has also responded to concerns that have been expressed by Committee
members in the course of the deliberations. We trust that this submission will
assist the Committee In its deliberations when Parliament resumes in August.
1. Definitions
"Family member"
We have considered the proposals with respect to the definition of ''family
member" and are of the view that the second option for (c) is the clearest
and most appropriate in the South African environment. It states:
"means a person who is not related to another person as contemplated in
paragraph (a), but who has a relationship of responsibility towards such other
person."
A "relationship of responsibility" caters for relationships In terms
of which a person is responsible for another person who may not be directly
related to them, either by law or biologically, but still has a financial or
social relationship with the person.
2. Data Capture Requirements
2.1 MSISDN
We appreciate that all of the Committee's options for the redrafting of section
40(2}(a) as set out in the latest version of the Bill, recognise that the
MSISDN is the crucial identifier allocated by a mobile telecommunication
service provider to a customer. The MSISDN enables a customer to make and
receive calls given, as indicated previously, that without an MSISDN a customer
cannot access the network.
We appreciate the fact that the above-mentioned principle has been accepted by
the Committee and the LEAs. In light of the fact that It is the MSISDN and not
the SIM card number that is now accepted as the key attribute, we have
considered the options presented in the draft Bill, and are of the view that
the MSISDN "of the person who requests the provision of a
telecommunications service" should be captured.
The option which refers to the "MSISDN associated with a SIM card"
would be difficult to Implement since a MSISDN may be associated with more than
one SIM (although only one SIM may be used at a time). A subscriber may have
dual SIM cards, using the same number and a SIM card may also be
"swapped" or replaced and yet the MSISDN would remain the same. On a
practical level, Option 1 (which refers to the MSISDN associated with a
Sim-card) would be cumbersome, as re-registration would be required each time a
subscriber lost or replaced a SIM card.
(a) The MSISDN of the person who requests that a SIM card be activated on
the telecommunications system of a telecommunication service provider
2.2 IMEI
Vodacom reiterates its view, as expressed in previous individual and joint
submissions, that operators currently capture the IMEI in their systems when
the MSISDN of an active SIM card is captured. and therefore have the
information available to assist the LEAs in terms of RICA. As stated in
previous submissions, any proposal requiring the capture of the IMEI prior to
the use of a phone, and to prevent access to the network by any cell phones
until such time that they are registered, is unworkable and incapable of
fulfilment in practice. Vodacom therefore proposes the amendment of section
40(2)(b) to reflect the capturing of IMEI numbers that are actually used on the
mobile operators' networks, as follows:.
(b) the International mobile equipment identity number (lMEI number) of the
cellular phone that is to be used.
2.3 Names
Natural Persons
Vodacom is of the ,view that the initials and surname of a person are
sufficient. when coupled with an ID number, to identify the subscriber.
Should this be acceptable to the LEAs and the Committee, the mobile operators
support the proposal to include drivers' licenses as a valid form of
identification given that it is a government issued document that is carried by
many South Africans. The acceptance of a drivers' licence will increase the
scope of documentation considered acceptable as proof of identification and
will thus facilitate speedy registration.
It must be noted that should the Committee choose to use full names or first
name, further initials and surname, drivers' licences would then not be an
acceptable means of identification. Drivers' licences reflect only initials and
not full names.
As a second option, should the Committee feel that the initials and surname do
not provide sufficient information to identify the subscriber, especially when
coupled with the identification number, the mobile operators propose that the
first name, further initials and surname be adopted.
2.4 Addresses
The mobile operators support the provision by customers of at least one
address. whether it is a business or residential address. We further
support the efforts by the Committee to provide clarity to the mobile operators
with respect to acceptable addresses by providing a non-exhaustive list of
documents that can reasonably be expected to allow for verification. In our
view, this is an improvement on the previous draft of section 40(3) which was
vague in that it required proof "to the satisfaction of' the mobile
operators. In line with our submission above that a process must be put in
place for the registration of juristic persons, we propose that acceptable
documents for the registration of companies should include company letterheads,
and registration papers. These are considered acceptable forms of
identification In terms of the existing legislation.
It is furthermore critical to Vovdacom that the requirement with respect to the
provision of address details Is verification and not submission. The submission
of proof of address introduces a "paper-based" element to the
electronic solution that the Committee, the LEAs and the mobile operators seek
to achieve. The retention of documentary proof is not in line with one of the
stated objectives of the Amendment Bill, which is to allow for the introduction
of an electronic subscriber registration solution.
In that regard, the mobile operators support Option 3 of the latest draft of
the Bill which reads:
(3) For the purposes of subsection 2(c), a telecommunication service
provider must -
(a) verify the [ full names/ initials and surname/ first name.
further Initials and surname] and identity number of a person by comparing
these particulars with an identification document of that person; and
(b) verify the address referred to In subsection 2(c) by comparing these
particulars with information that can reasonably be expected to achieve such
verification, which may Include-
3. Security of Information
Vodacom recognises the importance of the safe retention of the information
collected in terms of sections 40 and 62, but also the need to balance this
with the requirement for only certain identified staff members to access the
Information in the course of their duties. We have a clear understanding of the
persons within our businesses who would need to access the information
collected in terms of section 40 and believe that secure, internal business
processes can be designed to deal sufficiently with this Issue.
In terms of section 30(7)(a), read with section 30(2), of the Regulation of
Interception of Communications and Provision of Communication-related
Information Act, the Minister of Communications issued Directives setting out
the technical and other requirements for interception by telecommunications service
providers. It should be noted that the security requirements with respect to
the interception of communication related information are set out in clause 6
of the Directives.
The directives make provision for a specified category of persons to have access
to the facilities and devices used for interception, and state that specified
information shall not be made available to unauthorized persons. The Directives
further require that the mobile operators shall take reasonable steps to ensure
that the records relating to targets and target identities are secure and only
accessible to specific nominated staff.
Further to the above, Vodacom's licence require that customer information,
which would include RICA information, is kept confidential. Vodacom is not permitted,
in terms of its licence, to use any information regarding their past, current
or potential customers for purposes other than those for which the information
was obtained, unless the customer gives prior written consent to such other
use. Vodcaom will accordingly develop systems and criteria which maintain the
security of the Information, in line with the stipulations of Ministerial
Directives already issued in this regard.
Vodacom therefore believes that there is no need to amend section 40 of the
RICA Amendment Bill to address additional security measures. We believe this is
sufficiently dealt with In RICA. the Mobile Directives and our mobile cellular
telecommunications service licenses.
4. Transfer of SIM Cards to Non-Family Members
Vodacom restate its view that section 40 should only address the transfer of
SIM cards. The transfer of cellular phones should not be dealt with in
section 40 given that it is dealt with In section 41, and that the use of a
cellular phone can be established with reference to the Fraud Management
Databases of the mobile operators which can match an MSISDN with an IMEI
(cellular phone).
Vodacom supports the text contained in the proposed section 40(5) save for the
removal of the reference to cell phone. A customer should notify the mobile
operator if s/he sells or In any other manner disposes of a 81M card to a
person other than a family member.
Vodacom, however. believe that the manner in which an operator deals with
the notification should not be legislated. but should be a business process of
the specific operator. In some instances de-activation may be used, in
others a dual notification could be required. As such. Vodacom proposes the
amendment of section 40(6) as follows:
(6) A telecommunications service provider must, on receipt of notice
contemplated in subsection (5), record the details of the transferee and remove
the details of the transferor accordingly for the purposes of subsections (2)
and (3).
Section 40(7) deals with the information that mobile operators must provide to
the LEAs. The mobile operators believe that the proposed changes are beneficial
in that they remove the conflict that would otherwise have existed between the
previous paper-based registration process and the improved electronic process.
The proposed amendment makes it clear that a certified copy of the ID will no
longer be provided by the mobile operators to the LEAs. We therefore support
any of the options presented, and feel that the second option that has been put
forward is well drafted and best reflects the position.
4. Identification & Reporting of False & Suspicious Documents
The latest draft of the Bill introduces a new requirement for 'agents' to
report the suspicion or knowledge of false documentation to the police. Section
51 (3), has further been amended to make the failure to report such suspicion
an offence punishable by a fine or imprisonment of up to 3 months. The
introduction of these two provisions in the latest version of the Bill is of
extreme concern to the mobile operators.
The problem of false Identification documents in South Africa is well known.
Although Vodacom will train its agents with respect to the forms of
identification, Vodacom and more particularly, its agents, cannot be held
responsible for authenticating identification documents, and will only
be able to report false documentation if there is obvious irregularity or
absurdity. It should be noted that even the banks, in the case of FICA, are not
held responsible for determining the authenticity of identity documents.
Furthermore, the agents that we employ cannot be held individually responsible
for authentication. Doing so may negate the intent of reporting suspected
criminal activity; it may further put the agents in an invidious position and
may expose them to physical harm. Finally, it may also imperil their ability to
fulfil their statutory obligations in terms of RICA. To this end we propose
that a process be put in place once a government system is in place such as the
HANIS database, to verify the authenticity of information.
The increase in liability for appointed agents will have a significant Impact
on the model that the mobile operators have selected to rollout RICA
registration. Our electronic registration model relies on the contractual appointment
of 'registration agents.' Should the agents be responsible for determining the
authenticity of identification documents, and should they, as individuals be
liable to fines or imprisonment, this will negatively impact on the mobile
operators' ability to recruit suitable persons to perform the task. Vodacom
committed to training its registration agents to perform 'face-to-face'
validation, and In doing so to confirm that:
·
They are aware of the features of genuine South African identification
documents;
·
They attend to ensuring that the person presenting the ID bears a
resemblance to the person in the ID photo; and
·
That the gender of the person presenting the ID is the same as that
reflected in the ID.
Vodacom therefore respectfully propose the deletion of the proposed
section 40(8) and subsection 3C.
Finally. Vodacom wishes the Committee to note that this submission
relates only to the options presented to the Committee by the Department of
Justice. It does not relate to the perlod of twelve 12 months that is
required for the registration of a subscriber. With regard to the registration
period, Vodacom refers the Committee to our previous submission. Vodacom will
be making an additional submission on the registration period as required by the
Committee.
Conclusion
We trust that this supplementary submission will be of assistance to the
Committee and will contribute towards the speedy finalisation of the RICA
Amendment Bill.
We would like to thank the Committee for affording us an opportunity to provide
further written comments and we are available for further discussion with the
Committee, Department of Justice and Constitutional Development and LEAs' on
any concerns relating to the finalisation and implementation of RICA.
Yours sincerely,
Shameel Jeosub: Managing Director:Vodacom (Pty) Limited