Your information is safe with us: mobile services operators
BEGINNING next week on 24 June 2022, everyone who subscribes to the country’s two mobile communications services will be required to register their SIM cards. This in line with the requirements of the Communications (Subscriber Identity Module Registration) Regulations gazette by Communications, Science and Technology Minister, Sam Rapapa, on 24 December 2021.
This week, the Lesotho Times (LT) Editor, Herbert Moyo, and Reporter, Tokelo Khausela, sat down with Vodacom Lesotho’s Head of Legal, Regulatory and External Affairs, Tšepo Ntaopane, and Econet Telecom Lesotho’s General Manager for Legal and Regulatory Affairs, Karabo Tlhoeli, to explain what the registration process entails. In the wide-ranging below, the two also assured subscribers that their personal information was safe and would not be shared with anyone except as prescribed by the laws of the land.
LT: What does the process of SIM Card registration entail? What details or documents do you expect from subscribers who intend to register?
Ntaopane: I suppose we are all aware that on 24 December 2021, the government of Lesotho promulgated regulations requiring everyone to register their SIM cards. We are on the verge of beginning the registration process on 24 June 2022. The law applies to us as mobile services providers and our subscribers. Each and every user of our services is obliged to have their SIM registered.
One needs to come with their identity document (ID) so that we can confirm that they are actually the owner of the SIM card being registered. It has to be understood that the regulations do not limit the number of SIM cards that each individual can own and register. So you can register a million SIM cards if you want. Foreign nationals can produce their passports for registration purposes.
Tlhoeli: Let me add that it (registration) is meant to enable us to link a SIM card to the owner. There is nothing new about this as people are already doing this when they open bank accounts. One is required to produce an ID to open a bank account and that bank account is linked to your name and your identity.
It is also just like having your vehicle registered. Your vehicle is linked to your name. So there’s nothing new about this.
LT: One would think that people who hold mobile money accounts with you have already submitted their information to be able to open such accounts. Is there any need for them to register again?
Thloeli: Yes, there is still a need for them to register. We need to understand that these regulations apply to us as mobile network operators not as money services providers. Mobile network providers and money services providers are actually separate entities.
Mobile network providers are regulated by the Lesotho Communications Authority (LCA) while money services providers are regulated by the Central Bank of Lesotho (CBL). Both M-pesa and Ecocash are owned by Vodacom and Econet respectively but in law they are separate entities. These regulations that we are talking about apply to mobile operators and subscribers not the money services providers.
LT: Where and how will all the subscribers’ information be stored? Before the regulations were amended, there was a provision for the creation of a central database by the LCA. Is that still the case?
Thloeli: Not at all. In terms of the published regulations, there’s no longer any need for the central database to be kept by the regulator.
We already have information in our data bases for prepaid, and post-paid subscribers. These data bases are safe and secure. There is no need to duplicate by creating another central database at the LCA since we already have our own secure databases to store subscribers’ information.
LT: We are aware that the security agencies can request subscribers’ information as part of their investigations of crimes. Many fear that the regulations are just a ruse to enable the government to conduct a digital surveillance, in other words to be able to spy on citizens. What sort of information can you give to them?
Ntaopane: We were quizzed about this same issue a few days ago. However, it is important for our subscribers and the nation to understand that both Vodacom and Econet treat subscribers’ privacy issues seriously. We cannot, for the life of us, operate without protecting our customers. In fact, the very reason why we were granted the operating licences is that we have demonstrated our ability to protect subscribers’ information. We continue to respect customers’ information and we would only release it for purposes that are authorised by the law. We only use such information for the purposes that the information was entrusted to us in the first place. Lesotho’s data protection laws are very clear in terms of who can access data and personal information of subscribers and how that information and data can be accessed. The law enforcement agencies are also aware of the circumstances under which they can obtain subscribers’ information. They also know what they have to do in order for them to access that information. We don’t just give them such information.
Tlhoeli: Whenever I answer this question, I always say we only give out information that is sought by the security agencies as contained in a court order. We don’t grant anything except to comply with what will be stated in a court order. We don’t care who you and we won’t grant any information except for situations as stated in court orders or any other legislation.
LT: The regulations clearly state that the security agencies can only be granted access to subscribers’ information only after they have obtained court orders to that effect. However, we have heard that the director general of the Directorate on Corruption and Economic Offences (DCEO) is an exception to this requirement. He doesn’t need a court order. He can be granted access to subscribers’ information simply by requesting it. Is this true that he can request information without first obtaining a court order? And if so, has it been a problem for you?
Thloeli: Yes, there is such an exception for the DCEO in terms of Prevention of Economic Offences Act of 1999. They empower the director general of the DCEO to request information from anyone who holds such information in the public sector, various institutions and private entities. As long as the information relates to investigations that his office is conducting, then we are duty bound to release the information. The wording of the law is such that instead of first approaching the courts for an order like everyone else, the director general of the DCEO is empowered to simply write a letter to any institution explaining why he needs such information. This is in the state books and it carries the same weight as a court order.
Ntaopane: There is a good reason why that specific institution (DCEO Director General) is allowed to simply request information in writing. Its mandate is to investigate corruption. There’s no need to beat around the bush when you’re fighting corruption. What we should be concerned about is ensuring that nobody, except those who are allowed by law, should have access to subscribers’ information. And that information must be released only when there’s an investigation. We don’t give it out any other way. Even the Director General cannot ask for that information if there’s no investigation.
So, there has to be an investigation in order to trigger that process. So, to our customers, we can tell you that your data and personal information is safe. I must also inform our subscribers that we don’t record their mobile phone conversations and messages. We don’t keep any recordings and transcripts of their conversations. I know now that as we are heading towards elections many people are scared but I want to assure everyone that we don’t record your conversations. We do not keep transcripts of conversations.
The only information that we have is subscriber name of the person who is registered as the owner of a particular SIM card.
LT: Can you assure Basotho that their information will not be sold to private companies and other entities who use it to bombard them with targeted advertising?
Ntaopane: It is true that there are third parties who make money out of people’s data. They may come to us saying they offer certain services and ask us to give them certain data about our subscribers but we never give them. Ours is to keep customer information safe and not to share it with third parties unless the owner of that information has consented to the sharing of that information. Third parties may find their own means of harvesting the information but as operators, we don’t share any information. We only use the information for the purposes which it is intended for, which is to enable us to give you the services that we offer.
Thloeli: Indeed the subscribers are the only ones who can authorise the sharing of their information with third parties. We are not allowed to share subscribers’ information with third parties without the subscribers’ consent. The regulations are also clear about the need for the protection of the privacy or confidentiality of subscribers. They are clear that we should maintain confidentiality at all material times, starting with the registration process. Even the people who are carrying out the exercise of registering subscribers are sworn to confidentiality. They sign a statement of confidentiality. So Basotho should be assured that their data is safe.
Yes, we receive requests for subscribers’ information from people talking about the targeted advertising of products but we always turn them down. If we don’t do that, we would be breaking our licence terms concerning what we should do and what we shouldn’t do. Even government institutions have approached us for such information. One government department asked for certain information saying it will assist in the fight against Covid-19. We told them that while we understood that the fight against the pandemic was an important national undertaking, we still had obligations not to release any information without the express consent of the subscriber.