Friday, February 7, 2025

Strengthening RICA: A necessary overhaul for privacy and security

President Cyril Ramaphosa, unhappy with the legislative fixes that parliament had put in place, has sent the Regulation of Interception of Communications and Provision of Communication-Related Information (RICA) Bill back to parliament to fix certain aspects of the surveillance provisions in the law that breach people’s right to privacy. Parliament should use this impetus to enact further improvements to the increasingly deficient RICA.

In 2021, the Constitutional Court ordered parliament to make changes to the law so that it balances the right of authorities to intercept suspected criminal communication with the right to privacy. The Constitutional Court confirmed an earlier declaration by the high court that RICA is unconstitutional, to the extent that it fails to provide adequate safeguards to protect the rights as envisaged in the Bill of Rights, such as the right to privacy, as buttressed by the rights of access to courts, freedom of expression and the media, and legal privilege.

For example, in most cases subjects of surveillance must learn that they were under surveillance when the operation is complete.

The sixth parliament proposed amendments to protect citizens, but the president is concerned they are not robust enough to pass constitutional muster and has asked the seventh parliament to further remedy these deficiencies.

But RICA, a complex piece of legislation which covers criminal law, SIM card regulation, communications law and privacy rights, requires an entire overhaul above and beyond just the surveillance aspects, in order to bring it up to date.

The Department of Justice received multiple submissions on updating the bill in 2023.

SIM card registration is currently governed by RICA, and the act requires consumers to register their SIM cards, used in mobile phones and for financial transactions, by linking them to their name and identity number.

But in reality, many SIM cards are sold pre-RICA’ed by the distributors, who use a loophole in the current law to bypass the legal requirements with ease. This makes it possible to transfer money with a phone, and to communicate, anonymously.

A key challenge in this context is Section 40 of RICA, which allows registered SIM holders, who are designated customers, to transfer their SIM cards to other people. While this provision lets, for instance, a spouse or parent register a SIM card on behalf of their partner or child, it also enables large SIM distributors—technically telecom customers themselves—to buy SIM cards in bulk, register them, and resell them to end-users, thus devaluing the RICA provisions.

Often, third-party distributors use their designation as customers to register SIM cards in bulk, but misregister them with generic company names or incorrect ID numbers.

Legally, the responsibility to update the information lies with the consumer, yet this step is often overlooked by end-users, resulting in tens of millions of SIM cards being incorrectly registered. This leaves telecoms firms, government agencies and departments struggling to identify who actually holds each SIM card.

Estimates suggest that of the 100 million prepaid SIM cards distributed annually, the majority are incorrectly registered, complicating efforts to trace individuals responsible for specific financial transactions or suspect communications.

Several potential reforms could strengthen SIM security. One approach is to introduce tamper-proof packaging, which would make it harder for third-party distributors to pre-register SIM cards under false IDs or generic corporate names. This packaging could protect each SIM card’s unique identifying numbers, helping prevent bulk registrations and possible cloning of cards.

Another possible reform would hold distributors and telecom providers more accountable for ensuring consumer information accuracy, rather than placing the burden solely on end-users.

Finally, linking SIM card registrations to Home Affairs’ ID verification system could greatly improve security. While bank cards are connected to verified ID numbers, many SIM cards are currently registered to number strings that mimic the 13-digit length of ID numbers but are made up of random numbers and aren’t verified as authentic. Integrating Home Affairs’ database could help ensure that SIM cards are registered to legitimate, verified users, significantly reducing the risk of misuse.

The validation process could be performed over time, with a grace period allowed for customer details to be synced with a Home Affairs database.

As mobile phones and SIMs are increasingly used in financial services to apply for loans, buy airtime, purchase insurance, and transfer money to bank accounts or across borders, there needs to be better security around SIM cards.

Just as banks adhere to strict know-your-customer (KYC) legislation, mobile firms should implement stricter regulations to ensure proper identification of SIM card users who access financial services.

Written by Farhad Khan, Telecommunications Consultant.
