SIM Card Registration & Verification – A Threat to Hyper-Surveillance

  • 27 Aug 2021
  • 4 Mins Read
  • 〜 by Francis Monyango

The deadline for all Mobile Network Operators (MNOs) to ensure all SIM cards are linked to a legal registration identity document is fast approaching- 09th September, 2021. This follows a directive issued by the Communications Authority of Kenya (CA) earlier in August, 2021 which also requires that the holder of the document has confirmed knowledge of the SIM Card.

This is in furtherance of the Kenya Information and Communications (Registration of SlM cards) Regulations of 2015 whose objective was to provide a process for the registration of existing and new subscribers of telecommunication services provided by telecommunication licensees in Kenya.

Kenya is playing catch up. 

A recent global study by the GSMA found that as of January 2020, 155 countries have mandatory SIM registration laws for a prepaid (Pay-As-You-Go) SIM. This is the case in 50 countries in Africa. 

The main justification offered by most governments has been to safeguard digital and physical security (with mobile phones remaining the easiest and deadliest way for terrorists to detonate explosives remotely). In addition to this, SIM card registration and verification has the additional benefits of increased access to e-Government services, easy identification of an individual’s mobile number and number portability when switching networks, combating cybercrime including terrorism by limiting covert communication and promotes good relations between consumers and service providers by simplifying identification of consumers and their use of SIM services-CIPESA.

However, there has been no evidence that SIM card registration provides additional safeguards. In fact, Mexico in 2013 repealed its policies on SIM card registration “after a policy assessment showed that it had not helped with the prevention, investigation and/or prosecution of associated crimes.” 

Further, and more importantly is the level of exposure that SIM card users would experience in view of existing legislative gaps in as far as data protection is concerned. According to a report published by GSMA, approximately 61% of countries mandating SIM card registration have a privacy and/or data protection framework in place. This is also true for 54 per cent of all African countries. In view of the existing gaps, SIM users’ information can be shared and matched with other private and public databases, enabling the state to create comprehensive profiles of individual citizens, and enabling companies and third parties to access a vast amount of data. As part of SIM registration, in some countries, biometric data collection has been incorporated with countries such as Uganda and Nigeria requiring fingerprint use for registration and authentication. 

COUNTRIES IN THE WORLD WITH MANDATED SIM REGISTRATION USING BIOMETRICS

COUNTRY IMPLEMENTATION METHOD PRIVACY FRAMEWORK
1 Nigeria Capture &Share Present
2 Tanzania Capture & Validate Considering
3 Uganda Capture & Validate Present
4 Zambia Capture & Validate Considering
5 Bahrain Capture & Validate Present
6 Bangladesh Capture & Validate None
7 China Capture & Validate Present* Coming into force Sept 2021
8 Pakistan Capture & Validate Considering
9 Saudi Arabia Capture & Validate None
10 Thailand Capture & Share Present
11 UAE Capture & Share Present
12 Peru Capture & Validate Present

Whereas Kenya has in place the Data Protection Act, (2019) and is in the process of finalizing the operationalizing mechanisms via the proposed regulations, of concern is how the data collected will be used and the security measures taken by the Government to protection this information. 

Fact is there is demonstrable risk of the data collected being used to track or target individuals and having their private/ personal data being misused especially where vulnerable groups are concerned or human rights defenders. SIM registration will also disallow/ take away individuals’ rights to communication anonymously. Collection and collation of the data to be processed will arm the Government with the capacity to profile persons, which could be dangerous especially in politically charged countries such as Kenya where ethnic tensions are known to flare during electioneering periods. This would potentially be achieved by pairing data with political activity or match the same to voting preferences. 

Further, in as far as how the data will be protected to prevent breach, more investment is needed to develop infrastructure to support the same including the Office of the Data Protection Commissioner (ODPC). Allocation to the ODPC in the FY 2021/2022 Budget was a paltry Kshs. 50 Million which was not even enough to staff and equip the office. Whereas the amount was recently reviewed, fact remains that the Office will be struggling for some time to set up and establish itself before it can even begin to think of infrastructural and systems’ development. 

While the intended purpose for SIM registration is reasonably sound (enhance national security), the nexus drawn between hyper- surveillance and the mounting evidence of the adverse impact that this would have cannot be ignored.

Additionally, there have been growing concerns arising from the recent onslaught of internet freedom owing to the fact that Governments in Africa especially have begun to result in internet shutdowns to exert political hegemony and control especially during electioneering. In fact, there are direct linkages that can be drawn between Government’s access and use of digital technologies to surveil, censor and suppress fundamental and basic freedoms of their populace such as access to information via censorship, filtering, blocking, throttling and/ or internet shutdowns. The curtailment and regression has been primarily characterised by the proliferation of retrogressive and repressive policies and laws that criminalise online communication and dissent, such as in Tanzania, Rwanda, and Malawi.

Whereas one would hope that Kenya’s democratic space has matured over the years and such would not happen, one can only be judged on the basis of their past deeds. 

The CA is currently reviewing the second round of comments and is yet to respond to stakeholders or publish them for implementation. Albeit, this addresses the issue of legislative gap(s), there are still other issues that need to be factored in in determining whether this is necessary; and if so how to address the concerns raised prior to the enforcement of the proposed regulations.