From anonymity to accountability: does mandatory SIM card registration actually work?
At the end of this month, Namibia will introduce mandatory SIM card registration, joining hundreds of other countries in tying users’ SIM cards with their personal data. What’s the reasoning behind this rule, and should customers keep their (SIM) cards close to their chests instead?
If you’re reading this article in the UK or United States, you might not realise it, but for the overwhelming majority of the world, buying a new SIM card entails the need to register it under your real name.
How much of the world? As of March, 157 countries will have mandated that customers register their true identities upon purchasing a new SIM card:
Why do most governments insist on SIM card registration? Some see it as a tool in the fight against organised crime and terrorism, or for addressing fraud and handset theft. It’s believed that tying personal information to a SIM card will cut down on instances of all the above, or at least aid in their investigation and prosecution when required.
Namibia is the latest country to implement mandatory SIM registration. The Communications Regulatory Authority of Namibia launched the registration scheme in June 2022, but as of December last year, only 62.5% of Namibia’s almost 2.4 million active SIM cards were registered. The slow uptake has been attributed to “resistance from local authorities” and “power outages in remote areas.”
Set to end at the start of 2024, the registration period was recently extended until 31st March, after which all unregistered SIM cards in the country will be disabled. Furthermore, new SIMs will be deactivated by default and only activated through registration.
If cutting hundreds of thousands of customers off sounds like an absurd bluff, consider that Nigeria did just that after it introduced mandatory SIM card registration, when 73 million customers found themselves unable to make calls after the registration deadline in April 2022.
Namibian citizens must supply their name, date of birth and address, along with a passport or other government-issued identification to authenticate themselves. As per the Communications Act 2009, operators must collect only basic customer information; despite this, MTC Namibia, the state-owned telco, has been collecting fingerprints and face photos from its customers too.
Currently, only 17 countries officially require biometric data when registering a SIM card, these include China, Saudi Arabia, the United Arab Emirates and Venezuela.
It’s argued that mandatory SIM card registration will give Namibian citizens access to vital digital services, such as mobile money platforms, while preventing fraud and identity theft including SIM swap scams.
MICT executive director Mbeuta Ua-Ndjarakana put it more bluntly: “SIM card registration… aids in legal surveillance and interception. It also assists in finding criminals who utilise telecommunications to commit offences.”
Critics have derided the lack of transparency in the acquisition and storage of biometric data, arguing that, without any meaningful checks and balances being in place, it will “undermine the constitutional right to privacy.” Moreover, for marginalised groups in society who struggle to obtain proof of ID, SIM card registration can see many citizens struggling to access digital services in countries with high levels of disenfranchisement.
The Philippines ratified its own SIM Card Registration Act in October 2022. The bill was previously vetoed, as it would’ve required citizens to also use their real name and phone number when creating social media accounts, but this rule was subsequently removed from the new bill. Activists argued that SIM registration would “put the security, privacy, and welfare of citizens at risk.”
However, there is little to no evidence that mandatory SIM card registration lowers or prevents crime of any kind, and in fact, has opened up new avenues for cyber criminals and fraudsters instead. In April 2023, two people in the Philippines were arrested for selling SIM cards registered under fake identities, with 100 improperly registered SIM cards confiscated. This has also been the case in Pakistan; rather than clamping down on criminal activities, mandatory SIM registration has opened up a new black market, with criminals obtaining SIM cards with forged fingerprints.
Meanwhile, Indonesia’s biometric database was hacked in 2022, with 1.3 billion SIM card details listed for sale on the dark web. On their now-suspended Twitter account, the perpetrator said: “I just wanted to point out how easy it is for me to get into various doors due to a terrible data protection policy.”
When it isn’t criminals abusing the system though, it’s often the authorities; in Lesotho, allegations of a “pervasive illegal culture of phone tapping and hacking targeting lawyers” has followed mandatory SIM registration.
None of this came as a surprise in Mexico, which repealed SIM card registration rules three years after implementing them in an effort to cut down on crime. During this period, the rate of extortions [in Spanish] in fact increased by 40%.
Mexico is the only country so far to repeal SIM registration laws after it was found that they did not guarantee the legitimacy of registered data, or that crime was actually prevented. Criminals were reported to be using up to 18 SIM cards [in Spanish] as part of extortion schemes.
The GSMA agrees, finding in 2016 that “there has been no empirical evidence that mandatory SIM registration directly leads to a reduction in crime.” It has also been branded as “costly, intrusive and not the solution to the problem most countries are trying to solve” by Privacy International.
So, if SIM card registration doesn’t stop fraud or crime, and in some cases, even puts citizens at risk, the question is – what good is it really?
Telcos and governments must ensure there are appropriate safeguards to protect the personal data of consumers and prevent its misuse by criminals or bad actors, and ensure that excessive registration requirements do not place customers’ private data at risk or exclude the most vulnerable members of society. There is potential for mandatory SIM registration to unlock an ecosystem of digital identity services, such as e-government and KYC requirements for mobile banking, however this can only work if it is paired with the highest levels of data protection.
Update [05/04/2024]: Telecom Namibia has deactivated nearly 200,000 unregistered SIM cards following the passing of the registration deadline.