Malicious Life Podcast: SIM Registration: Security, or Surveillance?

Right now, hundreds of thousands of people in the southern African country of Namibia are faced with a choice. At the end of next month, their phone service is going to be shut off permanently: to prevent that from happening, they’ll have to give up their data privacy. As a result, nearly two million Namibian citizens are facing a data privacy problem which may haunt them for years to come - and hundreds of thousands more are set to join them, or else they’ll lose their phone service for good. All of which raises the question: was making everybody register their SIM cards a good idea in the first place?

 


About the Guest

Frederico Links

Security Researcher and Journalist

Frederico Links has been an IPPR Research Associate since 2009. He has focused on governance issues, anti-corruption strategies, democracy and elections, party political finance, empowerment policy, and public procurement. He is the Editor of the IPPR’s Namibia Fact Check project and the lead researcher for Procurement Tracker Namibia. As of June 2021 he coordinates the IPPR’s Democracy Report project. He has previously worked as a journalist for a range of Namibian publications.


Paul Rowney

Digital Transformation Strategist

As an ardent proponent of digital inclusion, I am deeply committed to leveraging technology and innovation as powerful tools to bridge the digital divide. With a wealth of experience collaborating with governments, NGOs, and IGOs, I have been actively involved in promoting connectivity for development and creating inclusive digital solutions.

About the Host

Ran Levi

Born in Israel in 1975, Malicious Life Podcast host Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.

In 2007, he created the popular Israeli podcast Making History. He is the author of three books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

About The Malicious Life Podcast

Malicious Life by Cybereason exposes the human and financial powers operating under the surface that make cybercrime what it is today. Malicious Life explores the people and the stories behind the cybersecurity industry and its evolution. Host Ran Levi interviews hackers and industry experts, discussing the hacking culture of the 1970s and 80s, the subsequent rise of viruses in the 1990s and today’s advanced cyber threats.

Malicious Life theme music: ‘Circuits’ by TKMusic, licensed under Creative Commons License. Malicious Life podcast is sponsored and produced by Cybereason.


Transcript

Right now, as we publish this podcast, hundreds of thousands of people in the southern African country of Namibia are faced with a choice. At the end of next month, their phone service is going to be shut off permanently. To prevent that from happening, they’ll have to give up their data privacy.

SIM Security Intro

Take all the cybercrimes out there: denial of service against websites, using smart devices in a botnet, stealing someone’s bank account password, and 100 others. Of them all, you’d have to say that SIM-related crimes are some of the worst.

The Subscriber Identity Module card that identifies and authenticates your phone to a cellular network can be weaponized to carry out some really nasty identity theft. We’ve probably never done a scarier episode on this show than number 204, about SIM Swaps, the attacks that happen without you realizing it, and can lead to impersonation, emptying your bank accounts, and even greater traumas than that.

For as powerful as they are in the hands of an attacker, you’d figure, SIMs are also a useful tool for law enforcement. Imagine investigating crimes where you could directly tie perpetrators to the phones they use to purchase illicit goods, and coordinate their misdeeds; the phones they carry on them at crime scenes, and when they’re trying to hide. It’s no wonder, then, that so many countries make their citizens register their SIM cards.

A lot more than many of you out there might realize. Neither the U.S. nor U.K. require citizens to register their personal information when obtaining access to cellular service, nor do some other northeast and southeast European countries, and a few others scattered here and there. But the overwhelming majority of the globe — more than 150 nations and counting — do have such laws in place, including the entirety of South America and Asia.

Nearly every country in Africa as well, save for a few, tiny outliers: Cape Verde, Comoros, Djibouti, and, until recently, Namibia.

In June of 2022 the largely peaceful, largely desert country kickstarted a nationwide project to align itself with the rest of the world, by registering every one of its citizens’ SIM cards before the end of 2023.

It did not quite go according to plan. As a result, nearly two million Namibian citizens are facing a data privacy problem which may haunt them for years to come. And hundreds of thousands more are set to join them, or else they’ll lose their phone service for good.

All of which raises the question: was making everybody register their SIM cards a good idea in the first place?

Foundation: Early 2000s

“[Frederico] This sim card registration process that we are currently in in Namibia is something that has its origins in the global war on terror. That of course started with the September 11 2001 attacks on the World Trade Center in the US.”

Frederico Links is a journalist, and research associate with the Institute for Public Policy Research in Namibia.

“[Frederico] Over the years, global bodies such as the UN’s International Telecommunications Union, through third parties such as these national security related issues and anti terror related issues have been introduced on a global scale.”

With leadership from bodies such as the UN’s ITU, SIM registration has become standard security protocol worldwide. Namibia — a relatively new democracy, its independence dating back only to 1990 — has followed behind the pack, despite passing a national Communications Act back in 2009.

“[Rowney] That was an act that took about 10 years to actually bring to the process of being gazetted.”

Paul Rowney is the chairperson of the Payment Association of Namibia’s e-Money Forum. He also happens to be Frederico’s neighbor, in Namibia’s capital city of Windhoek.

The Communications Act he’s talking about was a sweeping piece of legislation, aimed at regulating the country’s entire telecommunications sector.

“[Rowney] part of that, you know, was to establish the communications regulatory authority of Namibia.”

CRAN, for short.

“[Rowney] It then started regulating the operators issuing licenses. Part of his mandate was to register SIMs.”

Catalyst: 2015 Ansar al-Sunna

That last part stalled for many years. But then came a catalyst.

Around 2015, a group of followers of Aboud Rogo, an Islamic extremist cleric from Kenya, began to gather in the north of another southern African country — Mozambique — under the name Ansar al-Sunna. By 2017 the small but heavily armed Ansar al-Sunna began carrying out attacks against local security forces, and civilians came under their fire soon after. (Their exploits would later earn them a spot in ISIS.)

“[Frederico] And since then, all governments in southern Africa have been engaged in assisting the Mozambican government in fighting this insurgency.”

As part of the effort, that year, Namibian authorities convened two terrorism-related workshops.

“[Frederico] one of the recommendations of that early 2017 workshop, security related workshop, that was endorsed at the second workshop, was that the code registration has to be introduced as a matter of urgency as a means to, to curb or to fight growing youth radicalization. And not just in Namibia, but across southern Africa.”

Curbing potential terrorist activity was just one reason to get the process started. In various official documentation, the government has cited a number of other reasons for implementing the policy, including its usefulness in criminal investigations, preventing mobile fraud, and making it easier to roll out e-services for citizens, such as digital identity-enabled banking.

Low Initial Turnout

Which is all nice in theory and, in mid-2022, the government finally triggered its plan. But then came the hard part: actually getting people to comply. So they set a deadline of December 31st, 2023.

After that year and a half, by the time December rolled around, the results of this national project were clear. Of the approximately 2.4 million active SIM cards in the country, only just over 1 million had been registered. About 43%, in all.

Despite this, a representative of the Namibian Ministry of Information and Communication Technology (MICT) stood firm, telling the national news media that there would be no extension. In other words, if they didn’t sign up by the end of the month, 1.3 million people were going to be cut off from the grid.

Registration Difficulties

Have you ever tried to get your entire family into the car, or a group of friends to agree on a restaurant to go to?

Now imagine trying to get an entire country to get out of bed, go outside and, instead of doing whatever else they might have done with their day, go voluntarily register their SIM card with their provider, all for some reason they probably don’t understand and may or may not agree with if they did. And the only prize for doing this is that nothing will change in their lives.

If it were really easy and quick to do, maybe, that’d be one thing. But listen to Paul describe his experience registering his own chip.

“[Rowney] So the first thing I had to do was go to the police station and get a police declaration to say that I was the owner of that SIM card. So that meant that you know, I spent half a day trying to get to the police declaration. Then I needed to get proof of residence. And you know, I’m fortunate that I actually have proof of residence. A lot of Namibians don’t have proof of residence because they live in some of the informal areas.”

“Informal” in that unlike city dwellers Paul and Frederico, many Namibians live in rural, tribal villages, with no formal addresses. To account for them, the government allowed them to register any address at which they can receive mail, such as a school, church, or store.

“[Rowney] Then I needed to get a copy of my ID. So you know, again, I’m fortunate because I have a printer and a copier. Some people don’t have access to that. So they got to go to a coffee shop and get a copy of the ID. I took that you know I stood in the queue and you could spend quite a long time in the queue. I’ve heard people spending most of the day just queuing at the operator just to register.”

As frustrating as this was for Paul, imagine how much more difficult it would’ve been for poorer citizens to take so much time off from working. And how much more time it would’ve taken them to do all of this if they lived out in distant villages, and had to travel hours into the city just to wait in one of those long lines. That’s to say nothing of the elderly, the disabled, and so on.

“[Rowney] Then there’s a form. this particular one so then I had to complete another form. That asked for a whole bunch of information that was well outside of the scope of the requirements of the act.”

This point is crucial. But to fully understand what Paul’s referring to, and why it matters so much, we first need a picture of the telecoms companies carrying out these registrations.

Map of Namibia’s Telco Industry

In a country with fewer citizens than the city of Chicago, you wouldn’t necessarily expect a large number of telecommunications providers. But even so, Namibia’s market is a bit of a problem.

First you have Telecom Namibia, a state-founded company.

A decade ago, Telecom Namibia acquired the only fully private mobile operator, called Powercom/Leo. The deal cost it just two Namibian dollars, as Powercom was then drowning in 240 million dollars worth of debt.

That left, as the only other major provider, a company called Mobile Telecommunications Company Namibia, or MTC for short. (It, too, is largely government-owned).

Some wondered whether having just two phone service providers for an entire country — small as it may be — would create an anti-competitive atmosphere, and by 2022 the concerns turned out to be well-founded. But it wasn’t Telecom Namibia causing the trouble.

MTC currently services more than 90% of Namibia’s mobile phone users — more than 2 million people in a country of 2.5 million (where, of course, not every single person owns a phone to begin with).

“[Frederico] It’s very much the market leader and a monopoly on its own on the Namibian telecommunications landscape.”

You can imagine the kind of power this affords them during, say, a government initiative, to deal with it however they wish.

Biometrics

“[Frederico] MTC Namibia, from the beginning, started collecting biometric data. So they were fingerprinting people and taking photos of their faces.”

To be clear, the data that citizens have to disclose in registering their SIMs is clearly defined in Part 6 of Chapter 5 of the 2009 Communications Act. It includes: your name, address, and some form of ID. That’s it. 

“[Frederico] Now I’ve watched the process. I stood at one of these registration points and watched what was happening. [. . .] They weren’t seeking consent, want to say – explaining and then asking: “Do you consent to us doing this?””

MTC says that customers can refuse to have their biometric data recorded. However, the company doesn’t actually inform customers that they have this option in the first place.

So many Namibians gave their biometric data to MTC that, by the time the government stepped in and told the media that it was not actually a required measure, some media outlets reported that they were canceling the requirement. In fact, it never existed to begin with.

“[Frederico] I’m a policy researcher, and I’ve had sort of people emailing me privately and saying, you know, I’m very uncomfortable with this process, but I don’t want to give up my MTC number.”

After a while, the government issued a directive that telcos should not collect biometric data, though MTC continued to do so anyway. And for what reason they’re doing this, one can only guess.

“[Rowney] The CEO of MTC announced in his Christmas message that they’re launching a new digital platform in the coming year. And what is certain is that biometric data would be of tremendous benefit to them for the big success of their commercial application. So we’re not saying that they will use it for that- but the opportunity would exist for them to utilize the information that they’ve collected for commercial purposes.”

Privacy Concerns

For Paul and Frederico, the issue isn’t simply that a government-owned telco is collecting the entire country’s biometric data for who knows what purpose. It goes deeper than that.

“[Rowney] their data is being taken with no understanding of how it’s going to be used, who owns the data, how the data is being stored.”

We at Malicious Life reached out to MTC for more information about how it’s storing and protecting the sensitive biometric information it’s collecting from millions of people, but didn’t receive a reply back.

“[Rowney] what became apparent is that the two operators, the two main operators, are collecting this information. They have different databases, they have different data requirements. And it’s not clear how that information will be merged at some point.”

There’s one, overarching reason why the process is so scattershot.

“[Frederico] This is happening in the absence of us having actually produced or implemented or enacted a data privacy protection law, which actually has been in the pipeline since 2013. We’ve had drafts floating around, and we’ve never really gotten to the point where a substantive draft has been able to be tabled in parliament and enacted into law.”

This is actually quite common. According to the UK organization GSMA, as of 2021, 37% of the more than 150 countries with mandatory SIM registration — and 57% of those in Africa — lacked privacy legislation to regulate the use of that data, leaving open the possibility that states and private companies could use it as they wished. As a result, Privacy International has pointed out, quote:

“An individual’s phone number could potentially be matched with their voting preferences or health data, enabling governments to identify and target political opponents, for example, or people living with HIV/AIDs. In countries with political and ethnic tensions, pairing data with political activity might result in physical risks for the people involved.”

It goes without saying that, in some of the countries with mandatory registration but no privacy laws, these kinds of abuses of power and questionable human rights practices are common.

Namibia, to its credit, is not such a country. Freedom House, a D.C.-based nonprofit which scores countries based on civil and political liberties enjoyed by its citizens, has assigned Namibia a “Free” 77 out of 100 rating in its system. For comparison: my country, Israel, is also a 77, and the so-called “land of the free, home of the brave” only gets an 83.

Further, the country does have certain laws in place which would apply to SIM-related data collection. Together, the Criminal Procedure Act of 1977 and the Namibia Central Intelligence Service Act of 1997 define the terms under which the government can perform lawful interception of telephone communications. The latter, in particular, states that interception can only occur after a crime has been reported to law enforcement, and a judge has issued a warrant.

But such laws don’t restrict companies like MTC. And as Frederico points out, doing the data collection part before the privacy protection part creates a sort of cart-before-the-horse situation, preventing effective regulation from being applied to such companies down the line.

“[Frederico] Whatever comes out of our data protection, law drafting at this process, has to be crafted to take into account what’s already in play and what’s already in place. And basically, it has to be written around this. So what we’re really seeing is a sort of watered down data protection proposal in terms of a framework, and this is problematic and already, you know, there are criticisms of this. Whatever is put into place in terms of safeguards will not be adequate and appropriate.”

Updated Registration #s

On December 29th, 2023 — two days before the MICT promised that all unregistered SIMs would be suspended — the head Minister released a statement. Of the 2,383,920 active SIMs nationwide, 1,491,349 had thus far been registered. Around 62.5%. As a result, the government would be extending the deadline three months, until March 31st.

Just before recording this episode — on January 26th — we reached out to the regulator, CRAN, for a more updated figure. In an email, their CEO, Ms. Emilia Nghikembua, informed us that by that date 1,694,744 SIM cards had been registered — about 71% of the total, with 693,033 yet to go. “This data indicates positive trends in the registration across various operators,” Ms. Nghikembua wrote, “highlighting encouraging progress within the review timeframe.”

It’s likely that by March 31, thousands more people will have signed on. But, inevitably, hundreds of thousands will still have not. And if you think they’ll get off easy, don’t be so sure.

Nigeria’s Example

Other countries have stuck to their word on this before, like Nigeria, which makes Namibia look like small potatoes in comparison.

On April 4th, 2022, with more than a third of its population as yet unregistered in its national digital identity database, the federal government of Africa’s most populous nation ordered that all those non-compliant be barred from making outgoing calls from their mobile phones. Many telcos complied with the order, leaving more than 72 million people without the ability to call friends and loved ones.

The ban has persisted through legal challenges and protests from advocacy groups to date. And in just a few weeks — on February 28th — all those not fully registered with the government will be totally taken off the grid.

It Doesn’t Actually Stop Crime

Perhaps all of these dramatic blackouts are worthwhile if, as a result of these policies, law enforcement is able to stamp out SIM swaps, catch criminals via their phone connections, and prevent the spread of terrorism.

Except according to a 2016 report from GSMA, there is no actual empirical evidence to suggest that these policies have those effects. According to Privacy International, quote, “The practice has been exposed as ineffective and inefficient in some countries that have adopted its use.” End quote. At least a few countries — Canada, Ireland, the Netherlands, the Czech Republic — have all rejected SIM registration on these grounds.

Just look at, for example, Pakistan, which goes further than Namibia in requiring SIMs be registered with biometrics. Instead of dissuading SIM crimes, it only served to foster a black market with criminals forging fingerprints (turns out it’s easier than you’d think).

Or consider Mexico, which passed a SIM registration law in 2009. It repealed it just a few years later. An official senate gazette from the time was scathing. Quote:

“The truth is that the creation of the National Registry of Users of Mobile Telephony has not borne fruit in the prevention, investigation and prosecution of crimes such as kidnapping and extortion. Various studies show that these criminal phenomena continue to increase and that the use of mobile phones to commit them remains common. [. . .]

To a large extent, [its] inability has been the product of the idea that registering cell phone users in a large national database would guarantee the location of those responsible for a crime. A misconception founded on the argument that criminals would use mobile communication devices registered in their name or in the name of their accomplices. Reality is another.”

The draft decree, signed by three senators, lays out just a few reasons why having people register IDs with SIM cards didn’t actually accomplish anything. We’ll read off just some of their findings. Quote:

“[T]he registration of a telephone by name and Single Population Registration Key does not guarantee the veracity of the data, and even less so that in the event of a crime the culprit is caught; on the contrary, a person who is not can be blamed. Likewise, the obligation of the concessionaires to verify the veracity of the information provided is ineffective since the companies operate through thousands of distributors and agents who cannot be held responsible to do it.

Furthermore, there are no incentives to ensure that people who hire a cell phone communication service and who register maintain the same data at a later period. In such a way that the [system], in addition to containing false records, also contains outdated records.

Likewise, some specialists affirm that the obligation to register mobile phones has generated incentives for the theft of equipment. As already mentioned, it is estimated that about 40% of assaults on passers-by are aimed at stealing cellular equipment.

There are other data that speak for themselves of the ineffectiveness of [it]. It should not be lost sight of that any offender can make use of a phone purchased abroad with the service of “roaming”, […] or buy a chip for less than 70 pesos in the informal market, either stolen or fraudulently registered, to extort, kidnap or commit any other crime.

An additional problem is the possibility that the information provided by users may be removed from the database and misused.”

In Namibia today, 1.5 million people’s biometric data is sitting in a likely insecure database belonging to a telephone company, and in two months, half a million people who aren’t yet in that database will probably join, once they’re forced to, after losing access to their phone service.

This situation isn’t at all unique to Namibia, though, as stories from Nigeria, Pakistan, Mexico, and any number of other nations have shown.

And sadly, at the end of the day — despite, in most cases, only the best of intentions — all of these big, national security experiments were probably just not worth the trouble.