Over the last five years there has been a steady trend for African governments to implement mandatory SIM card registration policies. This means that you can’t buy a SIM card for a mobile phone without producing an ID document and proof of address. South Africa was one of the first African countries to do this but many have followed including Kenya, Ghana, Nigeria and many others. At last count, no less than 35 African countries (see list below) have implemented obligatory SIM card registration.
The implementation of mandatory SIM card registration has been justified as necessary in order to assist law enforcement agencies in tracking down criminals. Images are conjured up of thieves executing elaborate plots with the aid of disposable mobile phones. In the post 9/11 zeitgeist, this is an argument that most find easy to digest. Indeed, so much so that I am unaware of these policies being buttressed by any research evidence linking SIM card registration to a drop in crime or an increase in solved criminal cases. Most news articles seem to provide as rationale the fact that other countries in the region are implementing such policies. A search through Google Scholar reveals very little research on this. And indeed the only research I could find on mandatory SIM registration in Africa focused primarily on its economic impact on subscriber growth.
So what’s to worry about? The classic rebuttal to objections to this kind of data collection is that if you haven’t done anything wrong, you have nothing to fear. And indeed, the “intent” of most legislation around SIM card registration is to clearly define and control when and how this information might be accessed by law enforcement agencies. But what is worrying is not so much lawful interception but rather when those rules get bent or broken. We have seen countless examples now around the world of sensitive data being unlawfully accessed from email accounts to credit cards.
The very act of collecting data carries the responsibility to provide adequate methods and oversight for securing that data. When organisations propose to collect potentially sensitive data, the burden of proof should be on them to justify the need for such data collection as well as their ability to keep that information secure. I don’t believe the case has been clearly made for SIM card registration. Certainly I don’t think the benefits outweigh the dangers. Here is an example of why.
There is a paradigm shift going on in the world of electronic surveillance. It has gone from complex, expensive, and sometimes unreliable to simple, inexpensive, and highly accurate. Increasingly surveillance technology has become commoditised. The device advertised at the left is a great example of this. It is an IMSI catcher, a device that listens passively to mobile phone traffic and picks up the identity of all of the phones in a given area. It can be purchased for a few thousand dollars. About the size of a suitcase, it can be installed on the bottom of a helicopter or on top of an apartment building. In many countries, the passive nature of the IMSI catcher often means that using one does not legally constitute interception and thus they can be used with oversight by law enforcement agencies.
Now imagine that the government of the beautiful democracy that you live in does the unthinkable and implements some legislation that you object to. You decide to exercise your free speech by participating in a public rally objecting to this legislation. A helicopter hovers in the distance with an IMSI catcher attached to it. Now your phone is in a database that has been collected of everyone who participated in the rally. Without mandatory SIM registration, that database is just a list of phone numbers. With it, it is potentially a list of names and addresses of people who the government has now identified as troublemakers. Perhaps that sounds a little paranoid? For a healthy democracy it probably is but there is plenty of evidence of authoritarian regimes using these tools and others. And maybe your country is a democracy now but will it always be?
Naturally such violations of privacy couldn’t happen if the rules for accessing the SIM registration database were observed but that is precisely my point. I don’t think it is reasonable to assume that the rules won’t ever be broken in the name of “security”.
Time To Ask Questions
The point of this post is to suggest that the time is now for civil society organisations in countries where mandatory SIM card registration has been implemented to starting asking questions, such as:
- Does adequate technological and policy oversight exist to prevent SIM card registries from being misused?
- What evidence is that that SIM card registries are actually contributing to crime reduction?
- Are law enforcement agencies already using passive surveillance technologies like IMSI catchers?
- Are passive surveillance technologies covered under existing legislation concerning the interception of communication?
And of course this is just the tip of the iceberg as we begin to understand the many ways in which in which the ever smarter mobile technologies create new possibilities for the invasion of personal privacy. In the rich world, organisations like Privacy International and the Electronic Frontier Foundation are working hard to ensure that rapidly evolving communication technologies do not end up compromising our right to privacy. Every country in Africa needs a civil society voice to ensure that individual right to privacy is not eroded with a phone call.
A List of African Countries with Mandatory SIM Card Registration
|Central African Republic||Yes|
|Republic of the Congo||Yes|