Compulsory SIM card registration, mandatory data retention and biometrics harvesting will degrade human rights and democracy
In a few days communications privacy comes to an end in Namibia.
This is because on 1 January 2024 perpetual mass surveillance will become the norm in the country as mandatory SIM card registration and data retention are fully operationalised under regulations of the Communications Act of 2009.
With this Namibia becomes the latest country to experience the “identity crisis” that is sweeping the world.
This “identity crisis”, as designated by a consortium of human rights organisations, has arisen as a result of the global push by states to increase their surveillance powers and activities in the cyber era and forms part of the narrowing of civic spaces and decline in democracy both online and offline.
At the heart of the “identity crisis” is the mandatory requirement that people authenticate their identities in order to access services, such as telecommunications or public services.
This identity authentication takes the form of having to provide some sort of identification document, such as an ID card or passport, or biometric data, such as fingerprints or facial images, in order to access a particular service.
These identity authentication systems are touted by state and corporate authorities as solving “a huge range of complex problems”, as pointed out by international human rights organisation Privacy International (PI)
PI notes that the reasons most often given for the introduction of such systems include “identity fraud prevention, national security, crime prevention, financial industry facilitation and the prevention of human trafficking”.
However, PI and others have also pointed out that “it is now well-documented that ID systems are being used to facilitate targeting, profiling and surveillance” by both states and companies.
This “targeting, profiling and surveillance” is achieved through “the collection and processing of vast amounts of personally-identifiable data”, which ironically has exposed people around the world to new and increasing risks such as identity theft, as well as to immensely invasive and cruel systems of surveillance used to target individuals and monitor entire populations”.
Because of the implications and impacts on privacy and data security, human rights defenders have called for such systems to only be introduced where comprehensive privacy and data protections are in place.
However, in many countries, and especially on the African continent, such systems are rolled out without such protections in place or where they do exist they are not comprehensive enough.
Namibia has no communications privacy or data protection framework in place as it rolls out its own identity authentication systems for SIM card registration and data retention.
Biometrics problem
It is because of this glaring regulatory vacuum that the collection of biometric data has become a contentious and controversial aspect of the identity authentication process of the SIM card registration drive.
Namibia’s largest telecommunications service provider, MTC Namibia, has been collecting biometric data – fingerprints and facial images – of its service users and subscribers even though the law only requires the collection of basic information, such as an ID card or passport and an address.
State-controlled MTC Namibia’s unlawful biometrics harvesting attracted a limp-wristed slap from the Communications Regulatory Authority of Namibia (CRAN) early in 2023, but the company has defiantly continued collecting biometrics – in its latest move it offers online SIM registration that includes a facial scan that uses liveness detection software – and thereby effectively spotlighted CRAN’s regulatory weakness.
To be clear, as international digital rights organisation Access Now points out, “biometric data may include, for example, one’s facial features, fingerprints, or iris patterns, while behavioural biometric data may include attributes such as gait, signature, or voice patterns”.
Access Now notes that biometric data has become “the primary mechanism for verifying a person’s legal identity” in digital identity authentication systems.
This is problematic and “can be dangerous, as most often an individual cannot change their biometric data, making it extremely sensitive and difficult to remedy in the case of a data breach”.
The issue of a data breach reared disturbingly in mid-December 2023, days before the 31 December deadline for SIM card registration, when it emerged that there were attempts underway to steal the personal information of people trying MTC Namibia’s online SIM registration process.
Aside from the unlawfulness and questionable security of the MTC Namibia SIM registration database, the major critique of the practice is that it is done non-transparently and without proper informed consent of those whose data is collected.
This, unfortunately, is a feature of how such systems have been created and deployed in countries across the continent.
The Collaboration on ICT Policy for East and Southern Africa (CIPESA) notes in its September 2022 State of Internet Freedom in Africa report, aptly titled ‘The Rise of Biometric Surveillance’, that the roll out of such systems are not a consequence of democratic and public consultative processes, that take into account the views and rights of ordinary people, but are imposed on the people by the government “in the interest of national security”.
CIPESA found that enabling legal frameworks “lack clear checks against possible data privacy violations and tend to lean towards facilitating access by the state and its agencies as opposed to protecting the rights of data subjects. It is also commonplace in some of the countries studied to find that the laws are largely used to ease access to the personal data of individuals to identify and target them”.
These concerns now dog Namibia’s emerging identity authentication systems, which aside from not having strong data protections in place, especially regarding the collection and processing of biometric data, also lack appropriate and effective oversight and transparency mechanisms that would enable the public to hold state and corporate entities accountable for how they handle the personal data of ordinary Namibians.
It should also be noted that with regard to the issue of harvesting biometric data for SIM card registration that the African Union Convention on Cybersecurity and Personal Data Protection (the Malabo Convention), in article 10(4), calls for states to only engage in the collection and processing of sensitive personal data, such as biometric data, with authorisation from a competent data protection authority.
Namibia has ratified the Malabo Convention.
Compelled service provider assistance
The other concerning aspect of the emergent identity authentication system is how the state effectively forces or co-opts telecommunications service providers to facilitate mass state surveillance of the entire Namibian population.
Already Namibia’s telecommunications landscape is dominated by state-owned and controlled MTC Namibia and Telecom Namibia, with a sector regulator, CRAN, that lacks independence and regulatory robustness.
In compelling service provider assistance, Namibia once again follows a disturbing African trend, with CIPESA stating in a March 2023 report, titled ‘Compelled Service Provider Assistance for State Surveillance in Africa’, that “across Africa, countries have enacted legislation compelling telecommunications service providers to embed technical capability within their systems to facilitate the interception of communications by state security agencies”.
CIPESA notes that such compelled assistance “is a key contributor to undermining users’ privacy in Africa. The assistance rendered by intermediaries is used to facilitate internet disruptions, access to users’ data with ease, content removals, decryption of users’ encrypted data, and state surveillance”.
All of this is now in play in Namibia as well as a result of mandatory SIM card registration and data retention.
In the end, Namibians are right to be concerned about and distrustful of this emergent identity authentication system, for with the telecommunications sector dominated by state-owned and controlled entities, they can have no expectation that these entities will do what is in their best interest when it comes to the collection and processing of their data.
MTC Namibia and Telecom Namibia will ultimately do what is in the best interest of the state, with no questions asked, even if that means undermining the human rights of their customers and subscribers who entrust them with their personal information.
That said, Namibia’s unfolding ‘identity crisis’ will probably deepen over the coming years as more digital identity authentication systems are introduced through various ‘smart’ and e-government initiatives, while at the same time a watered-down data protection framework is introduced and implemented that already seems clear will not prioritise the rights of data subjects.
Frederico Links is a research associate with the Institute for Public Policy Research (IPPR) who has written about state surveillance since 2018 and the threats posed by SIM card registration since 2020.