Is your SIM registration data in the wrong hands?
Is your SIM registration data in the wrong hands?,
My first 9Mobile SIM was registered with a roadside agent. I submitted my fingerprints, a photo of my face, address, full name, date of birth, state of origin, and everything that can be used definitively to identify me.
A few weeks later and unable to purchase an internet bundle subscription, I visited a contact centre where I was informed my SIM card had not been registered. I proceeded a second time to disclose my details: fingerprints, face, name, address, date of birth, you get it.
Since 2011 when the National Communications Commission (NCC) launched its nationwide compulsory SIM card registration, the process has continued to unravel like a taut game of hide and seek between the commission, telcos and the millions of subscribers across the country.
From 2014 when the commission rejected the data of about 37.79 million subscribers citing inconsistencies in the collected data to 2019 when reports quoted the NCC as saying 63.2% of the total registered SIM card registrations in its database was invalid, a figure the commission denied.
For every time the commission countered, angry subscribers teemed to the contact centres of the telcos and lined up underneath umbrellas of open-air agents to have their data recaptured and their records updated.
A recent report by Comparitech, an organisation which compares tech services around the world, has placed Nigeria alongside countries where invasive biometric data is mandated for SIM card registration particularly for the reason that the length of time this data is held by the collating body is unknown or unclear. With fresh reports that National Identification Numbers may soon become necessary for SIM registrations, it is important to start asking how well the telcos and commission have structured their agent networks to ensure sensitive data does not fall into wrong hands.
Who collects SIM card users’ data?
In 2011 when the registration campaign began, the NCC published a list of accredited registration centres across the country on its website.
Temilade Alade, a Service Analyst at 9Mobile told TechCabal that while the registrations could not strictly be carried out at its contact centers, the telco interfaced with dealers who were equipped with 9Mobile facilities to register customers across the country.
“9Mobile staff then supervise these external staff,” she said.
This was the route a number of the telcos assumed to tackle the registration deadlines the NCC imposed. It was not long before non-accredited or questionable registration points began to spring up. A number of them asked for a payment for a service the commission had said was free for all.
Alade said it wasn’t unusual to have dealers, burdened by targets from their supervising staff, subcontract to random individuals to meet their targets hence the constant complaints from the NCC about the quality of the data collected at these registration points from incomplete fingerprints to unclear facial scans.
Ganiyu and Mustapha, two agents who rush to their feet to attend to me when I stop by at their umbrella stand at the Ojuelegba junction echo a similar dilemma. According to Ganiyu, agents tend to have weekly targets which increase as they are met. When they aren’t met, he says, they decrease but reach a threshold where the telco simply removes said agent from their network.
“Target can be like 50 [registrations] per week. If you meet that one, they’ll increase it,” he told TechCabal.
As someone who has worked as a SIM card registration agent for the last three years, he says it is not uncommon to have agents resorting to unscrupulous measures to meet their targets and stay employed. Seun and Kingsley, two agents along the Ojuelegba Road in Surulere told TechCabal they receive commissions per registered SIM card, “something substantial”. All four agents are directly in the employment of the networks they work for – 9Mobile, Globacom, Airtel and MTN. When I ask why they think the NCC keeps returning with large amounts of invalid registrations, Mustapha tells me sometimes, customers do not fill in the right information when they register
“You can see someone put their place of origin in the address column or the reverse,” he said.
Seun and Kingsley say improperly trained agents are to blame for invalid data capturing
“It’s not that the networks don’t do training but some agents don’t show up,” Seun said.
In 2016, the commission, to mitigate the number of rogue agents that had sprung up sometimes selling already registered SIM cards, stated that registrations must be carried out within controlled environments i.e a physical permanent building and must be traceable to a specific accredited registration agent. This is yet to be fully actualised.
Another young agent stationed under the Ojuelegba bridge told TechCabal he worked for a dealer who represented all the major networks. Whereas his registration equipment—a mini PC, a fingerprinting device and a portable camera—are fully functional, having to carry out facial data capturing in the open space of the bridge already disqualifies the facial data capturing at that outlet. He had never heard that the NCC considered millions of captured data invalid.
When asked if the NIN registration requirement had come into play, Seun and Kingsley answered affirmatively while Ganiyu said he was only aware Globacom had informed its customers of the new development.
Privacy and security concerns
Nigeria is not the only country where SIM card registration is mandatory. Save Namibia and Lesotho, every country on the continent requires that SIM card holders register their lines with the required body and offer some measure of their data for this purpose. In a lot of these places, not only is the government building a database of mobile phone users for governance purposes, the security agencies are better equipped with data to fight crime especially those committed with the aid of mobile phones and internet connectivity.
According to the Comparitech report, SIM card registrations that require detailed user information “allows authorities to easily track people’s locations and movements. All of their online activity—websites visited, search queries, purchases, and more—can be traced back to their device.
There are also concerns, the report raises, about the data getting into the hands of third party bodies including advertisers, or other government agencies. Already, the NCC feeds all its subscriber data to the National Identity Management Commission (NIMC), the overall governing body in charge of national identification. It is unclear if there are any other third parties who this data is shared with.
Tunde Okunoye who is Head of Research at the Paradigm Initiative Nigeria (PIN) says any country mandating the collection of biometric data, without data privacy/protection laws in place, is already in the wrong especially when this data is being collected on the scale at which the SIM card registration has been ongoing.
“In the absence of a data protection law, these things [mandatory SIM registration] should not be in place,” Okunoye said.
What currently exists in the country is the Nigeria Data Protection Regulation, a 2019 document fronted by the National Information Technology Development Agency (NITDA) which Okunoye insists is no replacement for a bill ratification to ensure data privacy and protection.
The first data privacy bill came up for discussion in the 7th National Assembly, Adeboye Adegoke, Program Manager, Digital Rights (Anglophone West Africa) told TechCabal.
“It didn’t really make progress in the 7th National Assembly. Then it came to the 8th National Assembly where it was harmonised with other related bills. It was passed and they sent it to the President but the President did not sign it,” Adegoke said
There is no documented reason why the bill was not signed into law as is customary. According to Adegoke, “inter-agency politics” stalled the process. The NITDA wanted to pass its 2019 document as the definitive document on data privacy and protection.
“The bill that was passed by the National Assembly was doomed,” Adegoke said.
The bill has been resurrected by two legislators who are sponsoring the bill on the floor of the Senate and House of Representatives as two seperate bills, Protection of Personal Information Bill and Data Protection Bill respectively. But there are conversations ongoing to push the harmonised bill that was not signed by the president and to present this again to the National Assembly.
“As part of our work this year, we are committed to follow through with the process,” Adegoke said.
That the SIM registrations have helped to fight insurgency and security breaches in the country is not news although its impact might be considered negligible still as there is very little data backing said impact. Sadly, there are very few regulatory frameworks that seek to protect subscriber data in the event of a privacy breach. Data privacy laws are present in only 43% of countries on the continent and yet, it seems, more biometric information requirements are being piled on top of already existing ones.
The NCC, over the course of the last eight years, has continuously embarked on awareness programmes urging Mobile Network Operators (MNOs) to sensitise their dealers/agents to desist from fraudulent SIM registration activities. But it must go a step further. Both the telcos and the NCC must do more to mitigate the chances of customers handing over their data to the wrong people.
According to Alade, contact centre registrations must be prioritised moving forward. Dealer networks must also not be pressurised with inordinate deadlines so as not to fall into the temptation of resorting to unscrupulous terms to meet them.
More also has to be done from the NCC to be more transparent with the bodies the commission shares user data with and for what amount of time they hold this information. More accurate data on instances where this information has directly contributed to crime-solving is also important if we must believe the notion that crime-fighting is at the core of the SIM registration exercise.
My first 9Mobile SIM was registered with a roadside agent. I submitted my fingerprints, a photo of my face, address, full name, date of birth, state of origin, and everything that can be used definitively to identify me. A few weeks later and unable to purchase an internet bundle subscription, I visited a contact centre […]
, , Kay Ugwuede