Why Cleaning Mobile Network Operators Subscribers Database is Necessary

Written by

SIM card registration by Mobile Network Operators is a requirement in most governments around the world. As this white paper by GSMA puts it, “an increasing number of governments have introduced mandatory registration of prepaid SIM card user, primarily as a tool to counter-terrorism and support law enforcement efforts”. In Kenya, the law regulating SIM card registration was passed in 2015 after which every Kenyan is required to register their SIM cards with their respective mobile operators.

The need for everyone to register their SIM cards seems to be clear, but not every Kenyan appreciates just how important these needs are. There are those who see SIM card registration as a violation of their privacy, and they do have valid concerns. But their concerns would be more apt if we lived in a world where it was impossible to use mobile communication to organise terror attacks, bank robberies, or kidnappings – if we lived in a world where those who transact their finances through mobile money could never have their money taken away from them from fraudsters. But we are not in such a world.

We are in a world where if people are allowed unrestricted freedom there a significant portion will abuse that freedom. We have people who are not organising criminal activities simply because to organise such crimes require access to sophisticated technologies thanks to simple requirements such as SIM card registration. I am not saying that with SIM card registration people are not using mobile communication to organise crime, but that those who organise such crimes have to put in an extra effort in order to stay anonymous.

SIM card registration indeed creates an extra hurdle for those who would like to partake in certain criminal activities, but this extra hurdle required for anonymity doesn’t seem to be an actual thing in the context of Kenya where some SIM card retailers (hawkers) have figured out how to enable a SIM card without actually registering it. According to the Communication Authority of Kenya, “some SIM card dealers have been selling and activating SIM cards without taking details of the subscribers. This has led to some subscribers being anonymous. The anonymous subscribers are some of those who have been conning others as they remain unknown in the system. In order to update the database, it is necessary for the authority to undertake the SIM registration exercise”.

The whole process has seen Safaricom receiving a lot of criticism especially for requiring people to go their shops and register. Well, I know that what I am about to say will not be popular with a lot of people who totally do not trust the Government even when the Government is trying to improve things.  I think Safaricom got it right when they told people to go to their shops and register. Hear me out first. When dealing with the database integrity issue, the best way to go about it is to apply what you call Zero Trust Principle.

The general definition of Zero Trust is a security framework requiring all users, whether in or outside the organization’s network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping access to applications and data. Remember at this stage the database which Safaricom and other network operators use are corrupted and hence the need to clean it up.  Criticism of Safaricom came in two fold, that they did not set up portal to allow people to register online and the fact that they were talking peopleā€™s pictures. The outrage forced the CA to backtrack on the need for the pictures and Safaricom was forced to set up a registration website.

Consider an individual who has in possession a National ID that is not his, an ID that he used to register a SIM card. When the requirement that every Kenyan must re-register their SIM cards was in place, and that such registration can only happen at the mobile operator’s premises for a human being to verify the indication details of this individual, then the Communication Authority would be able to fish out the individual who had falsified his identity. Without the requirement for all Kenyans to re-register and to physically present themselves at the mobile operators’ premises, there are a number of these individuals who have stolen people’s identities that will still be authenticated to continue using the SIM cards in their possession.

At the end what Safaricom was doing initially was biometric authentication.  Basically take your picture and the signature which was then connected to all the confirmed Safaricom mobile numbers. Despite its risks biometric authentication is widely considered by experts to be one of the most accurate and secure methods of authenticating user identity because of its high level of accuracy. In the case where people have to simply send their details through a portal, as it is now the hackers and the conmen from Kamiti will be very active either by tying to intercept new data being sent or simply participating by sending the details of the stolen identities that they already have.

ā€œBut how safe is our data and is the data protection act helping to protect us?ā€  People have the rights to question how their personal data are being handled, especially because of some nasty experiences in the past. Not so long ago many Kenyans found themselves registered as members of different political parties which they did not consented to. The Data Protection act is clear on some of these issues. I also know that the Office of the Data Protection Commissioner are currently putting in place the relevant policies to operationalize the Data Protection Act. On top of that, they are currently doing a survey targeting different organisations in Kenya on how they handle private data. 

I conclude by saying that the ability of some Kenyans to acquire SIM cards as anonymous users, and the ability of other Kenyans to register SIM cards with false identities, are two of the leading reasons why the Communication Authority found it necessary to require every Kenyan to re-register their SIM cards, and at the same time outlaw SIM card hawking. The mandate that every Kenyan must re-register their SIM cards was later rescinded where today only Kenyans who have not registered their SIM cards are required to register, and together with the introduction of self-registration portals, this leaves some of us wondering if the intended outcome of getting rid of anonymous and false identity users will be met.

Article Categories:
TECHNOLOGY

Comments are closed.

Shares