MANILA, Philippines — The mandatory registration of SIM cards may just put the security and privacy of citizens at risk, a cybersecurity initiative said on Friday, as it claimed there is no proof that compulsory enrollment of personal information with telecommunications firms will curb crimes.
This comes days after Congress ratified the proposed SIM card Registration Act which, if passed, will compel citizens to provide their personal information to public telecommunications entities (PTEs) before buying SIM cards in a move meant to curb terrorism, text scams, bank fraud and anonymous online defamation, among others.
Related Stories
But for cybersecurity policy analyst Mary Grace Mirandilla-Santos, the bill, if passed into the law, may do more harm than good.
"SIM registration has the potential to put the security, privacy, and welfare of citizens at risk. Experiences from other developing countries and the European Union show that SIM card registration may pose more risks than benefits to citizens," Mirandilla-Santos who spoke on behalf of Secure Connections, a cybersecurity initiative of The Asia Foundation, told Philstar.com over email on Friday.
"There is no evidence of the benefit of SIM card registration for crime prevention," she said.
Findings from global non-profit Privacy International show that mandatory SIM card registration policies adopted by several countries including Canada, Czech Republic, the Netherlands and Ireland were "ineffective and inefficient."
Mexico also had a compulsory SIM card registration policy in 2009, but repealed it three years later after it was discovered to be "ineffective."
Vague provision on social media registration
The bill also included a one-liner on social media registration which requires "all social media account providers to provide their real name and phone numbers upon account creation", a provision that Mirandilla-Santos said was inserted during the later stages of the Senate deliberations.
"[It was] not thoroughly deliberated upon and without consultation with relevant stakeholders," she said.
"Mandating operators of social media platforms that are accessible in the country, yet the social media providers do not have business operations in country could be quite a challenge. Compliance might be zero," she said.
Ivy Grace Villasoto, the officer-in-charge of the NPC's Privacy Policy Office, noted in an email on Friday that the provision on social media registration was not indicated in House Bill 5793 or Senate Bill 2395, the bills which Congress deliberated on before drafting the final version of the bill.
"This portion of the bill is vague and seems to be a rider," she said.
Bill may tread on right to privacy
Mandatory SIM card registration may also raise privacy concerns and increase the risk of data breaches, the NPC official said.
"The... mandatory registration requirements and the manner by which the same will be actually implemented may result in the intrusion on an individual’s fundamental right to privacy. Specifically, this may lead to a heightened risk of the occurrence of personal data breaches and unauthorized processing of personal data," Villasoto said.
She said the law may also digitally, socially and financially exclude subscribers if they cannot have their prepaid SIM cards registered because they do not have a valid ID or cannot shoulder the additional costs of registration.
"While we do not categorically object to the passage of the bill, the same still needs further study," Villasoto said.
Securing the database
If the measure is passed into law, consumers will first need to fill up an electronic registration form detailing their personal information, which may include their full names, birth dates, addresses and pictures of their valid government I.Ds, before purchasing and activating a SIM card.
Concerned public telecommunications entities (PTEs) will collect the registration forms which will be kept on file in a central database that will serve as a "SIM card register."
The register can only be used by PTEs to process, activate or deactivate subscriptions.
Mirandilla-Santos advised against having a central database to store all of the consumers' information, as this will become an attractive target for cyber attackers.
"It is good that the bill includes a provision requiring PTEs to comply with minimum information security standards to reduce the risks to its recordkeeping system. However, the security of a central database cannot be guaranteed at 100%," she said.
Identity theft, surveillance possible
Mirandilla-Santos also noted that the bill was not clear in explaining how SIM registration will prevent the fraudulent purchase of SIMs.
"Will the burden of verifying the authenticity of identifying documents fall on the telcos and retailers? The incidents of SIM swap-enabled crimes already show that telcos are unable — justifiably or not — to properly verify the authenticity of a person's claimed identity," she said.
If the law is not implemented properly, criminals could use stolen SIM cards or IDs to commit cyberattacks and incidents such as identity theft, online fraud and data breaches.
With the law in place, any SIM user can also be a subject of surveillance, as whereabouts can be easily traced, which does not bode well for informants blowing the whistle on sensitive information.
"Because of this, the ratified bill can put [a] whistleblower's protection at risk and may have a chilling effect on Constitutionally-protected free speech. Thus, the bill will penalize the majority for the perceived or anticipated transgression of a few," Mirandilla-Santos said.
Problems in Pakistan
While the goal of the SIM card registration policy is to address crime and terrorism, criminals may be still able to circumvent the law, drive up the prevalence of crimes and facilitate the emergence of black markets, according to global nonprofit Foundation for Media Alternatives (FMA) in a 2018 briefing paper on the proposal.
The group noted the case of Pakistan when authorities in 2014 recovered SIM cards allegedly used by militants involved in a terrorist attack. The cards were traced to unsuspecting citizens who were not connected to the incident.
"It has been reports like this that have affirmed the decision of some countries to refrain from adopting a similar system," it said.
As of 2020, Pakistan still has mandatory SIM card registration.
FMA explained that the rolling out of such a policy may also pose a logistical nightmare to mobile service providers and government agencies since there would be a need to build a "considerable information infrastructure" which can handle large amounts of data.
The group added that the bill also raises issues on the possible use of surveillance which can be used to track SIM card holders who are investigative journalists, whistle-blowers, witnesses, marginalized groups, and victims of discrimination and oppression.