Biometric data collection breaches privacy – Cran

The Communications Regulatory Authority of Namibia (Cran) says the Mobile Telecommunications Company (MTC) collecting biometric data from clients while registering their SIM cards is a “concerning trend and breaches privacy”.

Responding to a report published by The Namibian on 24 February, Cran spokesperson Mufaro Nesongano rubbished claims that suggested Cran’s involvement in the collection of biometric data from mobile telecommunication companies during the SIM card registration processes.

The report, written by Paul Rowney, suggested that Cran was the driving force behind the continuation of this privacy breach.

“The telecommunications landscape in Namibia is marred by a concerning trend of data privacy breaches, exacerbated by the regulatory inefficiency of Cran,” the report reads.

Nesongano this week said this information is false and contradicts the stance of the regulatory authority on the matter.
“During the registration process, it was noted that some customers were requested to provide biometric data to fulfil this requirement,” he said.

“However, as a responsible regulator, Cran promptly issued several directives in May 2023, clarifying that biometric data was not a mandatory requirement for SIM card registration, unless customers voluntarily choose to do so,” he said.

Nesongano said Cran conducted compliance-monitoring exercises throughout 2023 and established that no instances of operators mandating biometric data for SIM card registration were observed.

Nesongano said efforts to have a conversation with Rowney were to no avail.

“The regulator has on numerous occasions invited Mr Rowney to substantiate his assertions with evidence, which he did not provide. In the absence of such evidence, Cran views his comments as unfounded,” he said.

Additionally, Cran extends an invitation to members of the public to report any cases of mandatory collection of biometric data by mobile operators with the regulator.

“Cran reiterates to the public that the provision of biometric data is not obligatory for SIM card registration. Should any operator request such data, consumers are encouraged to inform the regulator of this practice for appropriate action,” he said.

Researcher Frederico Links echoes the regulator’s sentiments, highlighting that the practice would be of serious national concern and a potential security breach.

He says the situation remains worrying as long as there is no prior, formal communication on the collection of customers’ biometric data.

“People aren’t being given assurances that their biometrics will be safe, nor are they informed as to why it is being collected in the first place,” Links says.

He says MTC has not proven to have a secure data-handling system in place, referring to reports from last week that revealed some clients who registered their cards months ago were affected when MTC suspended unregistered SIM cards.

“There’s a serious security issue there,” Links says.

MTC spokesperson John Ekongo says the company is currently focusing on its unregistered clients.

“Currently, our efforts are focused on serving our customers who are using the grace period to have their suspended SIM cards restored,” he says.

Previous reports reveal that MTC’s decision to ignore the regulator’s directive stems from the absence of data-protection legislation, saying it has aligned this practice with the European Union’s General Data-Protection Regulation (EU GDPR).

“[…] to align ourselves with that, and that is why we are asking you, you are giving consent for us to store your personal data. So that is in terms of a law that doesn’t really exist,” MTC’s legal executive, Patience Kangueehi-Kanalelo says.

She says personal data information includes names, surnames, identification numbers and residential addresses.

“All of that is considered personal data. So our request for a one-time password is our preparation for when the law is implemented, which we assume will be based on these EU GDPR practices as is the draft that is currently with the parliament,” she says.

The GDPR is an important component of EU privacy and human rights law, Kangueehi-Kanalelo says.

Rowney counters Kangueehi-Kanalelo’s argument, saying the EU regulations would require the option to opt out of non-essential data and an explanation as to why certain data is being collected, how it is stored and the right to have it deleted.
MTC was unable to respond to questions around the safety of clients’ data, while confirming that there was a security breach from within the company.

Kangueehi-Kanalelo says the company has shared the link for online registration internally, which has been leaked.

She says the system was meant to handle entries by MTC employees as a test.