Namibia’s Biometric Verification Travesty

Society cannot exist without law. Law preserves society and holds it together. It is the essence of civil society.

Therefore, even though Namibia is looking to comply with the General Data Protection Regulation of the European Union (EU), considered the best practice example for data protection internationally, Namibian laws must reign supreme.

Biometric verification is any means by which a person can be uniquely identified by evaluating one or more distinguished biological traits.

These include fingerprints, facial recognition, hand and earlobe geometries, retina and vein patterns, voice prints and written signatures.

Cloud technology is often used to make biometric information more accessible and portable, regardless of location.

Cloud security has been improved over recent years, but vulnerabilities remain.

If a database containing identification records is compromised, the biometric system tied to the data will be vulnerable.

It can be extracted, deleted or manipulated, undermining the system’s reliability.

However, biometric data is stored as an encrypted numerical value as oppose to raw data, which is near impossible to reverse engineer.

Still, biometric authentication holds a number of risks, including false matches, false rejections, algorithmic bias and biometric spoofing. 

Hackers can target biometric databases too, putting people at risk for identity-based attacks. If this happens, they may not be able to do anything about it.

A person can always change their password, but not their biometric details, such as fingerprints and eyes.
If your biometric data is stolen or lost, it could be permanently compromised.
Hackers have also found ways to bypass biometric authentication, and are able to access your most sensitive and vulnerable information.

THE LAW

The Communications Act of 2009, as well as further conditions on telecommunications licensees, requires operators to collect basic information such as names, dates of birth, addresses and copies of identification documents to register a SIM card.

There’s no mention of biometric information being legally required for SIM card registration.

Thus, harvesting facial and fingerprints biometric data in the absence of legislated data protection safeguards is fundamentally flawed.

MTC Namibia has been scanning fingerprints and taking face photos of subscribers for SIM registration, while the legal framework only requires basic information.

Citizens were called on to voluntarily register their SIM cards with mandatory registration set to be implemented from 1 January through to 31 December 2023.

What was striking was that MTC collected fingerprints and facial biometric data at its SIM card registration points.

The Communications Regulatory Authority of Namibia (Cran) recently issued a directive that telecommunications operators should discontinue capturing clients’ biometric data in the absence of a data-protection legislative framework.

This means the biometric aspect is not legally sanctioned.

Surprisingly, MTC Namibia said it would continue offering its ‘Verifi’ as part of the biometric data-capturing process, and as a condition of service for customers which aims to offer additional security.

They said it would help tackle fraud and crime, and offer customers convenience when it comes to their MTC profiles.

This is a conundrum for law experts. To date, 1,2 million SIM cards have been registered.
 
WHAT NOW?

In summary, Namibia does not have an online privacy and data protection law.

Consultations around such a law have been ongoing since 2019.

So far, the draft law doesn’t deal in depth or appropriately with biometric data management systems.

By law, once a regulator, Cran in this case, has made a ruling, MTC must follow the directive or challenge it in court.

At present, there are no measures in place on customer rights if, for example, data information is leaked to criminals, or on how information is stored and for how long.

These are all matters that would otherwise be contained in a law.

Alternatively, MTC must be asked to delete the biometric database acquired during its SIM card registration drive or face the law.

• Major general JB Tjivikua served in the Namibian Police for 27 years