Myanmar: Dangerous Plans for Biometric SIM Card Registration Must be Scrapped
Photo: National Institute of Standards and Technology
The Government of Myanmar is pushing ahead with plans to require anyone buying a mobile SIM card to be fingerprinted and hand over their ID cards, according to procurement documents circulated to prospective bidders.
The plans are a serious threat to privacy in a country lacking any data protection laws and where minorities are systematically persecuted, and must be scrapped.
According to technical requirements developed by Myanmar’s Post and Telecommunications Department, the agency plans to require anyone buying a SIM to hand over their “name, left and right thumb prints, identity type, identity number and scan of identity card on both front and back sides”. Additionally, the specifications continue, they may require the “father's name, date of birth and street address”.
Prospective bidders are asked to ensure the centralised database is capable of holding up to 70 million biometric records.
If the plans go ahead, they risk further facilitating the persecution of minorities by security forces through discrimination and exclusion, in a country still reeling from a crisis described as a "text book example of ethnic cleansing" by the UN human rights chief.
The Government has so far not made public any economic or public policy case for taking this measure, according to the Myanmar Times.
Bidders are due to present their technical solutions to the agency on 16 December.
SIM Card Registration: Flawed & Dangerous
SIM card registration is widespread, with approximately 150 countries requiring people to show some form of identity in order to obtain a SIM. Requiring a person’s biometrics, however, goes a significant step further than simply having to show an identity. If finalised, Myanmar will join only 11 other countries with similar schemes, including Syria, Saudi Arabia, and Uganda, according to telecommunications industry body the GSMA.
Both such requirements simplify the surveillance of network users for government authorities and allow them to share and match data with other private and public databases, enabling the state to create comprehensive profiles of individual citizens.
Without sufficient legal safeguards, surveillance is used arbitrarily to target individuals and minorities, which is a matter of grave concern in Myanmar which lacks such safeguards and is systematically persecuting the Rohingya people.
The procurement document notes that the scheme is to be implemented “in line with applicable laws.” But it is unclear what "applicable laws" refers to, given the legal void in Myanmar when it comes to regulation of the activities of telecommunication operators, and generally data processing in Myanmar.
Myanmar does not have a data protection law in place.
This means that the data processing required for the creation of a biometric subscriber database would occur in a legal void, so that information collected as part of registration today could be kept for an indefinite amount of time and used for different purposes in the future, as technology, corporate incentives, or governments change.
Concerns are heightened as communications surveillance in Myanmar is not regulated. Myanmar has yet to draft laws that govern the interception of communications by law enforcement and the telecommunication law adopted in 2013 provides extensive powers to the government including to access any information and telecommunications as well as to access telecommunication services for the matters relating national defence and security or public interest.
The fact that such systems inherently facilitate surveillance, discrimination, and exclusion is of grave concern in Myanmar, where the military regime has committed serious human rights abuses against the Rohingya minority, possibly amounting to genocide, according to UN investigators. More than 730,000 Rohingya Muslims have fled Myanmar to Bangladesh since a 2017 military crackdown, according to Reuters.
Such laws are often defended on the flawed assumption that they help fight crime. However, they instead create a black market for SIM cards while subjecting the vast majority of people to easier surveillance, given that anyone intent on committing a crime will likely not do so on a phone linked to their identity.
In Pakistan, requiring SIM card registration resulted in the emergence of black markets for unregistered SIM cards, and a rise in identity fraud. Mexico’s card registration law was enacted in 2009 but was repealed just three years later after yielding no improvement in the prevention, investigation, and prosecution of associated crimes.
According to a 2012 review by Deutsches Institut für Wirtschaftsforschung, “there is no convincing empirical evidence that mandatory registration in fact systematically lowers crime rates,” and “no robust empirical studies that show that such measures make a difference in terms of crime detection.”
If implemented, minorities will face a choice of either not having a phone or being subjected to widescale surveillance and tracking by a government intent on their removal.
Given the lack of legal safeguards and the obvious risks associated with such a scheme in which minorities are being systematically persecuted, telecommunications companies, international donors, bodies and governments must urge the authorities to desist from the scheme.
Biometrics companies, who are due to present their bids on 16 December, should take these considerations into account as well as their international human rights obligations. They should also be reminded that there will be serious reputational and possibly legal consequences if they were to facilitate such a programme.
In response to the proposal, Privacy International have:
* Written to Myanmar’s Post and Telecommunications Department (PTD) to demand that they reveal the rationale behind the scheme and how they expect to mitigate the associated threats. They must abandon the plans if they are unable to guarantee the project's compliance with Myanmar's human rights obligations;
* Issued a letter to the major telecommunications operators outlining the concerns, their human rights obligations as well as the potential reputational impact.
UPDATE: In an email to Privacy International, Myanmar's PTD said,
"Please kindly note that we are preparing all the necessary Legal Framework for Biometric registration of SIM cards. We will take all the possible risks into account regarding that issue. Thank you for your cooperation in this matter."
We thank the PTD for their response. Nonetheless, while the government prepares the necessary legal framework, the procurement plans should be scrapped. We look forward to the government publishing the draft legal framework and allowing sufficient time for stakeholder consultation, especially with civil society experts. Once a legal framework is in place, which may take some time, the government has the opportunity to justify spending public money on the database, provide evidence that it is the solution to the problem they are trying to solve, undertake data protection and human rights risk assessments and address further technical concerns, as outlined in our letter.
Privacy International will contine to update this page with any further action and developments.