Myanmar: Dangerous Plans for Biometric SIM Card Registration Must be Scrapped

The Government of Myanmar proposes a biometric SIM registration system in absence of data protection laws and security safeguards.

Key points

The plans for a biometric SIM registration system are a serious threat to privacy in a country lacking any data protection laws and where minorities are systematically persecuted, and must be scrapped.

Privacy International has written to Myanmar's Post and Telecommunications Department (PTD) to demand that they reveal the rationale behind the scheme and how they expect to mitigate the associated threats.

We have also written to the four telecommunications operators outlining our concerns.

Privacy International has received a response from the PTD and Telenor Myanmar.

News & Analysis
biometric fingerprint reader and tablet

Photo: National Institute of Standards and Technology

The Government of Myanmar is pushing ahead with plans to require anyone buying a mobile SIM card to be fingerprinted and hand over their ID cards, according to procurement documents circulated to prospective bidders. 

The plans are a serious threat to privacy in a country lacking any data protection laws and where minorities are systematically persecuted, and must be scrapped.

According to technical requirements developed by Myanmar’s Post and Telecommunications Department, the agency plans to require anyone buying a SIM to hand over their “name, left and right thumb prints, identity type, identity number and scan of identity card on both front and back sides”. Additionally, the specifications continue, they may require the “father's name, date of birth and street address”.

Prospective bidders are asked to ensure the centralised database is capable of holding up to 70 million biometric records. 

If the plans go ahead, they risk further facilitating the persecution of minorities by security forces through discrimination and exclusion, in a country still reeling from a crisis described as a "text book example of ethnic cleansing" by the UN human rights chief. 

The Government has so far not made public any economic or public policy case for taking this measure, according to the Myanmar Times

Bidders are due to present their technical solutions to the agency on 16 December.

SIM Card Registration: Flawed & Dangerous 

SIM card registration is widespread, with approximately 150 countries requiring people to show some form of identity in order to obtain a SIM. Requiring a person’s biometrics, however, goes a significant step further than simply having to show an identity. If finalised, Myanmar will join only 11 other countries with similar schemes, including Syria, Saudi Arabia, and Uganda, according to telecommunications industry body the GSMA. 

Both such requirements simplify the surveillance of network users for government authorities and allow them to share and match data with other private and public databases, enabling the state to create comprehensive profiles of individual citizens.

Without sufficient legal safeguards, surveillance is used arbitrarily to target individuals and minorities, which is a matter of grave concern in Myanmar which lacks such safeguards and is systematically persecuting the Rohingya people.  

Legal Void

The procurement document notes that the scheme is to be implemented “in line with applicable laws.” But it is unclear what "applicable laws" refers to, given the legal void in Myanmar when it comes to regulation of the activities of telecommunication operators, and generally data processing in Myanmar. 

Myanmar does not have a data protection law in place. 

This means that the data processing required for the creation of a biometric subscriber database would occur in a legal void, so that information collected as part of registration today could be kept for an indefinite amount of time and used for different purposes in the future, as technology, corporate incentives, or governments change. 

Concerns are heightened as communications surveillance in Myanmar is not regulated. Myanmar has yet to draft laws that govern the interception of communications by law enforcement and the telecommunication law adopted in 2013 provides extensive powers to the government including to access any information and telecommunications as well as to access telecommunication services for the matters relating national defence and security or public interest. 

The fact that such systems inherently facilitate surveillance, discrimination, and exclusion is of grave concern in Myanmar, where the military regime has committed serious human rights abuses against the Rohingya minority, possibly amounting to genocide, according to UN investigators. More than 730,000 Rohingya Muslims have fled Myanmar to Bangladesh since a 2017 military crackdown, according to Reuters.

Fighting Crime?

Such laws are often defended on the flawed assumption that they help fight crime. However, they instead create a black market for SIM cards while subjecting the vast majority of people to easier surveillance, given that anyone intent on committing a crime will likely not do so on a phone linked to their identity. 

In Pakistan, requiring SIM card registration resulted in the emergence of black markets for unregistered SIM cards, and a rise in identity fraud. Mexico’s card registration law was enacted in 2009 but was repealed just three years later after yielding no improvement in the prevention, investigation, and prosecution of associated crimes.  

According to a 2012 review by Deutsches Institut für Wirtschaftsforschung, “there is no convincing empirical evidence that mandatory registration in fact systematically lowers crime rates,” and “no robust empirical studies that show that such measures make a difference in terms of crime detection.” 

Exclusionary

If implemented, minorities will face a choice of either not having a phone or being subjected to widescale surveillance and tracking by a government intent on their removal.

Given the lack of legal safeguards and the obvious risks associated with such a scheme in which minorities are being systematically persecuted, telecommunications companies, international donors, bodies and governments must urge the authorities to desist from the scheme. 

Biometrics companies, who are due to present their bids on 16 December, should take these considerations into account as well as their international human rights obligations. They should also be reminded that there will be serious reputational and possibly legal consequences if they were to facilitate such a programme.

In response to the proposal, Privacy International have:

* Written to Myanmar’s Post and Telecommunications Department (PTD) to demand that they reveal the rationale behind the scheme and how they expect to mitigate the associated threats. They must abandon the plans if they are unable to guarantee the project's compliance with Myanmar's human rights obligations;

* Issued a letter to the major telecommunications operators outlining the concerns, their human rights obligations as well as the potential reputational impact.

UPDATE:

3rd January 2020:

In an email to Privacy International, Myanmar's PTD said,

"Please kindly note that we are preparing all the necessary Legal Framework for Biometric registration of SIM cards. We will take all the possible risks into account regarding that issue. Thank you for your cooperation in this matter."

We thank the PTD for their response. Nonetheless, while the government prepares the necessary legal framework, the procurement plans should be scrapped. We look forward to the government publishing the draft legal framework and allowing sufficient time for stakeholder consultation, especially with civil society experts. Once a legal framework is in place, which may take some time, the government has the opportunity to justify spending public money on the database, provide evidence that it is the solution to the problem they are trying to solve, undertake data protection and human rights risk assessments and address further technical concerns, as outlined in our letter.

13th March 2020:

Telenor Myanmar provided a detailed response to Privacy International, outlining the company's concerns about the proposal, including the lack of a protective legal framework and the impacts on privacy. When asked how Telenor Myanmar will seek to minimise the potential impact on freedom of expression and privacy, the company responded:

"If collection of personal data from customers is not covered under the local law, [the] Myanmar government must follow international obligations. To minimise the potential impact, TML [Telenor Myanmar Limited] plans to take the following actions:

1. Legal basis: TML will advocate to PTD to review the relevant law, regulations and licensing conditions to ensure that appropriate legal, data protection and privacy safeguards are in place for collection and management of biometric information. TML will also align with other operators to ensure that PTD carries out nation-wide information campaigns that clearly lays out the objectives, legal ground and processes and the role of operators to the customers.


2. Communication and transparency: Communicate to customers with full transparency and be clear on how the biometric data will be collected and why TML is collecting it as per the license agreement with PTD. TML will also clearly explain the nature of the data that is being collected and stored by TML, as well as the data that will be stored in the common database which PTD has access to.

TML has already taken the following steps:


1. We have completed an internal legal assessment, including privacy and human rights impacts, of the biometric database. We have also collected best practices from GSMA as well as other business units within the Telenor Group.


2. During the most recent meeting with PTD on technical evaluation of the common database vendors, which was attended by all operators and shortlisted vendors on 16th December, TML advocated to PTD for proper security measures (including privacy and personal data protection) during the system development and operation phases. TML also highlighted the need for a reliable project governance and management team to monitor ongoing data security whereby third-party evaluations/audit are performed during the system development and operation phases."

We thank Telenor Myanmar for their response, the full letter is attached below. The company provided valuable background information on the proposal and the obligations of operators in Myanmar regarding mandatory SIM registration. In addition, the company clearly articulated their position and concerns with the PTD's proposal.

We hope the remaining three operators will consider Telenor Myanmar's approach as we continue to anticipate their responses.

Privacy International will contine to update this page with any further action and developments.