You are here

A tracker in your pocket: the Colombian cellphone registry is bad for human rights

Date: 
18 September 2017

This blog was written by Fundación Karisma, a member of the Privacy International Network. It does not necessarily reflect the views or position of Privacy International.

The Colombian General Prosecutor said recently that the blocking of IMEI is not working. He is talking about a registry created in 2011 that aims to reduce cellphone theft by blocking reportedly stolen phones of Colombian networks.

Fundación Karisma has been following this program and now, after six years of implementation, it is clear for us and for our institutions, that the registry is not working as intended. Even more, our recent research report shows that it affects our rights to privacy and freedom of expression.

Along with the report, Karisma has launched a series of multimedia pieces that explain the problems found with the registry. Here is a summary guide in English to the problems we found and what can we learn from them.

What is the registry?

In 2011, the death of a priest in Bogotá was attributed to cellphone theft. By that time, around 400 people were killed for related reasons, and more than 1.6 million devices were reported as stolen. Responding to pressure, the ICT Ministry issued a decree to establish a measure to reduce the incentives for thieves to go after cellphones and thus reduce theft and related crimes.

The decree was followed by a law and regulations established by the Telecommunications Regulator, which included a registry consisting of:

(1) lists of IMEI, or databases, as the legal documents call them, and

(2) a verification procedure

The core idea of the registry is that every legal device is allowed to work on mobile networks because it’s listed in a “positive database”. Whenever a cell phone is stolen or lost, its IMEI is recorded in the “negative database”. Mobile carriers should block any IMEI listed on this negative database to bar them from working on their networks. Also, a verification procedure was devised to keep both lists operational and effective. Based on communications metadata, the activity of each cellphone in Colombian networks is monitored to detect counterfeit or duplicated IMEI, along with devices that lack a certificate of conformity.

What is the problem?

The registry poses several problems from a human rights perspective.

First, each IMEI is tied to a person’s ID because the registry requires carriers to record IMEI, IMSI and telephone number along with the owner’s name, ID and address. These registry mechanisms have been rejected by the UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression because they eliminate the possibility to communicate anonymously. This allows the tracking of people and facilitates the surveillance of communications.

Second, the verification procedure uses communications metadata, bypassing the constitutional protection recognised for communications content. The list of requirements for data retention that mobile carriers must follow may fill voids in surveillance communications law, which effectively reduces privacy and data protection rights.

Finally, the system affects human rights and is not effective. The same results currently achieved can be reached without the registration of people’s ID and the use of metadata. Sharing the list of stolen cell phones may be as effective and less invasive than the current registry. Moreover, using only the negative list of IMEI is how it works generally in other countries and it is the way GSMA promotes the use of the system.

Want to learn more?

Fundación Karisma has launched a research report along with the website karisma.org.co/nomascelusvigilados to explain the cell phone registry in Colombia and its problems. Most of the material is in Spanish, but you will still be able to find two key pieces in English: an animated video called The war against phone theft in Colombia and the executive summary of Karisma’s research. Read and share!