The SIM registration thing has been on the edge of my consciousness for a while. Each time I read or hear some announcement about it the media or come across something on a telco’s website about it, the thought occurs to me that someone who understands the industry really should write about the potential economic impact of this new law. One of the things that has contributed to the growth of cell phone usage in Nigeria is the extremely low barrier to acquiring one. I actually think that one of the reasons fewer people have acquired postpaid lines is the relative complexity involved in getting one. I believed that the new rule would have some kind of chilling effect on the industry, but was hoping that someone more knowledgeable than I am would write about it.
Despite this, I hadn’t actually gone looking for any writing about it, Until Oluniyi David Ajao’s blog post popped up in my Twitter stream. Niyi’s post (which for some reason has disappeared from his blog page, but it is still cached on Bing) doesn’t look at it from a commercial impact perspective so much as it is an examination of the touted security “benefits”. He is harsh in his criticism. For the most part, I agree with him. I don’t think the reasons for the new rules are well thought out or are hard to circumvent. In particular, in a country where it is easy to get multiple driver’s licenses and passports (official ones) in multiple names, the idea of being able to tie a SIM to an individual who doesn’t want his identity divulged is laughable. At the very minimum, a kidnapper can use his victim’s cell phone to make his ransom demands, and can make those demands while on the move, thwarting any attempt to use triangulation or GPS to track them. It also assumes an investigative efficiency that the law enforcement agencies cannot be expected to demonstrate.
My concerns over the impact of this on commerce appear to be valid if MTN’s experience with such a law in South Africa is examined. There was a drop in line acquisition and thus business growth attributed to the law, and I fully expect the same to happen in Nigeria. However, these are not the biggest concerns. A larger issue is this: do we want any large organisation, a telco or a government agency to have unfettered access to our location data without our explicitly choosing to give them that information? Do we want to give telcos information that is not specifically required to enable them provide me a service and get paid for it? Am I expected to trust that they will implement adequate security protocols to make sure that my data is not mined and used in fraud, identity theft, impersonation and even by the selfsame kidnappers to track me down? My fingerprints in MTN’s database? All over the world governments are vehemently resisting the likes of Google capturing and storing personally identifiable data and our government is asking private organisations to capture and hold this information in trust? This is why we need a Federal CIO.
At least one writer finds the idea to be a good one. Though I should point out to “Jacob” that the countries he refers to capture this information for billing purposes because they mostly sell contracts (postpaid lines) not prepaid. Some might argue that if you are not engaged in or planning to engage in criminal activity, you should have no course for concern. Maybe. It is also true that it is the innocent that are worst hit when institutions mismanage or abuse the enormous powers they hold. The criminal usually escape unscathed. Simply put, I don’t trust the telcos or the government to do right by me with my data. I also do not trust them to take the necessary action if the scenario presented itself for them to apprehend criminals or save lives.
However, my protestations are a tad too late.The ship has sailed and we will have to deal with the effect down the road. The time to get involved in the debate is long past. For now, let me make some suggestions on governance to manage the situation.
- All systems that store any of this information should be subject to strict laws and controls about encryption and access. At a minimum the kinds of controls that govern financial records (on the scale of the US PCI and Sarbanes-Oxley IT systems rules) should be enforced. If these are not already in place, the process should be stopped until they do.
- No data should be provided to any law enforcement agent without a warrant from a court of law.
- Location data, if captured, should not be retained for more than an agreed upon timeframe? Perhaps 3 months at the most.
- No commercial use should be made of this data without an explicit opt-in by customers (Indeed, if you are going to use my data, not only should you get my permission, but you should pay me for the privilege).
- Any data breach should immediately be published to the public.
- Equip the police. Technology is only as good as the human infrastructure and people processes behind it.
If nothing else, this situation brings up the fact that we absolutely need to have a national dialogue about information and communication technology and the rights and privileges of the citizenry. We who understand the technology and have some insight into the social economic impact should keep a very keen eye on what our governments come up with and be vociferous in providing support when appropriate or criticism when needed