SIM-Card Registration Study

5.1 billion people worldwide have mobile phones, accounting for almost 70 percent of the entire global population, according to the GSM Association.

The majority of national governments (around 150) require mandatory SIM-card registration, which means you need your real name and personal details to sign up for phone service. Just how private is mobile phone usage in each country? And how are governments using the data collected?

Here at Comparitech, we looked at a number of factors to determine where in the world SIM-card registrations are the most invasive. These include whether biometrics are required in the registration process, whether the data is stored by providers or shared with government agencies, what is (or is not) required for law enforcement to gain access to this data, how long the data is stored, and whether any data privacy legislation protects this information.

This map includes all of the countries we know of that have or do not have SIM-card registration laws. Some of these have been omitted from the overall study (with scorings and rankings) due to insufficient information on the laws and processes in place. Therefore, it wouldn’t be fair for us to include them as we cannot accurately score them for things like law enforcement access, penalties, and so on.

Top 15 countries with the worst SIM-card registration policies

  1. Tanzania (19 points) – Tanzania is at the top of our list with a score of 19/21. It manages to scrape back two points due to citizens being allowed a maximum of eight SIM cards (one per provider) and law enforcement not having invasive interception tools (although they can access data without a warrant). Subscribers’ information is submitted to the relevant authority once a month and registration includes fingerprints. This data isn’t protected by storage limitations, and with no data protection law in place, subscribers’ data is left open to various vulnerabilities. Furthermore, those who don’t comply with the law may find themselves being fined 7 million Tanzanian shillings (US$3,000) and/or spending more than two years in prison.
  2. Saudi Arabia (17 points) – Fingerprints are a requirement for anyone registering for a SIM card in Saudi Arabia and all of this data collected has to be validated by the provider before the SIM card is activated. Law enforcement has access to this data and may not need a warrant. No data storage limitations are mentioned and no data protection law is in place. Furthermore, residents are limited to 10 SIM cards.
  3. North Korea, Uganda (15 points) – Both North Korea and Uganda receive 15 points but for slightly differing reasons.
    • North Korea scores poorly due to mobiles and their networks being supplied by the government, thus restricting people’s access to multiple SIMs and their privacy when using their mobiles. For example, if a user accesses something that they shouldn’t, they are sent an alert warning them that the government has noted this action. Users who don’t follow the registration process can receive prison sentences for as long as three years and could also face hefty fines. North Korea fails to protect registration data with no telecommunication storage retention or data protection laws. The government has ensured tourists aren’t able to leave SIM cards with residents by deactivating the SIM card after their visit and charging tourists $250 per SIM card.
    • In contrast, Uganda doesn’t restrict the number of SIM cards used and enforces the requirement of a warrant to access customer data. However, Uganda’s poor score is due to its biometric checks for SIM-card registration, its capture and validate system, its lengthy storage retention laws (5 years after a contract is terminated or canceled), and its use of fines and/or imprisonment for those who fail to comply.
  4. Lebanon, Pakistan, Singapore, Sri Lanka (14 points) –
    • Lebanon’s poor score comes from its limit of three SIM cards per person and its lack of protection for data collected. Lebanon is discussing the possibility of biometric checks.
    • Pakistan’s score results from the use of fingerprints in the SIM-registration process, its capture and validate system, and its limit of five SIM cards per person.
    • Singapore scores poorly due to the use of facial recognition, the limit of three SIM cards per person, and severe penalties for more extreme cases (excessive use of unregistered SIM cards).
    • Finally, while Sri Lanka doesn’t use biometrics, it does fall short when it comes to SIM card limits (five per person), potential access to data without a warrant, and lack of data protection.
  5. Bahrain, Bangladesh, China, Myanmar, Nigeria, Tajikistan, United Arab Emirates (13 points) – Bahrain, Bangladesh, and China have very similar scores across the categories. All of them employ a capture and validate system, use fingerprints or facial scans in the registration process, allow law enforcement access without a warrant, and store data for lengthy periods of time.
    • Myanmar is the only one of this group not to use fingerprints in the data collection process but scores poorly due to its SIM card limit (two per person) and lack of data protection.
    • Both Nigeria and the United Arab Emirates have implemented severe penalties for those who don’t register their SIMs (imprisonment and/or fines).
    • Tajikistan limits users to four SIM cards.
    • Nigeria, the UAE, and Tajikistan score poorly due to their data retention periods either being lengthy or unclear.

SIM-Card Registration Laws by Country

| Score | Country | Registration Required? | Capture and Store? | Data Privacy Framework? | Biometric Check? | # of SIM Cards Allowed per Person | Law Enforcement Interception Access? | Penalties? | Data Stored For... |
| 19 | Tanzania | Yes | Capture and Share | No | Fingerprints | 1 per network (in progress) = 8 | Yes and can seize equipment (doesn't state if warrant required) | Suppliers - 3 million Tanzanian shillings ($1.3k) and/or 12 months in prison (or if a network licensee - 15 million ($6.5k)); Individual - 7 million Tanzanian shillings ($3k) and/or 2 years in prison | Not stated |
| 17 | Saudi Arabia | Yes | Capture and Validate | No | Fingerprints | 10 (or 2 for foreigners) | Yes (no warrant) | Suspension | Not stated |
| 15 | North Korea | Yes | Capture and Store | No | No | Not clear but likely to be limited | Yes (phones and networks are supplied by the government and alerts are sent if you access something you shouldn't) | 3 years in prison and a heavy fine (or something far more severe) | Not stated |
| 15 | Uganda | Yes | Capture and Validate | Yes | Fingerprints | Not stated | Yes (warrant) | Fine or imprisonment for up to 12 months (customer or employee/agent); Fine of R100,000 for each day they fail to comply | 5 years (after cancellation or termination) |
| 14 | Lebanon | Yes | Capture and Store | No | In discussion | 3 | Yes (with a judge's grant) | Not stated | Not stated (ISPs for one year) |
| 14 | Pakistan | Yes | Capture and Validate | No | Fingerprints | 5 | Warrant | Subscriber - deactivation | 1 year |
| 14 | Singapore | Yes | Capture and Store | Yes | Facial recognition - with SingTel | 3 | Yes (no warrant) | Jail if extensive (see notes) | 12 months (at least) |
| 14 | Sri Lanka | Yes | Capture and Store | No | No | 5 | Interception has been known without a warrant | Subscriber - deactivation | No clear law |
| 13 | Bahrain | Yes | Capture and Validate | Yes | Fingerprints | 10 | Yes | Providers - possible fine; Subscribers - deactivation | 1 year after contract terminated/expired |
| 13 | Bangladesh | Yes | Capture and Validate | Yes | Fingerprints | 15 | Yes | Providers - fines; Subscribers - deactivation | Not stated "unspecified" |
| 13 | China | Yes | Capture and Validate | Yes | Facial recognition | No limit | Yes | Provider - 50,000 to 500,000 RMB ($7.1k to $71k); Subscriber - as lines are heavily monitored and punishments for cybersecurity extreme, imprisonment or hefty fines are likely | Not stated |
| 13 | Myanmar (Burma) | Yes | Capture and Store | No | No | 2 | Yes (warrant) | Subscriber - deactivation | Not stated |
| 13 | Nigeria | Yes | Capture and Share | Yes | Fingerprints; Facial image | No limit | Yes (written request by an official not below Assistant Commissioner of Police) | Provider - N200,000 ($550) for each subscription; Subscriber - imprisonment | 3 years |
| 13 | Tajikistan | Yes | Capture and Store | Yes | Fingerprints | 2 per provider (4) = 8 | Yes (not clear if warrant required) | Subscriber - deactivated | Not stated |
| 13 | United Arab Emirates | Yes | Capture and Store | Yes | Fingerprints | Unlimited | Yes (telecoms providers must provide access) | Fake registration is punishable by at least 1 year in prison and a fine of no less than 250,000 (but no more than 1 million) dirhams - $68k to 272k | 2 years |
| 12 | Cameroon | Yes | Capture and Store | No | No | 12 | Yes | Providers - fines (examples provided); Subscriber - deactivation | Not stated |
| 12 | Cuba | Yes | Capture and Store | No | No | 3 | Yes | Subscriber - deactivation | 3 years |
| 12 | Jordan | Yes | Capture and Store | No | In progress | 10 per operator (3) = 30 | Yes (judicial order) | Subscriber - deactivation; Provider - various sanctions possible | Not stated (cafe owners required to keep internet traffic of users for 6 months) |
| 12 | Kenya | Yes | Capture and Share | Yes | No | 10 | Yes (files must be made accessible to the authority) | Provider - A fine not exceeding three hundred thousand shillings ($2.9k) or to imprisonment for a term not exceeding six months or to both; Subscriber - 100,000 shillings ($1k) and/or imprisonment for 6 months (for false information) | Not stated |
| 12 | Mozambique | Yes | Capture and Store | Yes | Can provide fingerprint instead of ID | 5 per operator (3) = 15 | Yes | Providers - fines (were issued fines of up to $115,000 if they failed to comply with the SIM registration requirements); Subscribers - deactivation | 5 years (after termination) |
| 12 | Oman | Yes | Capture and Store | Yes | Fingerprints | 10 per operator (4) = 40 | Yes | Subscriber - deactivation | Not stated |
| 11 | Burundi | Yes | Capture and Store | No | No | No limit | Yes | Provider - fine of up to $2967; Subscriber - deactivation | Not stated |
| 11 | Cambodia | Yes | Capture and Store | No | No | No limit | Yes | Providers - suspension and fines; Subscribers - deactivation | Not stated |
| 11 | Ecuador | Yes | Capture and Validate | No | No | No limit | Yes | Subscriber - deactivation | 5 years (at least) |
| 11 | Eritrea | Yes | Capture and Store | No | No | No limit | Yes | Provider - fines and sanctions depending on severity; Subscriber - deactivation | Not stated |
| 11 | Gambia | Yes | Capture and Store | Yes | No | 5 | Yes | Provider - GMD 50,000 = $974; Subscriber - deactivation | 3 years |
| 11 | Haiti | Yes | Capture and Store | No | No | No limit | Yes | Provider - termination of license; Subscriber - deactivation | Not stated |
| 11 | Honduras | Yes | Capture and Store | No | No | No limit | Yes (must provide criminal court with any requested information) | Providers - HNL1.5 million ($80k) and imprisonment for 3-5 years; Subscriber - deactivation | Not stated |
| 11 | Italy | Yes | Capture and Share | Yes | No | No limit | Yes | Subscriber - deactivation | Up to 6 years |
| 11 | Senegal | Yes | Capture and Validate | Yes | No | No limit | Yes (no warrant) | Blocked; Fraudulent use - 1 to 5 years imprisonment and a fine of 1 to 3 million CFA Francs ($1.7k to $5k) | Not stated |
| 11 | Sierra Leone | Yes | Capture and Store | No | No | No limit | Yes (warrant) | Provider - 100,000 Leones per subscriber; Subscriber - disconnection | 10 days after a licensed operator ceases operating or has their license revoked - nothing else stipulated |
| 11 | South Africa | Yes | Capture and Store | Yes | No | 100 | Warrant (oral or written) | Provider - fine of R 100,000 (for each day the failure to comply continues) = $6.8k; Consumer - fine or prison for up to 12 months | 5 years (after cancellation or termination) |
| 11 | Thailand | Yes | Capture and Validate | Yes | Fingerprints OR Facial scan | 5 per provider (3) = 15 | Not clear if a warrant is required but telecoms providers have to disclose personal information to government agencies/officials - and allow interception for legal purposes. | Provider - fines/suspensions; Subscriber - deactivation | Fingerprints are not stored. Data stored 3 months post service. New law for 5 years to help "drive the country's economy" but this wouldn't be identifiable - just Big Data for analysis. |
| 11 | Turkmenistan | Yes | Capture and Store | Yes | No | 2 | Yes | Suspension | Not stated |
| 11 | Zimbabwe | Yes | Capture and Store | No | No | Not stated | Yes (warrant) | 6 months in prison if false information provided and/or a level-5 fine | 5 years (after cancellation or the service has ended) |
| 10 | Argentina | Yes | Capture and Store | Yes | No | No limit | Yes (data must always be available for a possible request by the Judiciary and/or from the Public Ministry) | Prison for 6 months to 3 years (both subscribers and providers) | Not stated |
| 10 | Belize | Yes | Capture and Store | No | No | No limit | Yes (court order) | Provider - possible fine and/or imprisonment; Subscriber - deactivation | Not stated |
| 10 | Eswatini (Swaziland) | Yes | Capture and Store | No | No | Not stated | Yes (not stipulated if warrant required) | Providers - fine for not implementing (one thousand Emalangeni = $68 per subscriber); Subscribers - deactivation and responsibility for activities carried out on SIM card | 5 years (after cancellation or termination) |
| 10 | Guatemala | Yes | Capture and Store | No | No | No limit | Yes (court order) | Provider - sanction of 100-200,000 quetzals ($13-26k); Subscriber - potential sanctions and/or imprisonment | 3 years |
| 10 | Guyana | Yes | Capture and Store | No | No | No limit | Yes (warrant) | Provider - selling for fraudulent use $500,000 to $2 million and prison for no more than 1 year; Subscriber - imprisonment if SIM is used by someone else for crimes or deactivation | Not stated |
| 10 | Hungary | Yes | Capture and Validate | Yes | No | 10 | Yes | Provider - daily fines of 50,000-500,000 ($405-$4k); Subscriber - deactivation | 1 year |
| 10 | Indonesia | Yes | Capture and Validate | Yes | No | 4 | Yes | Subscriber - deactivation | 3 months |
| 10 | Iran | Yes | Capture and Store | Yes | No | 10 | Yes | Subscriber - deactivation | Not stated |
| 10 | Somalia | Yes | Capture and Store | No | No | Not stated | Warrant (perhaps not in cases of national security) | Subscriber - deactivation | Not stated |
| 10 | South Korea | Yes | Capture and Store | Yes | No | 1 | Warrant | Subscriber - deactivation | Two years (RRN) |
| 10 | Timor-Leste | Yes | Capture and Store | No | No | No limit | Yes (court order) | Subscriber - deactivated | Not stated |
| 10 | Tonga | Yes | Capture and Store | No | No | No limit | Yes (court order) | Provider - possible fines and imprisonment; Subscriber - deactivation | Not stated |
| 9 | Afghanistan | Yes | Capture and Store | Yes | Fingerprints | No limit | Yes | Provider - 2 years in prison; Subscriber - deactivation | Not stated |
| 9 | Algeria | Yes | Capture and Share | Yes | No | No limit | Yes (state owned) | Subscriber - deactivation | Not stated |
| 9 | Azerbaijan | Yes | Capture and Store | Yes | No | 5 per operator (3 operators) = 15 | Yes | 5,000 manats for officials ($2.9k), 25,000 manats for legal entities ($14.7k) | Not stated |
| 9 | Benin | Yes | Capture and Store | Yes | Fingerprints | No limit | Yes (judicial order) | Provider - 1% of annual turnover if not implemented; Subscriber - deactivation | 1 year (from last communication) |
| 9 | Egypt | Yes | Capture and Validate | Yes | No | No limit | Yes | Provider - confinement to prison and a fine of no less than 10,000 pounds or no more than 100,000 pounds ($623 to $6.2k); Subscriber - deactivation | Not stated |
| 9 | Kuwait | Yes | Capture and Store | Yes | No | No limit | Yes | Provider - fines and possible prison sentences; Subscriber - deactivation | 5 years (only period mentioned by the authority) |
| 9 | Kyrgyzstan | Yes | Capture and Store | Yes | No | No limit | Yes (providers have to ensure their systems work with SORM equipment) | Subscriber - disconnection; No other sanctions described in separate law | 3 years |
| 9 | Liberia | Yes | Capture and Validate | No | In progress | No limit | Yes (court order) | Provider - $50,000 first offense of not verifying a user, $150,000 for every offense thereafter; Subscriber - deactivation | At least 12 months |
| 9 | Malawi | Yes | Capture and Store | Yes | No | No limit | Yes (court order) | Provider - K1,000,000 ($1.3k) and imprisonment for two years; Subscriber - deactivation (could be held liable for k5,000,000 ($6.5k) and imprisonment for five years) | Not stated |
| 9 | Peru | Yes | Capture and Validate | Yes | Fingerprints | No limit | Yes (with a judicial mandate) | None mentioned (fines have been given to providers not following the law) | Until the contract ends |
| 9 | Rwanda | Yes | Capture and Store | No | No | 3 per operator (2) = 6 | Yes (no warrant) | Provider - fine of 1.5 million Rwandan Francs for each SIM ($1.6k); Subscriber - fine | 6 months (at least) from deregistration |
| 9 | Venezuela | Yes | Capture and Store | Yes | Fingerprints | No limit | Yes | Subscriber - deactivation | Customers details 3 months after termination; Details of calls, geographic location of callers, time, date, duration of call = 12 months |
| 8.5 | Costa Rica | Optional | Capture and Store | Yes | No | 5 (but voluntary) | Yes (judicial order) | Subscriber - deactivation | Not stated |
| 8 | Botswana | Yes | Capture and Store | Yes | No | No limit | Yes | Provider - fines; Subscriber - deactivation | Not stated |
| 8 | Brazil | Yes | Capture and Store | Yes | No | No limit | Yes (judicial request) | Provider - fine (R $ 100,000 = $2.46k) and contract termination; Subscriber - fine (R $ 50,000 = $1.23k) and deactivation | Not stated |
| 8 | Côte D'Ivoire | Yes | Capture and Store | Yes | No | No limit | Yes (written request) | Provider - sanctions; Subscriber - deactivation (and liability for any crimes committed on a registered card) | 3 years after the end of the subscription |
| 8 | Democratic Republic of Congo | Yes | Capture and Store | Yes | No | No limit | Yes | Provider - possible sanctions and fines between 10 million and 100 million Francs ($5.9k to $59k); Subscriber - deactivation | Not stated |
| 8 | Dominican Republic | Yes | Capture and Validate | Yes | No | No limit | Yes (judicial order) | Subscriber - deactivation | Not stated |
| 8 | Ethiopia | Yes | Capture and Store | No | No | No limit | Yes | Provider - possible fines and imprisonment; Subscriber - deactivation | 1 year |
| 8 | India | Yes | Capture and Store | Yes | No | 9 | Yes | Provider - Legal action; Subscriber - deactivation | 6 months |
| 8 | Japan | Yes | Capture and Store | Yes | No | No limit | Yes | Provider - Varying fines and potentially imprisonment; Subscriber - deactivation | 3 years (from termination of contract) |
| 8 | Malaysia | Yes | Capture and Validate | Yes | No | 5 per company (2) = 10 | Yes (court order sometimes required but rarely declined) | Provider - fines tend to be issued; Subscriber - deactivation | Not stated "no longer than necessary" |
| 8 | Mali | Yes | Capture and Store | Yes | No | No limit | Yes | Subscriber - deactivation | Not stated |
| 8 | Mauritania | Yes | Capture and Store | Yes | No | A "reasonable" number | Yes (warrant) | Providers - fines (some large - see notes); Subscribers - deactivation | Not stated |
| 8 | Montenegro | Yes | Capture and Store | Yes | No | No limit | Yes (interception capabilities required) | Provider - 1 to 10% of total revenue if it fails to retain data required for identification and registration of subscribers | 1 year (after termination) |
| 8 | Morocco | Yes | Capture and Store | Yes | No | No limit | Yes | Subscriber - deactivation | Not stated |
| 8 | Nepal | Yes | Capture and Store | Yes | No | No limit | Yes (nothing stipulated in the legislation) | Subscriber - deactivation | Not stated |
| 8 | Qatar | Yes | Capture and Store | Yes | No | No limit | Yes | Subscriber - deactivation | Not stated |
| 7 | Albania | Yes | Capture and Store | Yes | No | No limit | Yes | Providers - fine; Subscriber - deactivated | At least a year from the last bill made |
| 7 | Angola | Yes | Capture and Store | Yes | No | No limit | Yes | Subscriber - disconnection | At least a year |
| 7 | Armenia | Yes | Capture and Store | Yes | No | No limit | Yes (court order) | Provider - different fines depending on the offence; Subscriber - deactivation | Not stated |
| 7 | Barbados | Yes | Capture and Store | Yes | No | No limit | Yes (warrant) | Provider - fine; Subscriber - deactivation | Not stated |
| 7 | Belarus | Yes | Capture and Store | Yes | No | No limit | Yes | Not stated | 1 year |
| 7 | Dominica | Yes | Capture and Store | Yes | No | No limit | Yes (court order) | Provider - potential fines; Subscriber - deactivation | Not stated |
| 7 | Germany | Yes | Capture and Store | Yes | No | No limit | Yes (have to ensure the Regulatory Authority can retrieve customer data files at all times) | Provider - €20,000 euro fine if they fail to enforce ($22.2k); Subscriber - deactivation | When the contractual relationship ends, the data is to be erased upon expiry of the calendar year following the year in which the contract terminated. |
| 7 | Georgia | Yes | Capture and Store | Yes | No | No limit | Yes (some interception capabilities) | Subscriber - deactivation | 1 year (after termination of contract) |
| 7 | Greece | Yes | Capture and Store | Yes | No | No limit | Yes (government has access) | Subscriber - deactivation | 1 year (after end of contract) |
| 7 | Macau | Yes | Capture and Store | Yes | No | No limit | Yes | Provider - fine MOP 50,000 to 150,000 ($6.2k to $18.7); Subscriber - deactivation | 1 year |
| 7 | North Macedonia | Yes | Capture and Store | Yes | No | No limit | Yes | Provider - €20,000; Subscriber - deactivation | 12 months |
| 7 | Poland | Yes | Capture and Store | Yes | No | No limit | Yes (no warrant) | None (deactivation) | 12 months |
| 7 | Russia | Yes | Capture and Store | Yes | No | No limit (but likely to be an issue if many are registered in one name) | Yes (no warrant) | Provider - 5,000 rubles fine ($80); Subscriber - deactivation | 6 months |
| 7 | Slovakia | Yes | Capture and Store | Yes | No | No limit | Yes (interception capabilities are required) | Provider - failure to correct the right data = €1.5 million (but this covers a manner of things); Subscriber - disconnection | 6 months |
| 7 | Tunisia | Yes | Capture and Store | Yes | No | Not stated | Yes (warrant) | Provider - sanctions; Subscriber - deactivation | Not stated |
| 7 | Uruguay | Yes | Capture and Store | Yes | No | No limit | Court order | Suspension for providers | Up to 2 years (if necessary) |
| 6 | Australia | Yes | Capture and Store | Yes | No | No limit | Yes | Subscriber - deactivation | Length of contract |
| 6 | Austria | Yes | Capture and Store | Yes | No | No limit | Yes | Provider - fined up to 37,000; Subscriber - deactivation | Length of contract |
| 6 | Belgium | Yes | Capture and Store | Yes | No | No limit | Yes (strict conditions) | Subscriber - deactivation | 1 year |
| 6 | Chile | Yes | Capture and Store | Yes | No | No limit | Yes | Subscriber - deactivation | Not stated "when they are expired" |
| 6 | Fiji | Yes | Capture and Store | No | No | No limit | Yes (warrant) | Provider - failure to suspend the service or follow procedure can result in a maximum fine of 200,000 dollars ($92k); Subscriber - providing false information can result in a maximum fine of 10,000 dollars ($4.6k) and/or 1 year imprisonment | Throughout contract |
| 6 | Kazakhstan | Yes | Capture and Store | Yes | No | No limit | Yes (when sanctioned by a prosecutor) | Subscriber - deactivation | 2 years |
| 6 | Kosovo | Yes | Capture and Store | Yes | No | No limit | Yes (warrant) | Provider - fines (up to 7% of annual income); Subscriber - disconnection | 1 year; 2 years (after a user is changed) |
| 6 | Laos | Yes | Capture and Store | Yes | No | No limit | Yes (with approval) | Both - Educated, fined or penalized depending on the degree of violation | When using purpose is terminated |
| 6 | Turkey | Yes | Capture and Store | Yes | No | Not stated (but can only import one mobile phone every three years) | Yes (warrant) | Provider - sanctions and possible fines (up to 10 million Turkish Liras - $1.68 million - for connecting illegal equipment); Subscriber - deactivated | Until no longer required (reviewed every six months) |
| 6 | Uzbekistan | Yes | Capture and Store | Yes | No | No limit | Not clear if warrant required but Data Protection Act suggests that consent isn't required for LE to carry out their duties. | Subscriber - deactivation | No longer than is necessary |
| 6 | Zambia | Yes | Capture and Store | Yes | No | Not stated | Yes (warrant) | Sellers - 2.5k penalty units; Providers - 2.5k penalty units and/or imprisonment for up to 2 years; Subscribers - deactivation | 1 year |
| 5 | Bhutan | Yes | Capture and Store | Yes | No | No limit | Yes (warrant) | Provider - penalties; Subscriber - deactivation | "When obsolete" |
| 5 | Bulgaria | Yes | Capture and Store | Yes | No | No limit | Yes (some protections but immediate access to be provided in some cases, i.e. imminent danger or national security) | Provider - fine; Subscriber - deactivation | 6 months |
| 5 | France | Yes | Capture and Store | Yes | No | No limit | Yes (warrant usually required but some intercept capabilities allowed for intelligence agencies) | Subscriber - deactivation | 3 months (limit - data protection law) |
| 5 | Ghana | Yes | Capture and Store | Yes | No | No limit | Yes (court order) | Provider - 2,000 penalty units and 1,000 penalty units for each day the offence continues; Subscriber - deactivation | "No longer than necessary" |
| 5 | Luxembourg | Yes | Capture and Store | Yes | No | No limit | Yes (written request) | Provider - penalty; Subscriber - deactivation | 6 months |
| 5 | Madagascar | Yes | Capture and Store | Yes | No | No limit | Yes (public order) | Subscriber - deactivation | Not stated (electronic communications' traffic data can only be stored for the "time necessary") |
| 5 | Mauritius | Yes | Capture and Store | Yes | No | No limit | Yes (with approval of judge) | None included in SIM card regulation | Not stated ("as long as necessary for the purposes for which such data has been collected and processed") |
| 5 | Norway | Yes | Capture and Store | Yes | No | No limit | Yes (warrant) | Subscriber - deactivation | 6 months |
| 5 | Papua New Guinea | Yes | Capture and Store | Yes | No | No limit | Yes (warrant or written request from security agency) | Provider - K50,000 per card ($14.7k); Subscriber - deactivation | 6 months (from deactivation) |
| 5 | Spain | Yes | Capture and Store | Yes | No | No limit | Warrant | Subscriber - deactivation | As long as is "necessary" |
| 5 | Switzerland | Yes | Capture and Store | Yes | No | Not stated | Yes (with approval from the Post and Telecommunication Surveillance Service (PTSS)) | Subscriber - deactivated | 6 months |
| 0 | Andorra | No | | | | | | | |
| 0 | Bahamas | No | | | | | | | |
| 0 | Bosnia & Herzegovina | No | | | | No limit | | | |
| 0 | Cabo Verde | No | | | | | | | |
| 0 | Canada | No | | | | | | | |
| 0 | Colombia | No | | | | | | | |
| 0 | Comoros | No | | | | | | | |
| 0 | Croatia | No | | | | | | | |
| 0 | Cyprus | No | | | | | | | |
| 0 | Czech Republic | No | | | | | | | |
| 0 | Denmark | No | | | | | | | |
| 0 | Estonia | No | | | | | | | |
| 0 | Finland | 0 | | | | | | | |
| 0 | Hong Kong | No | | | | | | | |
| 0 | Iceland | No | | | | | | | |
| 0 | Ireland | No | | | | | | | |
| 0 | Israel | No | | | | | | | |
| 0 | Kiribati | No | | | | | | | |
| 0 | Latvia | No | | | | | | | |
| 0 | Liechtenstein | No | | | | | | | |
| 0 | Lithuania | No | | | | | | | |
| 0 | Maldives | No | | | | | | | |
| 0 | Malta | No | | | | | | | |
| 0 | Marshall Islands | No | | | | | | | |
| 0 | Mexico | No | | | | | | | |
| 0 | Micronesia | No | | | | | | | |
| 0 | Moldova | No | | | | | | | |
| 0 | Namibia | No | | | | | | | |
| 0 | Netherlands | No | | | | | | | |
| 0 | New Zealand | No | | | | | | | |
| 0 | Nicaragua | No | | | | | | | |
| 0 | Paraguay | No | | | | | | | |
| 0 | Philippines | No | | | | | | | |
| 0 | Portugal | No | | | | | | | |
| 0 | Romania | No | | | | | | | |
| 0 | Serbia | No | | | | | | | |
| 0 | Slovenia | No | | | | | | | |
| 0 | Solomon Islands | No | | | | | | | |
| 0 | Sweden | No | | | | | | | |
| 0 | Ukraine | No | | | | | | | |
| 0 | United Kingdom | No | | | | | | | |
| 0 | United States | No | | | | | | | |
| 0 | Vanuatu | No | | | | | | | |
| 0 | Vietnam | No | | | | | | | |
| 0 | Yemen | No | | | | | | | |

Type of ID required by country

The countries that currently have biometric registration laws are Afghanistan, Bahrain, Bangladesh, Benin, China, Nigeria, Oman, Pakistan, Peru, Saudi Arabia, Singapore, Tajikistan, Tanzania, Thailand, Uganda, United Arab Emirates, and Venezuela. Those who are in the planning stages of implementing biometrics are Jordan, Lebanon, and Liberia. In Mozambique, subscribers can provide their fingerprints if they don’t have adequate ID.

In China, anyone registering a new phone number now needs to submit a facial scan. This is also happening in Singapore. Singtel, which has a market share of 50 percent, introduced facial scanning to its ID-verification process. All of this can be done from an app on the user’s phone. Nigeria also requires both fingerprints and a facial image.

In all of the remaining countries (that we conducted our in-depth study on) where biometrics aren’t yet implemented, photo ID is a requirement in order to register. If someone doesn’t have ID, authorities often implement rules stipulating they register through another person or seek a sponsor who will vouch for them.

In many countries, other requirements are stipulated alongside the ID, including a permanent address, date of birth, nationality, and gender (many personally identifying factors that may also be included on the ID). However, certain countries also have other unique stipulations. For example, in Chile and Sudan, your mother’s name is required on the registration form. Kosovo, Liberia, and Mali also want to know your profession, while Cameroon requires you to submit a localization map to confirm your country of residence.

Countries without mandatory SIM-card registration laws

Those without any SIM-card registration requirements are Andorra, the Bahamas, Bosnia and Herzegovina, Cabo Verde, Canada, Colombia, Comoros, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Hong Kong, Iceland, Ireland, Israel, Kiribati, Latvia, Liechtenstein, Lithuania, Maldives, Malta, Marshall Islands, Mexico, Micronesia, Moldova, Namibia, the Netherlands, New Zealand, Nicaragua, Paraguay, the Philippines, Portugal, Romania, Serbia, Slovenia, Solomon Islands, Sweden, Ukraine, United Kingdom, United States, Vanuatu, Vietnam, and Yemen.

There are certain countries where SIM card registration is under discussion, e.g. Cyprus, Malta, Namibia, and Vietnam. Equally, in some countries, bills and even laws have been introduced but retracted. This includes Lithuania, Paraguay, the Philippines, Romania, and Ukraine.

How does SIM-card registration threaten privacy?

Creating a database of citizens and their mobile numbers restricts private communications, increases the potential of them being tracked and monitored, enables governments to build in-depth profiles of their citizens, and risks private data falling into the wrong hands.

A SIM card is more than a phone number. It allows authorities to easily track people’s locations and movements. All of their online activity—websites visited, search queries, purchases, and more—can be traced back to their device. Authorities could selectively throttle, censor, or block internet connections of specific people or groups of people, giving way for harassment and persecution.

Without laws to protect registration data, personal details could be shared with third parties. These could include advertisers, other governments, or tax collection agencies, for example. This puts data at a higher risk of theft and abuse.

In China, SIM-card registration is combined with real-name registration for online accounts and services. When you sign up for a social media account or chat app, for example, you’re required to provide your real name and phone number. In combination with SIM-card registration, the policy prevents anyone from making anonymous accounts online or communicating in secret.

Furthermore, Spain recently conducted a large study of its citizens’ phone tracking data in a bid to improve its public services. Even though this data was “anonymized,” it still demonstrates the intrusive ways governments may choose to use mobile data that’s made available to them. There were also some suggestions that the data was used in breach of privacy laws, as people hadn’t given their consent for the data to be used by the government.

Some experts also suggest that having mandatory registrations in place for SIM cards only seeks to fuel their illicit use. It creates the need for a black market as people want to communicate anonymously and it also encourages identity fraud as people try to evade the system.

Identity theft is also a threat to this system. Criminals might have little trouble finding someone else’s photo and other information required to sign up for a new SIM. This could cause a lot of trouble for the impersonated with little consequence to the impersonator.

Methodology

To conduct this study, we used various sources (listed below) to find out whether or not SIM-card registration is mandatory. We then followed this up by taking an in-depth look at each country’s laws to find out how this data was used, stored, accessed, and so on.

Where we were unable to find this information, we have omitted the country from the study.

Scoring

Registration required = No (0 points), Yes (1 point), Optional (0.5 points)

Capture and Store = 1 point

Capture and Share = 2 points

Capture and Validate = 2 points

Data Privacy Framework = Yes (0 points), No (1 point)

Biometric Check = Fingerprints used for limited groups, i.e. those without ID (2 points), Fingerprints and/or Facial Scans (3 points), In progress (1 point)

SIM Card Limit = No limit (0 points), over 10 or other restrictions (1 point), 6 to 10 (2 points), 5 or fewer (3 points)

Law Enforcement Access = With warrant (1 point), without warrant (2 points), severe interception capabilities (3 points)

Penalties = Subscriber deactivation (1 point), subscriber penalties (2 points), subscriber prison sentences and/or penalties (3 points)

Data Storage = length of contract and up to six months after (1 point), up to 1 year (2 points), 2 to 3 years (3 points), 4 to 5 years (4 points), 6 or more years (5 points). If no data storage timescales are given, countries are allocated 5 points if there is no data protection law and 3 points if there is a data protection law in place (as this will provide some safeguards despite no timescales being given).

Sources

https://www.gsma.com/mobilefordevelopment/wp-content/uploads/2019/02/ProofofIdentity2019_WebSpreads.pdf

https://docs.google.com/spreadsheets/d/1VHwcBK514_4G-24UMBzoW0hiHzUMJ516q1ISVH0MSVw/edit#gid=0