Which governments impose SIM-card registration laws to collect data on their citizens_

Just over 5.4 billion people worldwide have mobile phones, accounting for almost 70 percent of the entire global population, according to the GSM Association.

The majority of national governments (around 160) require mandatory SIM-card registration, which means you need your real name and personal details to sign up for phone service. And just under 20 of these also require biometrics, e.g. your fingerprints or a facial scan, with eight more countries in the process of implementing such requirements.

Just how private is mobile phone usage in each country? And how are governments using the data collected?

Here at Comparitech, we looked at a number of factors to determine where in the world SIM-card registrations are the most invasive. This includes if biometrics are required in the registration process, whether the data is stored by providers or shared with government agencies, what is (or is not) required for law enforcement to gain access to this data, how long the data is stored, and whether any data privacy legislation protects this information.

This map includes all of the countries we know of that have or do not have SIM-card registration laws. Some of these have been omitted from the overall study (with scoring and rankings) due to insufficient information on the laws and processes in place. Therefore, it wouldn’t be fair for us to include them as we cannot accurately score them for things like law enforcement access, penalties, and so on.

Key findings for 2022/23

  • 3 countries have implemented mandatory SIM-card registration in the past year–Sweden, Namibia, and the Philippines. None of these countries place a limit on the number of SIM cards available to customers, but Namibia and the Philippines require biometrics (face and fingerprint biometrics for Namibia and facial scans for the Philippines). Sweden stores this data for one year, Namibia for five years (without an adequate data protection law), and the Philippines for ten years.
  • Belize, Cuba, Sri Lanka, and Tanzania all gained a point this year for implementing data privacy frameworks.
  • India introduced a mandatory IMEI database, bringing the total number of countries that do to 21.
  • Mexico was the only country to retract its biometric requirement. The National Register of Mobile Telephone Users (aka Panaut) was ruled unconstitutional by the Supreme Court of Justice. The register previously required fingerprints, iris scans, and facial recognition to prove the identity of mobile telephone and internet users.
  • Things to watch: The Maldives is considering mandatory SIM-card registration, while Australia and South Africa have had recent discussions regarding the use of biometrics in the registration process.

Top 14 countries with the worst SIM-card registration policies

1. Tanzania (4 points)

Tanzania is the worst-ranked country for SIM-card registration policies with a score of 4/18. While low, this is an improvement on its previous score of three. This is thanks to the implementation of a data privacy framework in November 2022. The other three points come from allowing citizens a maximum of eight SIM cards (one per provider), not having severe/invasive interception tools for law enforcement (but they can still access data without a warrant), and not having a mandatory IMEI database. In Tanzania, subscribers’ information is submitted to the relevant authority once a month and registration includes fingerprints. This data isn’t protected with storage limitations which leaves subscribers’ data open to various vulnerabilities. Furthermore, those who don’t comply with the law may find themselves fined 7 million Tanzanian shillings (US$3,000) and/or sentenced to more than two years in prison.

2. Myanmar (5 points)

Myanmar drops a point this time around due to the fact it has implemented a mandatory IMEI database. This came into effect in May 2022 and includes a mandatory tax of 6,000 kyat ($3) for device registration.

Elsewhere, Myanmar scores poorly for the lack of a data protection framework, as well as limiting the number of SIM cards allowed (two per person). Myanmar requires biometric data for SIM registration including both fingerprint and facial scans. The few points it does pick up were for the need for a warrant for law enforcement to access personal information and for not having any severe penalties for not registering your SIM (just deactivation).

3. North Korea, Tajikistan (6 points)

In North Korea, telecommunication networks are run by the government, so SIM-card use is heavily restricted. For example, if a user accesses something that they shouldn’t, they are sent an alert, warning them that the government has noted this action. Users who don’t follow the registration process are at risk of up to three years in prison and/or hefty fines. North Korea fails to protect registration data with no data protection laws or defined data retention periods. Furthermore, the government has ensured tourists aren’t able to leave SIM cards with residents by deactivating the SIM card after their visit and charging tourists $250 per SIM card.

Tajikistan collects fingerprints from SIM-card users and has a limit on the number of SIM cards allowed per provider, set at two (so 8 in total). Also, if a SIM card registered in your name is found in the hands of a criminal, then you could face between 2-3 years in prison. It also has a mandatory IMEI database.

4. Pakistan, Uganda (7 points)

Both Pakistan and Uganda share a number of similarities, including the requirement of fingerprints for registration, mandatory IMEI databases, law enforcement requiring a warrant for data access, and data only being stored for up to a year.

Pakistan has a limit of five SIM cards per person, while Uganda has no limit. But if users are caught breaking the law regarding SIM cards in Uganda, then they can face prison for up to 12 months. Deactivation is the biggest punishment in Pakistan.

5. Bangladesh, China, Jordan, Nigeria, the Philippines, Saudi Arabia, Singapore, United Arab Emirates (8 points)

As mentioned above, the Philippines introduced mandatory SIM-card registration in October 2022. Those registering must provide a selfie (facial recognition).

The rest of these countries also require biometric registration. Bangladesh, Jordan, Saudi Arabia, and the UAE require fingerprints. China, Nigeria, and Singapore require facial recognition instead of or alongside fingerprints.

Bangladesh and Nigeria are the only two to have mandatory IMEI databases.

Many of the countries also implement harsh penalties for those abusing the laws. For example, in the UAE, fake registration is punishable by at least one year in prison.

 

Type of ID required by country

The countries that currently have biometric registration laws are Bahrain, Bangladesh, Belarus, Benin, China, Ghana, Jordan, Lesotho, Myanmar, Namibia, Nigeria, Oman, Pakistan, Peru, Philippines, Saudi Arabia, Singapore, Tajikistan, Tanzania, Thailand, Uganda, United Arab Emirates, Venezuela, and Zambia. Those who are in the planning stages of implementing biometrics are Argentina, Ethiopia, Indonesia, Japan, Lebanon, Liberia, North Korea, and Russia. In Mozambique, subscribers can provide their fingerprints if they don’t have adequate ID.

In China, anyone registering a new phone number now needs to submit a facial scan. This is also a requirement in Myanmar, Nigeria, the Philippines, and Singapore (which uses technology from Singtel, making ID verification possible through an app). Thailand accepts a facial scan as an alternative to fingerprint scanning.

In all of the remaining countries (where we conducted our in-depth study) where biometrics aren’t yet implemented, photo ID is a requirement in order to register. If someone doesn’t have ID, authorities often implement rules stipulating they register through another person or seek a sponsor who will vouch for them.

In many countries, other requirements are stipulated alongside the ID, including a permanent address, date of birth, nationality, and gender (many personally identifying factors that may also be included on the ID). However, certain countries also have other unique stipulations. For example, in Chile and Sudan, your mother’s name is required on the registration form. Kosovo, Liberia, and Mali also want to know your profession, while Cameroon requires you to submit a localization map to confirm your country of residence.

Countries without mandatory SIM-card registration laws

Those without any SIM-card registration requirements are Bosnia and Herzegovina, Canada, Comoros, Croatia, Cyprus, Czech Republic, Denmark, Finland, Iceland, Ireland, Israel, Kiribati, Latvia, Liechtenstein, Lithuania, Malta, Marshall Islands, Micronesia, Moldova, the Netherlands, New Zealand, Nicaragua, Portugal, Romania, Serbia, Slovenia, the United Kingdom, the United States, and Vanuatu.

There are certain countries where SIM card registration is under discussion, e.g. Cabo Verde, Estonia, and the Maldives. And, in some countries, bills and even laws have been introduced but retracted. These include Romania and Vanuatu.

How does SIM-card registration threaten privacy?

Creating a database of citizens and their mobile numbers restricts private communications, increases the potential of them being tracked and monitored, enables governments to build in-depth profiles of their citizens, and risks private data falling into the wrong hands.

A SIM card is more than a phone number. It allows authorities to easily track people’s locations and movements. All of their online activity—websites visited, search queries, purchases, and more—can be traced back to their device. Authorities could selectively throttle, censor, or block internet connections of specific people or groups of people, giving way for harassment and persecution.

Without laws to protect registration data, personal details could be shared with third parties. These could include advertisers, other governments, or tax collection agencies, for example. This puts data at a higher risk of theft and abuse.

In China, SIM-card registration is combined with real-name registration for online accounts and services. When you sign up for a social media account or chat app, for example, you’re required to provide your real name and phone number. In combination with SIM-card registration, the policy prevents anyone from making anonymous accounts online or communicating in secret.

Furthermore, Qatar faced controversy during the 2022 World Cup for mobile phone tracking through apps as well as the possibility that they could track SIM cards. The country introduced new rules for football fans, making it much easier for them to obtain SIM cards. However, news outlets questioned the likelihood that phones were being tracked through IMEI numbers, SIM cards, and apps used on the phone.

Some experts also suggest that mandatory registration for SIM cards only seeks to fuel their illicit use. It creates the need for a black market as people want to communicate anonymously and it also encourages identity fraud as people try to evade the system.

Identity theft is also a threat to this system. Criminals might have little trouble finding someone else’s photo and other information required to sign up for a new SIM. This could cause a lot of trouble for the victim with little consequence for the impersonator.

Methodology

To conduct this study, we utilized various sources (government legislation/guidelines, telecommunication providers’ regulations, high-authority news sites, and industry reports) to find out whether or not SIM-card registration is mandatory in each country. We then followed this up by taking an in-depth look at each country’s laws to find out how this data was used, stored, accessed, and so on.

Where we were unable to find this information, we have omitted the country from the study.

Scoring

Registration Requirements:

  • Registration required = No (1 points), Yes (0 point), Optional (0.5 points)
  • Capture and Store = 1 point
  • Capture and Share = 0 points
  • Capture and Validate = 0 points

Data Privacy Framework:

  • Yes (1 point)
  • No (0 points)

Biometric Check:

  • Fingerprints and/or Facial Scans (0 points)
  • Fingerprints used for limited groups (i.e. those without ID (1 points)
  • In progress (2)
  • No biometrics (3)

Sim Card Limit:

  • 5 or less (0 points)
  • 6 to 10 (1 points)
  • Over 10 or other restrictions (2 point)
  • No limit (3 points)

Law Enforcement Access:

  • Severe interception capabilities (0 points)
  • Without warrant (1 point)
  • With warrant (2 points)

Penalties:

  • Subscriber prison sentences and/or penalties (0 points)
  • Subscriber penalties/fines (1 point)
  • Subscriber deactivation (2 points)

Data Storage:

  • 6 or more years (0 points)
  • 4 to 5 years (1 point)
  • 2 to 3 years (2 points)
  • Up to 1 year (3 points)
  • Length of contract and up to six months after (4 points)

If no data storage timescales are given, countries are allocated 0 points if there is no data protection law and a 2 if there is a data protection law in place (as this will put some safeguards in place despite no timescales being given).

IMEI Registration:

  • Mandatory (0 points)
  • Not Mandatory (1 point)

Countries where no SIM card or IMEI registration is required automatically received a score of 18.

Sources

For a full list of sources, please request access here.

Data researcher: Charlotte Bond