Which governments impose SIM-card registration laws to collect data on their citizens?

Just over 5.2 billion people worldwide have mobile phones, accounting for almost 70 percent of the entire global population, according to the GSM Association.

The majority of national governments (around 160) require mandatory SIM-card registration, which means you must provide your real name and personal details to sign up for phone service. Over 30 of these also require biometrics, e.g. your fingerprints or a facial scan.

Just how private is mobile phone usage in each country? And how are governments using the data collected?

Here at Comparitech, we looked at a number of factors to determine where in the world SIM-card registrations are the most invasive. This includes if biometrics are required in the registration process, whether the data is stored by providers or shared with government agencies, what is (or is not) required for law enforcement to gain access to this data, for how long the data is stored, and whether any data privacy legislation protects this information.

This year’s update also included whether or not these countries have mandatory IMEI databases.

This map includes all of the countries we know of that have or do not have SIM-card registration laws. Some of these have been omitted from the overall study (with scoring and rankings) due to insufficient information on the laws and processes in place. Therefore, it wouldn’t be fair for us to include them as we cannot accurately score them for things like law enforcement access, penalties, and so on.

Please note: Due to a change in the scoring (countries with lower scores are now deemed to have more invasive SIM-card registration laws) along with the addition of another category, we haven’t compared results year on year.

Top 16 countries with the worst SIM-card registration policies

1. Tanzania (3 points)

Tanzania is the worst-ranked country for SIM-card registration policies with a score of 3/18. It manages to scrape back just three points as it allows citizens a maximum of eight SIM cards (one per provider), doesn’t have severe invasive interception tools for law enforcement (but they can still access data without a warrant), and doesn’t have a mandatory IMEI database. In Tanzania, subscribers’ information is submitted to the relevant authority once a month and registration includes fingerprints. This data isn’t protected by storage limitations, and with no data protection law in place, subscribers’ data is left open to various vulnerabilities. Furthermore, those who don’t comply with the law may find themselves being fined 7 million Tanzanian shillings (US$3,000) and/or spending more than two years in prison.

2. Myanmar, North Korea (6 points)

Both Myanmar and North Korea receive 6 points. Both capture and store data and neither has a mandatory IMEI database.

Myanmar scores poorly for the lack of a data protection framework, as well as for limiting the number of SIM cards allowed (two per person). Myanmar also requires biometric data to be taken for SIM registration, including both fingerprint and facial scans. The few points it does pick up are for requiring a warrant for law enforcement to access personal information and for not having any severe penalties for not registering your SIM (just deactivation).

While North Korea is only considering the implementation of biometric data for SIM-card registration, there are likely to be limitations on SIM-card use due to their networks being government-run. For example, if a user accesses something that they shouldn’t, they are sent an alert, warning them that the government has noted this action. Users who don’t follow the registration process are also at risk of up to three years in prison and/or hefty fines. North Korea fails to protect registration data with no data protection laws or defined data retention periods. Furthermore, the government has ensured tourists aren’t able to leave SIM cards with residents by deactivating the SIM card after their visit and charging tourists $250 per SIM card.

3. Pakistan (7 points)

Pakistan scores two points each for law enforcement needing a warrant to access data and only enforcing subscriber deactivation as a penalty. A further three points are given for its limit on storing subscriber information for a maximum of 1 year. However, Pakistan is one of sixteen countries that hold an IMEI database. The database requires all mobile phone users to register their independent 15-digit number and is aimed at identifying counterfeit and illegally imported mobile devices that avoid tax. Pakistan also uses a capture and validate registration system, has no data privacy framework, requires fingerprints upon registration, and only allows 5 SIM-cards per user.

4. Bangladesh, China, Jordan, Nigeria, Saudi Arabia, Singapore, Sri Lanka, Uganda, United Arab Emirates (8 points)

Bangladesh requires fingerprints to be taken for registration, and law enforcement can gain access without a warrant. In 2021, both Bangladesh and Nigeria implemented an IMEI database.

Sri Lanka and Jordan are the only two countries in this group that don’t have a data privacy framework in place and Sri Lanka doesn’t require biometric registration unlike all other countries that scored eight points.

Singapore has the lowest SIM-card limit for citizens (3 per person), doesn’t require a warrant for police access, and individuals found buying and registering SIM cards under false names might be put in prison for multiple years.

Nigeria and China don’t subject citizens to a limit on the number of SIM cards they own but instead require facial scans/images during the registration process. Anyone found fraudulently using SIM cards is highly likely to face imprisonment in China, and imprisonment is explicitly provided for in Nigeria.

Imprisonment is also threatened in the UAE and subscriber data is stored for two years. Uganda had the most extensive specified storage period of all these countries (five years).

5. Bahrain, Kenya, Tajikistan (9 points)

All three countries are awarded a point for having a data privacy framework, for having a higher limit of between eight and 10 SIM-cards per person, for not having an IMEI database, and for not giving law enforcement invasive access to the databases (warrants aren’t always required, though).

Both Bahrain and Tajikistan require extensive biometric data to be collected upon registration. However, deactivation is the only penalty for not complying with the regulations. In Kenya, offenders face prison for up to 6 months or a large fine of 100,000 shillings ($1,000).

 

Type of ID required by country

The countries that currently have biometric registration laws are Bahrain, Bangladesh, Belarus, Benin, China, Ghana, Jordan, Lesotho, Mexico, Myanmar, Nigeria, Oman, Pakistan, Peru, Saudi Arabia, Singapore, Tajikistan, Tanzania, Thailand, Uganda, United Arab Emirates, Venezuela, and Zambia. Those that are in the planning stages of implementing biometrics are Ethiopia, Indonesia, Japan, Lebanon, Liberia, Jordan, North Korea, and Russia. In Mozambique, subscribers can provide their fingerprints if they don’t have adequate ID.

In China, anyone registering a new phone number now needs to submit a facial scan. This is also happening in Myanmar, Nigeria, and Singapore (which uses technology from Singtel, making ID verification possible through an app). Thailand also accepts a facial scan as an alternative to fingerprint scanning.

In all of the remaining countries (that we conducted our in-depth study on) where biometrics aren’t yet implemented, photo ID is a requirement in order to register. If someone doesn’t have ID, authorities often implement rules stipulating they register through another person or seek a sponsor who will vouch for them.

In many countries, other requirements are stipulated alongside the ID, including a permanent address, date of birth, nationality, and gender (many personally identifying factors that may also be included on the ID). However, certain countries also have other unique stipulations. For example, in Chile and Sudan, your mother’s name is required on the registration form. Kosovo, Liberia, and Mali also want to know your profession, while Cameroon requires you to submit a localization map to confirm your country of residence.

Countries without mandatory SIM-card registration laws

Those without any SIM-card registration requirements are Bosnia and Herzegovina, Canada, Cabo Verde, Comoros, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Iceland, Ireland, Israel, Kiribati, Latvia, Liechtenstein, Lithuania, Maldives, Malta, Marshall Islands, Micronesia, Moldova, Namibia, the Netherlands, New Zealand, Nicaragua, the Philippines, Portugal, Romania, Serbia, Slovenia, Sweden, the United Kingdom, the United States, and Vanuatu.

There are certain countries where SIM card registration is under discussion, e.g. Cabo Verde and Estonia. And, in some countries, bills and even laws have been introduced but retracted. This includes Namibia, the Philippines, Romania, and Vanuatu.

How does SIM-card registration threaten privacy?

Creating a database of citizens and their mobile numbers restricts private communications, increases the potential of them being tracked and monitored, enables governments to build in-depth profiles of their citizens, and risks private data falling into the wrong hands.

A SIM card is more than a phone number. It allows authorities to easily track people’s locations and movements. All of their online activity—websites visited, search queries, purchases, and more—can be traced back to their device. Authorities could selectively throttle, censor, or block internet connections of specific people or groups of people, giving way for harassment and persecution.

Without laws to protect registration data, personal details could be shared with third parties. These could include advertisers, other governments, or tax collection agencies, for example. This puts data at a higher risk of theft and abuse.

In China, SIM-card registration is combined with real-name registration for online accounts and services. When you sign up for a social media account or chat app, for example, you’re required to provide your real name and phone number. In combination with SIM-card registration, the policy prevents anyone from making anonymous accounts online or communicating in secret.

Furthermore, Spain recently conducted a large study of its citizens’ phone tracking data in a bid to improve its public services. Even though this data was “anonymized,” it still demonstrates the intrusive ways governments may choose to use mobile data that’s made available to them. There were also some suggestions that the data was used in violation of privacy laws, as people hadn’t given their consent for the data to be used by the government.

Some experts also suggest that having mandatory registrations in place for SIM cards only seeks to fuel their illicit use. It creates the need for a black market as people want to communicate anonymously and it also encourages identity fraud as people try to evade the system.

Identity theft is also a threat to this system. Criminals might have little trouble finding someone else’s photo and other information required to sign up for a new SIM. This could cause a lot of trouble for the victim with little consequence to the impersonator.

Methodology

To conduct this study, we used various sources (listed below) to find out whether SIM-card registration is mandatory. We then followed this up by taking an in-depth look at each country’s laws to find out how this data was used, stored, accessed, and so on.

Where we were unable to find this information, we have omitted the country from the study.

Scoring

Registration Requirements:

  • Registration required = No (1 point), Yes (0 points), Optional (0.5 points)
  • Capture and Store = 1 point
  • Capture and Share = 0 points
  • Capture and Validate = 0 points

Data Privacy Framework:

  • Yes (1 point)
  • No (0 points)

Biometric Check:

  • Fingerprints and/or Facial Scans (0 points)
  • Fingerprints used for limited groups, i.e. those without ID (1 point)
  • In progress (2 points)
  • No biometrics (3 points)

SIM Card Limit:

  • 5 or less (0 points)
  • 6 to 10 (1 point)
  • Over 10 or other restrictions (2 points)
  • No limit (3 points)

Law Enforcement Access:

  • Severe interception capabilities (0 points)
  • Without warrant (1 point)
  • With warrant (2 points)

Penalties:

  • Subscriber prison sentences and/or penalties (0 points)
  • Subscriber penalties/fines (1 point)
  • Subscriber deactivation (2 points)

Data Storage:

  • 6 or more years (0 points)
  • 4 to 5 years (1 point)
  • 2 to 3 years (2 points)
  • Up to 1 year (3 points)
  • Length of contract and up to six months after (4 points)

If no data storage timescales are given, countries are allocated 0 points if there is no data protection law and 2 points if there is a data protection law in place (as this will put some safeguards in place despite no timescales being given).

IMEI Registration:

  • Mandatory (0 points)
  • Not Mandatory (1 point)

Countries where no SIM-card or IMEI registration is required automatically received a score of 18.

Sources

https://www.gsma.com/mobilefordevelopment/wp-content/uploads/2021/04/Digital-Identity-Access-to-Mobile-Services-and-Proof-of-Identity-2021_SPREADs.pdf

For a full list of sources, please request access here.

Data researcher: Charlotte Bond