Cape Town - Next time you buy a cellphone, your mobile phone company will have access to your fingerprints, facial recognition, retina scans, biometric and behavioural data, if a proposal by the Independent Communications Authority of South Africa (Icasa) of tying the biometric data held by service providers to people’s SIM cards becomes law.
The proposal is included alongside other draft regulations published by the regulator last month, and is currently out for public comment until May 11. The proposal was made to clamp down on fraudulent activities, but certain organisations said it was an invasion of privacy.
In the notice, the regulations define biometric data as the “measurement and statistical analysis of people’s unique physical and behavioural characteristics”.
This means that fingerprint mapping, facial recognition, retina scans and biometric and behavioural data will be held by mobile service providers and tied to SIM cards and phone numbers.
“On activation of a mobile number on its network, a licensee must ensure that it collects and links the biometric data of the subscriber to the number. A licensee must ensure that, at all times, it has the current biometric data of an assigned mobile number,” Icasa said.
However, submissions made to the DearSA website (https://dearsouthafrica.co.za/icasa-biometric/), which currently stand at more than 20 000, have rejected the proposal as a terrible invasion of privacy that would be “abused” by the government.
Some of the submissions argue that linking a person’s biometric data to their SIM card exposes individuals to a further possibility of identity theft through the theft or cloning of the SIM card, with the theft of a mobile phone being another way in which a person’s identity can be stolen.
Questions around what would happen when the biometric data stored by the networks are hacked and how this data would be safeguarded were also raised.
Dear SA chairperson Rob Hutchinson said the regulations as proposed attempt to address concerns around SIM fraud in the banking sector. However, the regulations might encroach on the protection of personal information limitations set by the Popi Act.
South African Banking Risk Information Centre (Sabric) figures from November last year showed that SIM swop incidents increased 91% year-on-year when looking at digital banking fraud across all platforms.
Hutchinson said they were concerned as to how the biometric and behavioural data of private citizens would be stored and managed by service providers – as data breaches and hacking of systems were an increasing problem.
“Other concerns are around the usage of private data by the service providers and who will have access to the data,” he said. Hutchinson said security of private data, identity theft, and usage of personal information were also major concerns.
“We feel that this bill, although well-intentioned, has major flaws in practical application. The public participation process has so far revealed many valid concerns from those who will be affected – which will hopefully encourage Icasa to consider the public input and redraft the proposal to meet the concerns of the public and requirements of government,” he said.
South African Institute of Race Relations CEO John Endres said the state’s desire to combat fraud is laudable, but cautioned that this would inconvenience users, and would add to the cost of managing cell contracts.
He said this would be ineffective because criminals would still find ways to circumvent the safeguards.
“Capturing biometric data will also create risks for users if their data is compromised or used by government agencies for unauthorized purposes, e.g. surveillance and tracking of political opponents. Icasa should go back to the drawing board and develop a less intrusive way to combat SIM swap fraud,” Endres said.
The Right2Know campaign said it was in the process of preparing a submission to Icasa on the matter.
Right2Know spokesperson Sthembiso Khuluse said even the court judgment in the matter of AmaBhungane Centre for Investigative Journalism NPC and Another v Minister of Justice and Correctional Services and Others; and Minister of Police v AmaBhungane Centre for Investigative Journalism NPC and Others declared that parts of Rica were unconstitutional and infringed on the privacy of citizens.
He said Parliament was given time to revise the act to establish sufficient safeguards to protect the public.
“Have they done that? As the Right2Know Campaign we oppose this move and are working on a submission to ensure that constitutional rights are not infringed upon,” Khuluse said.