Johannesburg - Cyber security experts are divided about a proposal to link biometric data to sim cards.
The Independent Communications Authority of South Africa (Icasa) has proposed linking biometric data to SIM cards. If successful, the new regulations would require all South Africans to provide their biometric data to mobile service providers to obtain a new cellphone number or action a sim swop.
The proposals are included alongside other draft regulations published by the regulator which closed for public comment this week. Icasa’s proposal calls for biometric data such as fingerprint mapping, facial recognition, and retina scans to be bound to a consumer’s sim card.
Professor and chair for artificial intelligence(AI) in cyber security in the School for Data-Science & Computational Thinking at Stellenbosch University, Bruce Watson, said while he believed Icasa had good intentions, the proposal was a bad idea.
“Linking data is a very slippery slope. I would even say that it could lead to South Africa becoming a surveillance state. It is not always necessary… This could lead to more data leaks. Also, the ability of companies to keep data safe is weak,” he said.
Watson stressed that biometric data was the “crown jewels” of personal information and believes linking it to sim cards would increase the risk of identity theft.
“While there may be a genuine interest to protect data, I believe that it will be very difficult to put that genie back in the bottle should we go that way,” Watson said.
Privacy concerns were also raised by co-founder and CEO of iiDENTIFii (a leader in remote biometric digital facial authentication and automated onboarding technology) Gur Geva.
But he said he believed the new proposals was to prevent serious crime and protect consumers from the financial and emotional trauma of identity fraud where associated phone numbers were used.
“Criminals who use a multitude of mobile numbers in illegal activities, including fraud, money laundering, terrorism and kidnapping, would have a harder time hiding from law enforcement should new regulations come into effect.
“And because biometric data cannot be copied, consumers would have an added layer of protection against their cell number being used in identity theft or to authenticate fraudulent payments,” he added.
Geva said the technology behind binding biometrics to sim cards was well-established and, crucially, was safe and secure.
“Biometric technology is already a common security feature offered by financial service providers like banks and insurers to protect consumers. The proposed regulations are far more sophisticated than current RICA laws in terms of protecting South Africans against fraud,” he added.
The communications regulator said stricter security measures were required to curb the hijacking of mobile phone numbers, either through porting or via a sim swop transaction, among other instances of fraudulent activity.
Geva said how biometric data was managed by mobile operators would still be subject to strict privacy laws laid out in the Protection of Personal Information (Popi) Act and the General Data Protection Regulation (GDPR) guidelines.
Raw biometric data wouldn’t be stored so citizens could rest assured their information was encrypted and non-transferable, he added.
“There is concern that biometric data can be used for various other means once captured by the mobile service provider. But in reality, there is very little difference between what is being asked of the mobile service providers and what customers have had to provide to financial institutions,” he said.
Geva added that biometric authentication, together with liveness detection, was a powerful weapon in the fight against identity fraud which was on the increase and cost the South African economy at least R1 billion each year.
Geva also stressed that the move towards biometrics had several other important benefits beyond combattng identity fraud.
“Government departments, like Home Affairs and Social Development, would be able to ensure grants, documents, and other communication reached the intended recipient.
“There are also massive opportunities within the digital payments space as remote biometrics enable access to services that have the potential to make a meaningful impact on financial inclusion.
“As most South African adults own a mobile phone, biometrics takes the friction out of the payment process, making transactions easy, instant, and secure,” he said.
Icasa spokesperson, Paseka Maleka said they had been presented with concerns wherein mobile numbers had been hijacked, either through a porting and/or sim swop transaction.
“This hijacking of numbers may be seen as small, but it is an integral part of a wider form of fraud where sensitive data is diverted or may land in criminal hands. The authority is of the view that the association of mobile numbers with the biometric data of a subscriber will assist to curb the hijacking of numbers,” he said.
Paseka said Icasa was unable to pre-empt if the biometric switch would, in fact, happen as this was still in the consultation phase.