mm01

Myanmar wants mobile user biometrics

People in Myanmar will be required to give their biometric data, including thumbprints, when buying mobile phone services under a controversial government plan to store private information on a central database.

A tender document issued last month and seen by The Myanmar Times invites bids for a “national database to store and manage biometric mobile subscriber registration information from all mobile network operators in Myanmar.”

The biometric information includes at least a person’s name, both thumbprints, identity type, identity number and scan of identity card, the document says. It may also contain the father’s name, date of birth and street address.

The tender, which is still open, was put out by the Posts and Telecommunications Department (PTD) under the Ministry of Transport and Communications. It does not say when the system is to start operation.

The PTD says in the document that it “intends to build a national database capturing biometric subscriber registration information of every mobile network user” in order to “ensure proper and secure registration of mobile network users and to prevent any malicious use of mobile networks.”

The contact persons for this tender have not responded to written requests for comment by The Myanmar Times.

“We cannot think of a single legitimate reason to collect such complex information. It’s very worrying that the Ministry of Transport and Communications is intending to ask telecoms companies to collect biometric information,” commented Ma Yin Yadanar Thein, director of watchdog Free Expression Myanmar.

“All governments want to collect limited telecoms information, for example to improve services and policies, or to prevent crime. However, asking telecoms companies to collect biometric information – which is deeply personal – is the sort of grossly disproportionate policy that only authoritarian countries do. Telecoms companies in Vietnam and China collect biometrics because their governments want their populations to be constantly fearful of being watched,” she added.

Calling on the ministry to explain its aims, she said her worry was that this was not about preventing malicious use of telecoms networks but rather about collecting massive levels of personal data which could be used to monitor everyone and potentially target individuals for what they do or say online.

The tender document does not mention any intention of the government to track the population. But SIM card registration, and especially biometric data, allows the state to identify the card owner and infer who is most likely making a call or sending a message at any given time, according to UK-based watchdog Privacy International.

Without strong legal frameworks and strict safeguards, the group warns that biometric systems pose grave threats to privacy and personal security, as their application can be broadened to facilitate discrimination, profiling and mass surveillance.

Tracking would need the government to be able to access telecoms data from the companies in the form of lawful interception. Myanmar has no laws or regulations on privacy protection, so personal data is not legally protected from state access.

“As with any databases, collection of this information raises concerns about privacy and data protection,” said Vicky Bowman of the independent Myanmar Centre for Responsible Business.

This private biometric data will be accessible to the telecoms operators and the private sector company providing the system, she noted.

“The authorities need to explain why it is necessary for biometric data to be collected and how it will be used. There is also no clarity about whether this database is connected to the government’s e-ID plans,” Ms Bowman said.

Some NGOs have also expressed their concerns to The Myanmar Times about the impact of the database and SIM restriction on the access to mobile services by Internally Displaced Peoples and vulnerable groups, and the ability of humanitarian organisations to work in conflict areas.

Myanmar currently requires buyers of SIM cards to register their identity documents.

Daw Aung San Suu Kyi talks about mobile phone penetration and the Fourth Industrial Revolution during the 2018 World Economic Forum on ASEAN in Hanoi. Photo: EPA

Daw Aung San Suu Kyi talks about mobile phone penetration and the Fourth Industrial Revolution during the 2018 World Economic Forum on ASEAN in Hanoi. Photo: EPA

Further restrictions proposed

The request for bids says the system “must be able to define a chosen business logic in order to restrict the number of registered SIM per subscriber.”

Since last April the PTD has ordered that a maximum of only two SIM cards per ID can be registered. The tender’s requirements suggest that the new system will implement this restriction. But the government has so far not made the economic or public policy case for taking this measure.

Other countries in the region, including India, Pakistan and Singapore, also limit the number of SIM cards per individual. Meanwhile, the Chinese government this month started requiring people to have their faces scanned when registering new mobile phone services in order to verify the real identities of internet users.

The document also says the system must be able to link one biometric scan with multiple valid identity documents issued by the authorities, such as a National Registration Card and driving licence.

This means the centralised database has the potential to link up different form of IDs, including thumbprints, which will be accessible to telecoms operators. Based on the tender document, it is unclear what the scope of this database is. The supporting office of the electronic ID working committee confirmed to this newspaper that the Ministry of Labour, Immigration and Population is involved in the database project.

The tender adds that the bidder is required to supply all hardware, software, licences and services to implement a “government-level centralised biometric database” and provide the price of all interconnected devices to be used in all mobile network operator’s point of sales.

In addition, the system must include “stringent security measures preventing loss of confidentiality, integrity and availability and leakage of information against disaster and cyberattacks” and that all personal data must be encrypted. The responsibility to prevent data leak is on the bidder.

The request for proposal does not specify whether the government or the bidder is responsible for operating the database. Neither does it outline who owns or controls the data, how might the data be used and what consent is required at point of sales.

Telecom operators express interest

Ooredoo Myanmar supports this project and has consulted with the government while it developed the request for proposal, Christopher Peirce, Ooredoo’s chief legal and regulatory officer, said. The database project is “important for the security of the customer and will help stop the practice of the sale of multiple SIMs to individuals who use and discard SIMs.”

The best path, as in other countries, is to connect the database with the smart national ID, Mr Peirce said, adding that this will enable operators to more reliably protect customer information and so “supports privacy protection rather than being a threat.”

Telenor Myanmar declined to comment on the tender as the process is ongoing. However, it said “privacy is very important to us” and that it has “strong internal procedures across markets including Myanmar to protect our subscribers’ privacy.”

Mytel said it has not decided whether to bid for the project. It said the system, if properly implemented, would reduce cyber threats. “I don’t see more impact on privacy issues than the current situation as we all are already providing our personal info to banks, hospitals etc. “And the personal data that are being collected by the common data base ranges [from] quite normal or basic to biometric, e.g. fingerprint,” its chief external relations officer told this newspaper.

State-owned MPT said it “will be following the instruction from” the PTD.

Source: https://www.mmtimes.com/news/myanmar-wants-mobile-user-biometrics.html