As Namibians Rush to Register SIMs, Major Telco Hoards Biometric Data

This December, citizens of Namibia are faced with a catch-22. In 10 days, more than half of the population of Namibia may lose phone service. As a price for keeping it, the other half has handed over sensitive biometric data to the country's premier telco.

The messy story begins with the best of intentions, back around the turn of 2022–2023. In an effort to combat mobile fraud and identity theft, and generally align with international norms, the Namibian government began a yearlong push for all citizens to register their SIM cards.

Most of those citizens have to do so through Mobile Telecommunications Limited (MTC), Namibia's first and largest mobile telecommunications provider. MTC controls more than a 90% share of the market, servicing over 2 million customers in the country of just 2.5 million, according to company documentation.

In registering their SIMs, though, the company has also collected customers' facial scans and fingerprints. It's an unnecessary measure that has privacy advocates worried.

"Now I've got a mobile network operator (MNO) that's taken my biometrics, my identity, and it knows where I live," laments Paul Rowney, chairperson of the Payment Association of Namibia's e-Money Forum. "This is valuable data that's now sitting in a database, and nobody really knows how that database came about. What's the oversight for that data? Where's it stored? None of this is known."

Namibia Failing Push to Register SIMs

Namibia's SIM registration campaign hasn't gone according to plan.

The Communication Regulatory Authority of Namibia (CRAN) has reported that, as of this month, just 43% of the country — 1,043,144 of 2,463,367 total mobile phone users — have completed registration.

This, Rowney says, was predictable. Besides the long lines and bureaucracy involved, "a lot of the people that are not registered live in rural areas. For them to comply, it's quite difficult. They've got to travel long distances, it costs money — they tend to have the least amount of money — they've got to go to one of the registration points, and these tend to be in the urban areas." Registration also requires an official home address, which many rural citizens lack.

Rowney adds that this week, to speed up compliance, the government rescinded one step in the process: obtaining a declaration from the police prior to registration.

A representative of the Ministry of Information and Communication Technology (MICT) told The Windhoek Observer that, despite poor adherence, the government will not push the registration deadline.

Instead, Jan. 1 will kick off a three-month suspension period, CRAN's legal adviser explained in a press conference on Dec. 15. Through March, unregistered numbers will be suspended. After three months, those numbers will be lost to their original owners.

Rowney, for his part, does not believe the telcos will comply with such a firm stance. "Do you think they're going to switch off 50% of their subscribers? It's the first of January, during the middle of the holiday, peak revenue time. They're going to ignore it," he says.

It should be noted that the majority of MTC is owned by the government, as well as the entirety of its sole competitor, Telecom Namibia.

MTC's Biometric Data Collection

Besides the threat of service interruptions, or the theoretical specter of mobile fraud should the plan fail, there's one other risk to this late drama: that MTC will gain further leverage to collect sensitive biometric data.

According to Part 6 of Chapter V in Namibia's Communications Act of 2009, in registering a SIM card, companies must obtain certain standard personal information such as an individual's name, date of birth, address, and a form of government ID.

Biometric data is not required by law. Yet as part of the registration process, MTC employees have been capturing photos and fingerprints of customers. It's unclear whether the company intends to use this data for a particular purpose. Equally unclear is how it plans to store and secure it.

Dark Reading has reached out to both MTC and CRAN for further information as to where this data is being stored, how, and how it's being protected, if at all.

The confusion is compounded by the fact that Namibia does not yet have any data protection laws. Its first Data Protection Bill was drafted two years ago and is as yet moving through Parliament.

"The MNOs are now capturing all this information into their database. Not CRAN's database. And it raises the question: Who owns the data, anyway? Does the regulator own it? Does the government own it? Does the MNO own the data?" Rowney wonders.