Everyone who buys a mobile telephone will be forced to register their identity on a national database under government plans to extend massively the powers of state surveillance. [From Passports will be needed to buy mobile phones – Times Online]
This is hardly an original idea. It’s already the case in many countries that law-abiding citizens have to provide identity documentation in order to obtain a mobile phone. Ah, you might say, that’s not going to help catch criminals — which I’m sure isn’t true, as such an initiative must necessarily catch some stupid criminals — because the criminals will just carry on using pre-paid SIMs that have not been registered. Well, yes, but surely if a government makes a law that SIMs must be registered, then it will naturally get the operators to block all of the SIMs that haven’t been registered, as they are in the process of doing in Botswana.
The process of registering all prepaid Subscriber Identity Module (SIM) cards in the country will start in September, says the Chief Executive of Botswana Telecommunications Authority (BTA), Mr Thari Pheko. Speaking at a press conference in Gaborone this week… Mr Pheko said the registration process was expected to take 17 months and will be completed on the last day of 2009, adding that unregistered cards will be taken off-air in the beginning of 2010. [From BOPA Daily News Archive]
Something similar is underway a little closer to home, in Spain.
From November 9, 2007, people who purchased pre-paid mobile phones have been obliged to provide proof of identity, but for those who purchased phones before this date, a two-year period of grace was granted which runs out on November 9, 2009. It is estimated that more than 15 million pay-as-you-go phones are still unregistered in Spain. [From Costa News – Mobile phone cut-off]
If there is going to be a government database of all mobile phone numbers against registered names, then surely the only way to manage the new identity world that it creates is to just put it on the web and let new businesses spring up to use it. It’s the same principle as with initiatives around health and all sorts of other personal data. If people believe that their connection to their mobile phone number is “secure” but it isn’t, then the outcomes will be perverse. The bad guys will have access to the data and the good guys won’t. Since there is no more possibility of keeping this database secure than keeping, for the sake of emotive comparison, the Children’s Index secure, isn’t it better to make it available for mash-up? And, by the way, I didn’t choose this emotive example at random…
Security flaws have halted work on the internet database designed to hold the details of 11 million children and teenagers. The Department for Children, Schools and Families (DCSF) admitted last night that it had uncovered problems in the system for shielding details of an estimated 55,000 vulnerable children. [From Security flaws halt work on ContactPoint child database – Times Online]
If you can’t keep a government database like this secure, what chance is there of keeping a government database of mobile phone IDs secure?
So it would make sense to put all this on the web? No, of course it wouldn’t. It would be a nightmare. It could easily lead to the first “privacy Chernobyl”, a nice phrase coined over at Burton…
privacy “Chernobyls,” events and trends that will fundamentally alter our privacy in the next 3 to 10 years. [From Burton Group Identity Blog: Trip report from the Privacy Symposium]
I think the analogy here is reasonable. Just as Chernobyl looms over every discussion of nuclear power, so one day there might be a failure of some major system — let’s say a government’s national identity card system, to pick an obvious example — that means that no-one will want to commission a future system no matter how beneficial or failsafe or secure. This is not a good outcome if you think, as I do, that modern society desperately needs an identity management infrastructure and, as I shall be discussing later this month at the European e-Identity Management Conference, that mobile phones are an integral part of that infrastructure.
The solution is not to make all data available to all but to implement an identity infrastructure based on modern cryptography, secure systems (you can’t have privacy without security, as we say at the Identity & Privacy Forum), biometrics and so forth. I strongly suspect that this means that the mobile phone number will become part of a virtual identity, bound to a digital identity (stored in the SIM) by private sector identity providers — most likely, in this case, the mobile operators.
These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public.