SIM card registration: Fighting cyber criminals or breaching privacy?

MANILA, Philippines—On Dec. 6, the House of Representatives has approved on final reading House Bill No. 5793, a measure seeking to require the registration of subscriber identity module (SIM) cards.

With 181 votes supporting the bill, six against, and no abstentions, the chamber passed the proposed SIM Card Registration Act, which aims to promote accountability and help enforcement agencies in tracking down criminals through mobile phones with pre-paid and post-paid SIM cards.

READ: House OKs bill requiring SIM card registration

According to data consumer company Statista, the number of mobile phone users in the country has been consistently increasing since 2017.

Graphic by Ed Lustan

As of 2019, data gathered by Statista showed that there were around 169 million mobile subscribers in the Philippines.

In this article, INQUIRER.net will explain more about the bill, as well as the pros and cons of imposing mandatory SIM card registration to get a glimpse of how the measure could affect the over 100 million mobile subscribers in the country and help fight cybercrime.

House Bill 5793

The proposed measure mandates every Public Telecommunications Entity (PTE) or direct seller of SIM cards to require all end users—any individual or subscriber who will buy a SIM card from a direct seller—to present valid identification with photo upon purchase.

Graphic by Ed Lustan

End users will also be required to accomplish and sign a control-numbered registration issued by the respective PTE of the purchased SIM card.

“The registration form shall include an attestation by the end-user that the person appearing before the direct seller is the same person who accomplished and signed the registration form and that the identification documents presented are valid and correct,” the bill stated.

“Failure of an end-user to comply with the requirements under this section shall be a ground for the PTE or direct seller to refuse the sale and issuance of a SIM card,” it added.

Graphic by Ed Lustan

The accomplished registration form must be submitted to the concerned PTE within 15 days from the date of sale—except in cases where the PTE is the direct seller.

“Failure on the part of the direct seller to comply under this section shall constitute a violation of this Act,” the bill read.

Section 7 of House Bill No. 5793 stated that a verified list of authorized dealers or agents nationwide shall be submitted by the PTEs to the National Telecommunications Commission (NTC) within 30 days from the bill’s effectivity.

The PTEs will be required to submit an updated list to the NTC every quarter of each year.

The bill likewise requires all PTEs to maintain a SIM Card Register of their subscribers.

Requirements

Section 5 of the bill stated that all direct sellers will be required to register the following information in the SIM card registration form:

(A) Full name, date of birth, gender, and address of the end user in the presented original copy of the government-issued ID with photo. Among the accepted, valid government IDs include:

  • passport
  • national ID
  • digitized Social Security Service (SSS) ID
  • Government Service Insurance System (GSIS) e-Card
  • driver’s license
  • firearms’ License to Own and Possess (LTOP) ID
  • Professional Regulation Commission (PRC) ID
  • Integrated Bar of the Philippines (IBP) ID
  • Overseas Workers Welfare Administration (OWWA) ID
  • digitized Bureau of Internal Revenue (BIR) ID
  • voter’s ID
  • senior citizen’s card
  • Person with Disabilities (PWDs) card
  • other government-issued ID

“In the absence of any of the above IDs, a National Bureau of Investigation (NBI) clearance, police clearance, or a Philippine Statistics Authority (PSA) certified birth certificate with an ID picture taken within the last six (6) months prior to the purchase of a SIM card shall suffice,” the bill stated.

“The direct seller may make further inquiries or require the submission of additional identification, if necessary. The purchase of a SIM card may be withheld pending submission of the additional requirements,” it added.

(B) Assigned cell phone number of the SIM card, including the serial number.

According to the measure, end-users who are foreign nationals will be required to register their full name, passport number, and address in the SIM card registration form.

They will also be required to submit the following:

For foreign nationals who are visiting as tourists for not more than 30 days:

  • passport
  • proof of address in the Philippines
  • return ticket to own country of the tourist or any other ticket showing the date and time of departure from the Philippines

For foreign nationals staying for over 30 days either as workers or students:

  • passport
  • full name as indicated in the passport
  • proof of address in the Philippines
  • Alien Employment Permit issued by the Department of Labor and Employment (DOLE)
  • Alien Certificate of Registration Identification Card (ACRI-Card) issued by the Bureau of Immigration (BI)
  • school registration and ID for students

Section 10 of the measure explained that the SIM card subscriber shall notify the PTE within 48 hours in case of loss of SIM card or any change in the information contained in the form after purchase of the SIM card.

Existing prepaid subscribers

How about existing mobile phone subscribers?

Section 11 of the bill said all existing mobile phone subscribers with prepaid SIM cards will be required to register with their respective PTE within 180 days from the effectivity of the measure.

“An extension period of not longer than 120 days shall be allowed upon a valid request to the Department of Information and Communications Technology (DICT).”

“Failure to register within the prescribed period shall authorize the PTE to automatically deactivate its services the concerned prepaid SIM card subscriber.”

Penalties

If passed into law, failure to comply with any of the provisions of the bill will result in the following penalties:

For offenses committed by a PTE, including the president and other responsible officers of the PTE:

  • First offense: a fine not exceeding P300,000.00
  • Second offense: a fine not exceeding P500,000.00
  • Third and subsequent offenses: a fine not exceeding P1,000,000.00 per every offense

For offenses committed by a direct seller:

  • a penalty of suspension of its operation
  • fine of up to P5,000.00 to P50,000.00

For offenses committed by an officer or employee of an implementing agency under the said measure:

  • a penalty of suspension or dismissal from service
  • fine to be determined by the court, “without prejudice to the filing of an appropriate criminal, civil, and administrative case”

Security concerns

A similar bill has been filed in the Senate.

Earlier this year, Sen. Sherwin Gatchalian pushed for the passage of  Senate Bill No. 176 amid criminal activities committed by fraudsters—especially during the pandemic.

READ: Gatchalian gives prepaid SIM card registration bill another push

Recently, many mobile subscribers in the country received text messages from anonymous users offering high-paying jobs that are too good to be true.

READ: Cyber criminals run rampant via SMS, prey on Filipinos in need of jobs

While the measure passed by lawmakers in the House seems timely amid the increasing cases of ‘smishing’—a combination of SMS (short message service) and phishing—some have already raised concerns on the unintended security and data privacy issues that could arise if the measure is passed into law.

READ: Privacy body warns: SIM registration bid may lead to ‘heightened risk’ in personal data breach

Pierre Tito Galla, an engineer and co-founder of the advocacy group Democracy.net.ph, raised such concerns in a television interview together with Rep. Ruffy Biazon, co-author of House Bill No. 5793.

“[R]emember, any registry that exists, especially a registry that has our personal identifiable information (PII)…what happens if there is a breach?” Galla asked in an interview over ANC.

“For example, if a person has seven numbers to his name because he uses one for his business, one for personal use, others for engineering projects, what happens if these numbers are leaked and these PII under the Data Privacy Act is leaked?” he continued.

“[The measure] creates an additional vulnerability to all of us [if passed into law],” said Galla.

On the other hand, Biazon said that aside from the Data Privacy Act, there were sections in the House version of the bill which ensure confidentiality and the safety of collected data from end-users.

Under Section 8 of the passed bill, it stated that:

“Any information in the SIM card registration shall be treated as absolutely confidential, unless access to information has been granted upon written consent of the subscriber.”

“Provided, that the waiver of absolute confidentiality shall not be made a condition for the approval of subscription agreements, The confidentiality clause in the SIM card registration shall take effect at the point of sale.”

Meanwhile, Section 9 of the bill stated that:

“[T]he PTE shall be required to disclose the full name and address contained in the SIM card registration, upon a duly issued subpoena or order of a court upon finding of probable cause, or upon written request from a law enforcement agency in relation to an ongoing investigation, that a particular number is used in the commission of a crime or that it was used as a means to commit and unlawful act.”

Shortcutting due process?

Aside from data privacy concerns, Galla also raised the issue of shortcutting due process if the measure is passed into law.

“There’s a lot of data out there that law enforcement can already get from voluntary sim registration, that already happens now without going through mandatory registration—which its only function is to get a name,” Galla said.

“It’s an obvious shortcut, that’s as much as you can get from it,” he added.

According to Galla, law enforcement officers can simply go to court and ask for a warrant to search telcos, banks, companies and provide information—including the name of a mobile number’s owner, address, latest activity in a website, etc.—based on a mobile number.

He also cited instances in Mexico, which passed a SIM registration law in 2019 as part of its anti-illegal drug, anti-human trafficking, and anti-criminality operations.

The law was repealed in 2012 due to its ineffectivity to counter-drug, human trafficking, and other criminality operations.

In a position paper published last February, Democracy.net.ph added that the law was found to result in the rise of various illicit activities such as “black market SIM trading, SIM cloning, SIM spoofing, petty theft, or robbery of cellphones for the SIMS inside them” in Mexico.

“We urge our congressmen that look, we understand that you feel that there’s a need to file such a registry, but why don’t we pass a bill instead empowering law enforcers to have more knowledge on how to pursue digital forensics and other such means by securing a warrant so that they’ll be able to go to telcos and get their information,” Galla suggested.

For Biazon, however, the bill will not shortcut due process. Instead, the lawmaker said he sees it as a “strengthening of the ability of law enforcers” to gather evidence and go after criminals.

“Under the current regime, the system is already being abused by criminals. That’s a fact. The anonymity provided by prepaid cards give rise to a variety of crimes and any measure to provide or lessen those crimes, we believe, is welcome,” said Biazon.

“What we are looking at is making it difficult for criminals to get away because of anonymity. Mandatory registration would provide that evidence, close another gap where criminals can perpetuate their acts, provide the evidence trail that can easily lead to their arrest,” he added.

While the lawmaker sees it as a difference of point of view between him and Galla on the issue regarding the alleged shortcut in due process, Democracy.net.ph’s previous position paper stated that:

“In summary: while there may be a number of use cases where SIM registration may be useful to a society, there are likewise many use cases that lead to abuse or are by nature abusive.”

“We must be careful in considering the implementation of SIM registration, and if we are to implement it the law must be crafted specifically for the use case we choose it for.”

Voluntary instead of mandatory

Galla, in the television interview, likewise said that voluntary registration instead of mandatory registration would suffice.

“In the first place, SIM card registration already exists. Those who use Paymaya, Gcash, those of us who register our bank accounts, we provide our mobile numbers to them anyway, don’t we?” he said.

“In other countries, voluntary SIM registration has been found to be the better way to go when it comes to SIM registration. In fact, it has been used in several central African countries to expand mobile banking and mobile governance, where the governments were even able to provide frontline government services through registered SIMs,” he added.

“But again, this is voluntary.”

TSB
Read more...