Myanmar to introduce mandatory biometric data collection for massive national database
The Ministry of Transport and Communications in Myanmar has come up with a strategy to create a national database of private citizen information by making biometric data collection mandatory when purchasing mobile phone services, The Myanmar Times reports.
Residents already have to show and register an identity document when purchasing SIM cards.
According to a tender document the publication claims to have reviewed last month, the government is accepting proposal submissions for a “national database to store and manage biometric mobile subscriber registration information from all mobile network operators in Myanmar.”
It further “intends to build a national database capturing biometric subscriber registration information of every mobile network user” to “ensure proper and secure registration of mobile network users and to prevent any malicious use of mobile networks.”
The data sought includes not only name, both thumbprints, a scan of the identity card and its number, but also the father’s name, date of birth and street address. For now, there is no explicit timeframe or start date.
The initiative was put forward by the Posts and Telecommunications Department (PTD). The institution has not commented on the news.
Human rights organization Free Expression Myanmar has criticized the government’s intention to collect biometric information. The watchdog’s director Ma Yin Yadanar Thein argues there is not “a single legitimate reason” for such massive personal data collection and it is “very worrying” that they have even thought about this as it is a concealed way to monitor people and their online activity.
“All governments want to collect limited telecoms information, for example to improve services and policies, or to prevent crime,” she said. “However, asking telecoms companies to collect biometric information – which is deeply personal – is the sort of grossly disproportionate policy that only authoritarian countries do. Telecoms companies in Vietnam and China collect biometrics because their governments want their populations to be constantly fearful of being watched.”
Although the document does not clearly state that the information will be used for surveillance, the state could still access a person’s activity because it would hold both SIM card registration and biometric data, as explained by Privacy International. The organization adds that the lack of clear legislation specifically for biometrics could lead to deployments that jeopardize privacy and encourage discrimination and mass tracking. To do this, the government would have to intercept telecom data, which is possible in the country because it has no law that ensures privacy and prevents the state from accessing personal data.
“The authorities need to explain why it is necessary for biometric data to be collected and how it will be used. There is also no clarity about whether this database is connected to the government’s e-ID plans,” said Vicky Bowman of the independent Myanmar Centre for Responsible Business.
The Myanmar Times spoke with a number of NGOs who warned about the consequences SIM restrictions may have on humanitarian organizations and vulnerable groups.
Not only does the government aim to create a massive database of personal and biometric information, but it also established in April that each ID may be used to register a maximum of two SIM cards. A similar measure has been taken in India, Pakistan, and Singapore, while China has introduced mandatory facial recognition scans to verify the identity of people purchasing phone plans.
By introducing the central database, the government wants to link biometric scans with government-issued identity documents, such as drivers’ licenses and National Registration Cards, but does not explain why it wants to implement this measure. Telecom operators will have access to all the information collected.
The company that wins the contract is to provide all the hardware, software, licenses and services required to roll out the biometric database, as well as a price for the smart devices used at the mobile network operators’ points of sale. Security and data encryption are also the winner’s responsibility, as the company must ensure “stringent security measures preventing loss of confidentiality, integrity and availability and leakage of information against disaster and cyberattacks.” The document does not say who will operate the database, how the data will be used, or who owns it.
Ooredoo Myanmar has already expressed interest in the project and put forward a request for proposal because it is “important for the security of the customer and will help stop the practice of the sale of multiple SIMs to individuals who use and discard SIMs.”
Telenor Myanmar, on the other hand, did not comment on its involvement in the project, but gave assurances that it takes privacy protection seriously and has procedures in place to protect subscriber’s policy.
Mytel is still undecided, and state-owned MPT is waiting for government instructions.