POTRAZ’s subscriber database might not track you, but it can identify you

Recently, POTRAZ published an interesting call to tender in the press.

The tender called for:

Eligible bidders for the supply, installation and commissioning of a National Central Subscriber Information Database System (NACSID) and associated hardware and networking infrastructure

A National Central Subscriber Information Database System?

In simple terms, it is a National Directory of registered mobile subscribers.

All information provided to mobile network operators on sim card registration will be recorded in this directory.

The database of subscribers will be pooled from existing databases of licensed mobile network operators in Zimbabwe.

The mobile operators already had our information since POTRAZ enforced its Statutory Instrument 95 of 2014,requiring that:

No service provider shall activate a SIM-card on its telecommunication network system or provide a telecommunication service unless the customer details have been registered

According to the same SI, where the client is a natural person, registration of a sim card requires: full name; permanent residential address; nationality; gender; subscriber identity number; national identification number or passport number.

From what we have gathered so far, the establishment of a National Directory has been in POTRAZ plans for the past two years.

So now POTRAZ is finally making steps to implement its plans and establish its own centralized database.

POTRAZ expressed its intentions of establishing a “Central Subscriber Information Database” in which “all subscriber information shall be stored” in its Statutory Instrument 95 of 2014.

POTRAZ main reasoning for establishing a database included the ability to:

• monitor service providers’ compliance with the provisions of regulations
• assist with the operation of the emergency call services or assisting emergency services
• assist law enforcement agencies or safeguarding national security
• assist with the provision of mobile-based emergency warning systems
• authorize/allow for research in the sector

On the issue of access to subscriber database, POTRAZ outlined that access to any subscriber information stored in the service provider registers and central database shall be prohibited except on the following grounds-

• the operation of the emergency call services or assisting emergency services
• assisting enforcement agencies or safeguarding national security
• the provision of mobile-based emergency warning systems
• undertaking approved educational and research purposes
• assisting the Authority to verify the accuracy and completeness of information held by licensed operators

The only relief to subscribers being that:

any person who is aggrieved by any unlawful use of his or her personal data shall have the right to seek legal redress

There are two issues we have identified as possible causes for concern:

1. In POTRAZ’s reasoning for establishing their own database, they state that they intend on assisting law enforcement agencies or safeguarding national security.
2. The information in the database is accessible to any enforcement agency or entity safeguarding National Security.

Based on the information contained in the SI, POTRAZ is not integrating with existing MNOs they are just receiving a copy of their records and plugging into a stand-alone database.

Service providers shall, on a monthly basis or at such regular intervals as the Authority may from time to time specify, transmit to the Authority all subscriber information captured in their subscriber registers within the preceding month or such period as stipulated by the Authority in accordance with these regulations.

The Authority shall set up mechanisms that will enable data controllers to conduct periodical compliance audits to verify the accuracy of data submitted by service providers.

POTRAZ will not be able to track you, just identify you.

With this National Directory, POTRAZ can simply receive a request from an approved source, identify you on all mobile networks, and provide them the information you produced on SIM registration.

The Police, for example, can now simply approach POTRAZ with your ID or name, get information from POTRAZ of what lines you are registered with, take this information to MNOs and proceed with their investigation from that point on (voice call recordings, text message logs tracking etc) based on the Interceptions of Communication ACT without all the red-tape involved in approaching a MNO.

Although this could be a major concern to most subscribers, the database does have a benefit.

There is a depressing lack of research and statistics in the telecommunications industry in Zimbabwe.

Having a centralized database will help ease research into the state of Telecoms in Zimbabwe, we have long suspected we are being misled by some of the facts and figures we receive from Mobile Network Operators reports with the SI stating that:

Persons seeking to use statistical subscriber information for approved research purposes are required to apply to the Authority, specifying the reason for which they seek to use the information.

Please share what you think of POTRAZ having a National Database of Subscribers, its intentions and how it could impact you in our comment section

You can download POTRAZ’s Statutory Instrument on SIM registration and establishing a National Database here .