Nigerian IMEI Data Bank: Privacy Rights Violation or National Security Issue?

Background

On 8^th May, 2021, the President, Federal Republic of Nigeria, stated that he had directed the Minister for Communications and Digital Economy (the “Minister”) “to ensure that no SIM card is allowed to access our telecommunications network unless it has a NIN (national identity number) attached to it” (the “President’s mandate”).

The President’s mandate forms part of the Revised National Identity Policy for SIM Card Registration  that the Minister issued subsequent to 8^th May, 2021 (the “Revised SIM Registration Policy”). We note that the President’s mandate did not refer to nor direct the Minister to build a Centralized Equipment Identity Register (CEIR) otherwise known as Device Management System (DMS).

The Minister claims his authority to issue the Revised SIM Registration Policy flows from Sections 23(a) and 25(2) of the Nigerian Communications Act, 2003 (the “NCA 2003”). The Minister’s exercise of his general functions under the NCA 2003 is consistent with the authority he invoked to issue National Policy for Promotion of Indigenous Content in Nigerian Telecommunications Sector  which we criticized here.

Sections 23(a) and 25(2) of the NCA 2003 respectively require the Minister to always ensure the independence of the Nigerian Communications Commission (“NCC”) while performing his functions under the NCA 2003 and limits the Minister functions to issuance of general policy or to communicate federal government’s general policy to NCC only.

The DMS (IMEI data bank) which the Minister directed NCC to build, operate and manage, grossly violates Nigerians’ Constitutionally protected and guaranteed rights to privacy and family life – in the absence of any urgent national crisis.

Device Management System

DMS aims to reduce availability of counterfeit mobile phone, discourage mobile phone theft, enhance National Security, protect consumer interest, and increase revenue generation for the government.

The Minister appears too single-minded in implementing the federal government’s digital economy agenda. This is because, it is the functions of Nigerian Customs Service (“NCS”) and Standard Organization of Nigeria (“SON”) to ensure that counterfeit mobile devices and other handheld devices are not imported into Nigeria.

Should counterfeit devices be imported into Nigeria, SON and NCS exist to ensure that it is not distributed or sold in Nigeria. Responsible governance requires that NCS and SON account for the performance of their duties.

The DMS as well seeks to reduce rate of kidnapping, mitigate the use of stolen phones for crime, and facilitate blocking or tracing of stolen mobile phones and other smart devices – we will return to the lapses in these claims soon.

DMS will be a registry for keeping records of all registered mobile phones’ International Mobile Equipment Identity (IMEI) and personal details of owners of such devices. Once an IMEI is reported as either stolen or illegal, all operators and service providers will be notified via DMS

The software will ensure that such devices do not work even if different SIM Cards are inserted into those devices.  DMS will also provide access to all operators to cross-check the IMEIs and their status before allowing a device to become active on their network

Interestingly, accredited mobile phone (handheld device) technicians will also be provided with an interface to check IMEIs and ensure it has not been reported as stolen or illegal before they render their technical services.

DMS Implementing Agency

Under the Revised SIM Registration Policy, the Minister has directed NCC to implement and manage the DMS. The Minister, insists that the President has directed that DMS be implemented within 3 months from May, 2021.

The President’s mandate is audibly silent on all aspects of the DMS and its implementation. All reference to implementation is contained in the main body of Revised SIM Registration Policy.

The Minister who did not cite the President’s mandate as part of the authority to issue the Revised SIM Registration Policy is reasonably required to clarify his assertions that the President has “directed that DMS be implemented within 3 months”.

NCC’s Upend Understanding of Implementation of DMS

Nigerians have soulfully criticised the Revised SIM Registration Policy’s IMEI registry or DMS on the social media platforms. Following Nigerians’ reactions, NCC’s clarified that “at no time did the Commission issue a Statement regarding the registration of IMEI by subscribers and it has no plans to do so”

The Revised SIM Registration Policy’s objectives of implementing the DMS include the following:

• to register and capture IMEIs of all mobile phones and other smart devices on the DMS which will serve as a repository for sharing data of stolen devices across all networks;
• to ensure all un-registered devices do not work in any of the Networks in Nigeria; and
• to ensure every reported IMEIs for stolen and illegal mobile phones and other smart devices are blacklisted and shared with all operators across all networks.
• to mitigate theft of hand-held devices;
• to blacklist and render all stolen hand-held devices valueless in the market;
• to ease the use of hand-held devices in all public places without fear of been attacked by snatchers;
• to facilitate use of digital technology solutions to address key issues bothering Nigerians in the telecommunication Sector; and
• to facilitate the implementation of Device Management System in Nigeria in accordance with best global practice.

To implement DMS in Nigeria, NCC may require mobile network providers to share or transmit any subscriber’s IMEI to the DMS – this appears to be a fair assumption, unless it could be shown that government has a data bank of all device’s IMEI in Nigeria.

If true that governments have access to IMEI of devices, data protection questions need to be resolved and, network service providers risk both criminal and civil liabilities to subscribers in the event of IMEI data sharing with NCC’s DMS.

NCC seems to have underestimated its implementation of Item (b) above. Item (b) reasonably creates a dead-end and an unnecessary hardship on Nigerians, residents or visitors (the “subscribers”).

Should we trust NCC that devices will not be registered, the question is, how will a SIM card work on any device upon successful SIM registration. When no DMS ensure that un-registered devices do not work on any of the network providers’ platform.

May we assume that NCC will collate IMEI of any handheld devices imported into Nigeria – currently, this is not a process of importing devices into Nigeria. It becomes, difficult to anticipate how NCC will collate IMEI of personal handheld devices that subscribers or businessmen bring into Nigeria, without requiring registration.

The Revised SIM Registration Policy does not provide for how subscribers may de-register or depersonalize their handheld devices in the event of gifting it to a colleague, friend or charities.

In a free market economy, anyone could bring in any number of devices that do not amount to commercial quantity. How would NCC capture any such devices, without unnecessary hardship to subscribers?

DMS ensure that all un-registered devices do not work in any of the Networks in Nigeria. We recall that the process of activation of a SIM card in Nigeria, do not require registration of device with a network provider.

Upon registration of SIM card, a subscriber may at any time activate the SIM on any device. Post July, 2021, this may no longer be the case, yet, what will be is not clear.

Doubtful validity of the DMS

Section 37 of the Constitution of the Federal Republic of Nigeria (as amended) 1999 (the “1999 Constitution”) guarantees and protects privacy of citizens, their homes, correspondence, telephone conversation and telegraphic communication. Section 1(1) of the 1999 Constitution speaks of its supremacy and bindingness on all authorities and persons.

Section 21 of the Cybercrimes (Prohibition, Prevention, etc.) Act 2015 (“Cybercrimes Act”) criminalizes data privacy breaches and, IMEI of devices is a personal data capable of ensuring constant intrusive surveillance of Nigerians and subscribers.

The Cybercrimes Act applies to persons that include service providers that possess personal data and requires such persons to appropriately protect any such data. The National Information Technology Development Act, empowers NITDA to regulate ICT related data sharing and protection.

Consequently, NITDA issued the NDPR (Nigeria Data Protection Regulation 2019) which provides for how personal data ought to be shared within Nigeria or transferred outside Nigeria. The NDPR has ample provisions on sanctions for related data breaches.

We agree with Obinna Ede, a university law lecturer and researcher that the President in times of national crisis, reserves the right to restrict applicable human rights in any part of Nigeria provided:

• it is a national crisis such as the COVID 19 pandemic; and
• it is for a specified period.

The Minister did not invoke national crisis as a justification for his unconstitutional and unlawful policy to NCC to obtain IMEI from Nigerians.

Sections 23(b) and 25(1) of the NCA 2003, give the Minister rights to general policy directives only. The Minister who is a delegate of the President cannot validly take away constitutionally protected rights of Nigerians under the said provisions of the NCA 2003.

There is no national crisis, and the DMS is not intended to last for a specific period. The DMS under the Revised SIM Registration Policy is to the extent of its intrusion on the constitutionally guaranteed and protected rights to privacy, manifestly, unconstitutional.

DMS is liable to abuse

The federal government of Nigeria apparently enjoys a battered reputation among Nigerians. Should it be correct that the ordinary Nigerians’ perception of the present government is misconceived, we hold that not only security agencies that include the Nigerian Police Force, Economic and Financial Crime Commission, and Department of State Security Services may abuse the DMS.

Generally, any Nigerian with a minimum contact in Nigerian banking industry can unofficially obtain any bank’s customers’ statement of account for any purpose – criminal gangs are not excluded.

We fear that DMS will, cheaply, be accessible to and useful in a boyfriend-girlfriend love quarrels – that is how low it could get.

Conclusion

The Minister within the last 24 days, have demonstrated clear zealous intentions in his discharge of the specific duties the President and Nigerian’s people delegated to him – duties he should exercise lawfully and in the interest of the good of the public.

The digital economy cannot be achieved in isolation. Basic digital infrastructure has to be consciously built – with time. Phone thefts are nominal actions in Nigeria, it happens because financial institutions lack compliance to regulations and directives

We urge the Minister to undo this grave Constitutional error and, to patiently engage all other sectors and stakeholders to build a more robust and dynamic digital economy capable of serving Nigerian.

We call on the National Assembly, State Houses of Assembly, the Presidency, the Nigerian Bar Association, coalition of civil societies, socio-cultural groups, political parties, data protection experts and every Nigerian to prevail on the Minister to undo this clear violation of Constitutional provision which he swore to protect.

Our appeal is more crucial in view of the national industrial strike that has suspended our judicial system.