Thin SIM Technology: A Threat to Data Privacy in Kenya?
- CIPIT |
- April 14, 2015 |
- Guest Post
By Wanjiku Karanja
Equity Bank’s plan to launch mobile phone services though “Thin SIM technology” was blocked by the High Court on the 18th of December 2014 following an application by legal advocacy lobby “Kituo cha Sheria”, which argued that the use of the technology raises legitimate concerns as to the security of data or personal identification numbers (PIN) on the primary SIM. The lobby further accused the Communications Authority of authorizing the technology without a full audit of the security risks to the subscribers’ personal data of the primary thin SIM that will be overlaid by the thin SIM. The court orders barring the roll out of the SIMs were directed to Finserve Africa Ltd, a subsidiary of Equity Bank, and the Communications Authority of Kenya.
“Kituo” sought the order in pursuance of their constitutional right to institute court proceedings to claim a contravention or threatened contravention of the Constitution, as under Article 258 of the Constitution, as a matter of public interest. Thin SIM/ Skin SIM technology is an overlay technology that involves the placing of a paper-thin plastic sheet (skin SIM) on top of a standard SIM card without affecting the original service provider’s network reception but while providing an additional service. This essentially creates a dual SIM feature. This technology was developed in China nearly a decade ago by a Shanghai based company; F-Road, to address the demands of Chinese customers who frequently found that their mobile phones were roaming when travelling outside their home province.
This SIM technology has been brought to Kenya not by a mobile operator, interestingly enough, but by Equity Bank. Equity was licensed as a mobile virtual network operator (MVNO) in early 2014 under the name “Equitel”, making it the latest entrant into a fiercely competitive mobile money market that has long been dominated by Safaricom. Following a hearing before a Parliamentary Committee on Energy, Information and Communication in September 2014, the Communications Authority of Kenya (CAK) gave Equity Bank the green light to roll out its thin SIM cards in a yearlong pilot scheme. In a press release, Equity CEO James Mwangi stated: “ In this venture of enhancing our mobile banking offering, we are as always, driven by our focus of making financial services convenient, accessible, affordable and inclusive”. He further added that the charges under their service would be at a “sixteenth of the current market charges”.
While it may seem that Safaricom’s main concern is its 73% mobile money market share, the company claims that their concerns are essentially based on what they claim is the technology’s potential to:
– Record and divulge mobile user PIN details (including Mobile Banking PINS)
– Intercept, manipulate and/or destroy Unstructured Supplementary Service Data (USSD) communications
– Cause denial of service to existing SIM’s by intercepting, manipulating and/or destroying SIM toolkit instructions
– Carry out actions without the explicit permission or knowledge of the mobile user for example monitor calls and SMS
– Obtain unauthorized access to the SIM card and change configuration settings and thus impacting the customer experience adversely.
Taisys Technologies, the manufacturers of the thin-SIMs, however insist that the technology is neither intended, nor has the capability, to disrupt or interfere with the functions of the primary SIM card.
Motives aside, the issues expressed by Safaricom raise major concerns as to the implications of the technology on the consumers’ right to privacy. Article 31 of the Constitution of Kenya (2010) protects the right to privacy of every individual including the right not to have information relating to their family or private affairs unnecessarily required or revealed or the privacy of their communications infringed. The Kenya Information and Communication Act and Consumer Protection Regulations (2010) further provides that a consumer has the right to personal privacy and protection against unauthorized use of personal information. The roll out of a technology that compromises the security of the data of members of the public is in blatant contravention of these two provisions.
The case, which continues, to be heard is bound to have a far-reaching impact on the mobile money sector status quo, irrespective of its outcome. However, it is only in the fullness of time that the implications of this technology will be clear.
This blogger awaits further developments in this case.