• Sunday, Mar 24, 2019
  • Last Update : 08:59 am

How safe is your biometric data?

  • Published at 12:42 am November 10th, 2017
How safe is your biometric data?
When the government took the initiative to biometrically register mobile phone subscribers in 2015, it stirred mixed reactions across the country. Many were concerned about the security of the process through which such sensitive, personal information was collected, as well as the security of the database it would be stored in. In light of the information that the law enforcement agencies have uncovered while investigating a fraudulent transaction case, it seems the concerned citizens may not have been completely off the mark. In one of the most recent cases, a team of the Criminal Investigation Department (CID) recovered 1,200 Subscriber Identification Module (SIM) cards of Teletalk while investigating a shady transaction through mobile financial service bKash. When these SIM cards were sent to Teletalk for verification, the company said they had no information against any of the SIM cards, even though all of them were active, sources in the CID told the Dhaka Tribune. There have been many other cases where the law enforcement agencies have found mobile phone numbers registered with either fake or someone else's personal information – even the fingerprints. The investigators found not just Teletalk numbers, but numbers of all the other mobile operators which have been registered with fake information and, subsequently, are being used for criminal activities. These SIM cards are activated mostly in the northern region of the country, the bulk of which is supplied to Dhaka and Faridpur, the CID sources said. However, the SIMs can be delivered to any part of the country if ordered. CID officials said these “fake” numbers are used in six major crimes: issuing threats, extortion, opening fake social media accounts for fraudulent activities, opening bKash accounts, illegal VoIP business and other criminal activities. This situation is the result of the gross negligence during the re-registration procedure in 2015-16, said a CID official. “Take Teletalk for example. They have registered their numbers using National ID [NID] number, but they did not verify the information. Banglalink used only NID number and date of birth,” he told the Dhaka Tribune, requesting anonymity.

It's an inside job

The information that was required for successful re-registration of a mobile phone number was the photocopy of the subscriber's NID and his or her fingerprints, which were collected by designated call centre officials and vendors. “We were surprised when we learnt that Teletalk did not have any information on the 1,200 SIM cards we seized,” said Additional Superintendent of Police Rajib Forhan, who is leading the CID team investigating the bKash fraud case. During investigation, the CID found that customer care officials and vendors of all the mobile operators were involved in this shady business. In the bKash fraud case, the CID arrested three people from Rangpur and Dhaka, one of whom was Ahmed Jahid Anwar, a customer care supervisor of Teletalk, and another was Mahmudul Hasan Mamun, a computer operator at Rangpur City Corporation. “This is a case of gross negligence, which helped the criminals to trade faulty numbers,” said Additional SP Rajib Forhan. Furthermore, Rajib said the mobile operators neglected four major issues during the re-registration process: taking fingerprints on the forms as biometric information, verifying NID information against the mobile phone number, second contact or reference contact, and permanent address. The Detective Branch (DB) of police and the Rapid Action Battalion (RAB) have been investigating fake SIM cards as well. On February 17 this year, RAB arrested 61 vendors of Banglalink who were trading a huge cache of numbers that had been registered with fake information. These vendors filled up customers' registration form with stolen photos and fake data and NID numbers, said RAB officials.

Where is the problem?

There has always been concern regarding the safety of the information collected for the NID. The announcement of biometric registration fuelled it further. A writ petition challenging the legality of biometric SIM registration was filed by lawyer SM Enamul Haque on March 9, 2016, arguing that collecting such private information of citizens by the mobile companies was not safe as, except for Teletalk, owners of the five other mobile operators were foreign entities which posed a risk of leak of the information, to be used by anyone – even criminal organisations. The High court dismissed the petition later and gave the biometric registration a go-ahead. However, the recent revelations of fraud and negligence regarding biometric registration have raised the question again: How safe is the database that stores our personal information? When asked, NID Wing Director Abdul Baten said with confidence that there was no chance that the security of the NID server had been compromised and information had been stolen. Asked about the mobile operators having access to the NID server during biometric registration, he asked to contact Brig Gen Mohammad Saidul Islam, the project director. The Dhaka Tribune could not reach him on phone despite several attempts. M Zakir Hossain, assistant director of Bangladesh Telecommunication Regulatory Commission (BTRC), said the information of Teletalk subscribers were stored in the BTRC server which was maintained by the government itself. However, Zakir admitted that some data had been stolen, but he did not give any details. “It is not possible to steal Teletalk subscribers' information from its server; Teletalk does not have its own server,” said BTRC Brig Gen Nasim Parvez, director general of BTRC Spectrum Division. He further said they had sent a letter to Teletalk seeking explanation about the fake SIM cards, to be submitted within 10 working days. He also said the BTRC was running its own investigation, and they had already taken action against a few vendors who had been selling SIM cards pre-activated with fake information and other irregular activities. Earlier on February 11, BTRC Chairman Shahjahan Mahmood said they would take strict actions, including financial penalty, if any mobile phone retailers were found involved in selling SIM cards using false information. Dhaka University IIT Department head Prof Dr Shariful Islam said when subscribers provide their information, they want assurance from the authority. If this trend of fraud continues, question must be raised over security measures taken for the safety of the citizens' personal data. “If the information has been stolen, anything could happen. An innocent person could face criminal charges because a SIM card registered under his or her name was used to commit the crime,” he told the Dhaka Tribune. CID Additional SP Rajib Forhan said it was important to raise awareness among the subscribers so they would regularly check to see how many mobile phone numbers had been registered under his or her name. When a contacted, a Teletalk high-up, requesting anonymity, said the mobile phone operator had formed a three-member committee to look into the matter. “Strict action will be taken against those who are found guilty,” he told the Dhaka Tribune. He further said information leak from the Teletalk server was impossible. The Dhaka Tribune contacted Banglalink for a comment, but they refused to talk over phone.