After the approval of the National Register of Mobile Phone Users, six million Jalisco citizens will have to give the telephone companies their personal and biometric data (such as fingerprint, iris scans, and facial and voice recognition, among others) if they want to continue communicating through cell phones. Nationally, 86.4 million people are required to submit their biometrics to the national registry.
PVDN wrongly reported earlier this week that the new law would apply to any new cell phone registrations. The law requires all cell phones in use to be registered with the user’s biometric data within the next two years or service will be canceled.
The federal government claims the new law is of national security and to combat extortion and fraud, among other criminal operations carried out with these devices, although most crimes carried out using cell numbers are from stolen devices.
The Federal Telecommunications Institute ( IFT ) will manage the information, which will be shared with the authorities when a crime committed with mobile equipment is investigated.
The IFT will have six months to issue the administrative provisions to create the national registry. Once published, the companies will have half a year to register new users and two years to register all the lines acquired before the reform. This sets a deadline of two and a half years that the Mexican government expects to have the biometric data of nearly every person in the country.
What information will Mexico collect on all cell phone users?
The National Register of Mobile Telephone Users will contain, on each telephone line, the following information:
- Phone number.
- Date and time of activation of the phone line.
- Full name or, where appropriate, name or company name of the user.
- Nationality.
- Official identification number with a photograph or Unique Population Registry Code of the line holder.
- Biometric data of the user (fingerprint, iris scan, facial and voice recognition) and, where appropriate, of the legal representative of the legal entity (in accordance with the general administrative provisions issued by the Federal Institute of Telecommunications).
- User’s address.
- Data of the telecommunications company to where the phone service is registered.
- Mobile phone line contracting scheme, either postpaid or prepaid.
The government promises not to misuse your personal data
The government promises the information contained in the National Register of Mobile Phone Users will be confidential and reserved in terms of the general laws on Transparency and Protection of personal data.
It’s unclear how Mexico plans to keep the biometric data of over 80 million people secure in a country where government corruption is widespread.
“When a password is compromised, you can defuse password re-use attacks simply by changing the password. However, you cannot change your biometric data, so once it’s compromised, it can persist as an identity-based threat. Your eyes, face, or fingerprints are forever linked to your identity (excluding bio-hacking—a topic for another day). Any future hacks that solely rely on compromised biometric data can be an easy target for threat actors,” according to BeyondTrust.com.
The INAI considers it essential to limit the collection of biometric data as much as possible, “since any damage or violation could generate significant damage that is difficult or impossible to repair.”
According to the new law, three months to three years in prison, a very small amount of time, will be imposed on those who, being authorized to process personal data, cause a breach of security to the databases in their custody (for profit). The amount of money that can be generated through the sale of biometric data of 80 million people is much greater than the risk of three years in prison.
Your phone line will be terminated if you don’t submit your biometric data to the government
The reform for the creation of the National Register of Mobile Telephone Users, which will include the biometric data of the users, establishes that they will have up to two years to comply with the new law.
The law highlights that the federal government, through the Ministry of Communications and Transportation (SCT) and the Federal Institute of Telecommunications (IFT), as well as telecommunications companies and, where appropriate, those authorized, must carry out an information campaign aimed at its customers, which allows them to comply with the obligation to register and update their data (also within a period of two years).
In addition, they must inform users that, if they do not carry out the procedure of submitting their biometrics to the government within the indicated period, the provision of the service related to the mobile telephone line will be canceled, without the right to reactivation, payment or compensation.
“Once the period indicated for the registration of holders or owners of mobile telephone lines has elapsed, the Institute will request the telecommunications concessionaires and, where appropriate, those authorized, the immediate cancellation of those mobile telephone lines that have not been identified or registered by users or clients ”.
New mobile phone users will have a period of six months from the moment the Institute issues the general administrative provisions to register their SIM card and submit their biometric data to the federal government’s registry of users.
The federal government, through the SCT, the Security Secretariat, and the IFT, as well as telecommunications companies, must carry out information campaigns and programs for their clients or users to encourage the obligation to immediately report the theft or loss of their cellular equipment or SIM cards, as well as to prevent identity theft and the illicit use of mobile telephone lines, in addition to cases of sale or transfer of a mobile telephone line.
Mexico has tried this before and the data was hacked and published online
In 2009, the Federal Telecommunications Law was amended to establish the National Registry of Mobile Telephone Users (Renaut), which was terminated due to data management failures.
The registry included the name of the owner of the telephone line, the number, and data of the device, as well as the Unique Population Registry Code (CURP), but in June 2010 it was reported that the information contained in the registry was already published online.