Mexico Tells Cellphone Users to Hand Over Biometric Data

MEXICO CITY - Mobile phone users in Mexico will now have to provide biometric data as part of a new national registry that has come under fire from privacy advocates who warn that personal information could be vulnerable to hackers or leaked to organized crime.  

The government argues that collecting data on Mexico’s 120 million mobile lines is needed to tackle extortion rackets, which rely heavily on cell phones. 

One out of six reported crimes in Mexico is an extortion demand, according to Mexico’s national statistics institute. Nearly 90 percent of extortion threats are made using a mobile phone, amounting to an estimated $605 million dollars a year, said Lucía Meza, president of the Senate’s transport and telecoms committee, during debate on the measure in the chamber. Thieves call numbers and extract money from users through different scams or threats. In the most terrifying cases, they claim to have kidnapped a relative, and to the sound of background screams from the supposed victim, demand a ransom payment.

But legal analysts question whether the new law will make any difference. Many extortion calls in Mexico originate from prisons on devices that are smuggled into the penitentiary system after having been bought on the outside. As a result, registering those phones is unlikely to help identify those making calls from within the prison walls, opponents argue. 

The law won support from President Andrés Manuel López Orbador’s Morena party and its allies while opposition parties voted against it. Opposition senators said the law is a violation of users’ privacy and vowed to appeal in Mexico’s Supreme Court. The registry was signed into law on April 16.

Claudia Ruiz Massieu, a senator from the opposition Institutional Revolutionary Party, said that a registered mobile user could be falsely accused of a crime because someone could steal their phone and use that number to make extortion calls. She also said that the national registry is similar to the one created by former Mexico President Felipe Calderón which only lasted two years – it was cancelled in 2011 after its database was leaked. Critics say the new registry could be subject to the same problems. 

The law’s wording gives no indication of what sort of biometric information will be required nor does it lay out clear security measures to safeguard the data. But typically, such data could include fingerprints, facial recognition technology or iris scans. The data will be required for new SIM cards and mobile companies will have two years to collect the information from existing users. 

Privacy activists raised several concerns as they lobbied unsuccessfully against the law. The new registry provides no protections against government access to private information, said the Network in Defense of Digital Rights, known as R3D. The group also doubted that the registry would have any effect on crime, noting that extortion rates actually went up when the earlier registry was in place. 

“It is naive to think that the registry will prevent crimes, because criminal networks use multiple techniques and mechanisms to evade the use of phones associated with their identity,” the group said. Among the techniques are cloned SIM cards, stolen phones and making calls on lines from places which are not subject to registries, the group said.

The largest telecoms operator in Mexico is América Móvil, which is owned by tycoon Carlos Slim. The company’s Mexico mobile unit, Telcel, has nearly 63 percent of all of Mexico’s cell phone lines followed by the Spanish company Telefónica and the US firm AT&T with much smaller market shares.

José Caballero, a law professor and analyst at Mexico’s CIDE university, said compiling the registry and its information is very complex, and it is oversimplified in the new law.

“When you talk of biometric data, you’re talking about very sensitive information,” Caballero said. “Any shop that sells you a SIM card will need to have some kind of interconnection with the national registry and the shop will need to obtain your [biometric] data. 

“The risks regarding the custody of the information become infinite,” he added. “The most important thing in data custody is to try and not generate any information you don’t actually require. Imagine how much data is going to be generated – handling all that data is bound to be a disaster.”

Today, SIM cards can be bought without any sort of legal identification in a myriad of places in Mexico – from street vendors to corner stores and open-air markets. 

Caballero added that authorities already have the legal ability to access a given mobile user’s phone, which is why the new law is counterproductive.

“Authorities had excessive attributions to carry out investigations [already],” Caballero said and explained that investigators need only a phone number to associate it with a location and details of the phone’s user for the past two years. 

Elsewhere in Latin America, regulators require personal information but no biometric data to buy a cellphone. Colombia has been asking SIM card buyers to register their national ID number and other basic information since 2011. Peru also requires all SIM cards to be associated with a national ID number or passport since 2010. Although people who purchase SIM cards have had to register their information since 2008 in Brazil, the largest cell phone line market in Latin America, extortion from jails is also rampant.