In response to security incidents around the country, the government has hatched an intervention to curb insecurity by re-registering people with their national IDs.
This re-registration exercise is opening up space for identity theft which could lead to other crimes. This exercise is making all Ugandans more insecure regardless of status.
In the exercise, users register their national ID data using USSD codes. Users are prompted first to enter their NIN, followed by their names.
What is wrong with the registration exercise?
This registration exercise does not provide an independent way to verify that someone is who they say they are. In other words, I could register as someone else if I had access to their national ID card.
How can a person be independently verified?
The most reliable and affordable way to independently verify a registration is to have an independent person who verifies that the ID is used by its rightful owner. This way if anything goes wrong the registering party can be held to account. This system is often useful for tracking fraudulent bank accounts and transactions. Persons who register are held to account if details are not sufficient to identify an account holder.
There are other ways which might be less reliable. For example, for a re-registration, a Telecom company would double-check that the new name on a SIM card matches the name of the old identity. This has nuances that can cause mistakes. Its biggest loophole is the fact that not all people registered before, so not everyone can be cross-referenced. This means that all those people who had not registered have a free pass to register with whichever ID they have access to or are targeting (if the companies are using this method). Given the presence of unregistered numbers, I think it is highly unlikely that the Telecom companies are cross-referencing to ensure that someone's new names match the previous names. And it really does not guarantee ownership.
It might also create additional security if people re-registering are asked a question only they can reliably know, such as their mother's maiden name. This is not common information and we would expect only the children to know their mother's maiden name. This would prevent random thefts of identity but it would not prevent targeted thefts (i.e. a person chooses an individual whose identity they want to steal and finds out their mother's maiden name).
What can go wrong if someone registered using my National ID details?
If someone registered with your national ID, they could use that number to extort money from someone else. For example they could kidnap and ask for ransom money to be sent to that number. When the police start investigating, they would come for you. Given our justice system, you would only be able to go free if at all you are able to prove your innocence after paying significant sums of money to a significant number of people in the justice pipeline. That is in addition to the time you would have lost trying to prove to the police that you are innocent.
It might also be used to fool and defraud your friends. Some people know of criminals who create fake profiles of famous and important people on Facebook. They then use these profiles to obtain money from friends of the famous or important person, promising to pay it back. I was once almost a victim myself. This new registration exercise opens up the real possibility that someone could create a fake Facebook profile and corroborate it with a telephone number. The person sending the money would never suspect anything, since they see that they are indeed sending the money to that famous person. The possibility of this might be limited by the way mobile money is handled. But it is a possibility I can only rule out with full knowledge of the mobile money protocol and of the separation between the mobile money system and the regular usage of SIM cards.
In a twist, if you are important, it might be used to trick innocent people into committing crimes and/or being innocent accomplices in the commission of crimes. For example, someone might ask an innocent victim to do surveillance on a party of interest, claiming that the request is coming from a police chief. He would then corroborate that with a mobile money transaction clearly showing the names of the Chief. The things that can be done with a faked identity are endless. I cannot list them all here.
In what ways can my identity be stolen?
Your identity can be stolen by practically anyone who has access to your national ID information, since there is no independent verification of ownership.
- It could be employees of the national ID system who can search in the database for your details.
- It can also be done by hackers who have compromised the national ID system. Yes this is possible; everyone can be hacked including the FBI. It might actually be easier than imagined because of the problem of people who are weak links. Once a malicious person has access to your name and national ID number they can register as you.
- Agents helping people to complete their registration could copy their ID and register as those persons.
- It can also be done by thieves who have stolen National ID cards or who have access to stolen cards.
- It could also be done by Telecom insiders who may have access to the portal.
There is no direct way to know that someone has stolen your identity unless it has been used to commit crime. One possible way would be to search for Telephone lines registered to each and every National ID and verify that these are indeed owned by that 'owner'.
This is not a practical solution because it requires every individual to check their registration which cannot happen. It also presents challenges in implementation because it requires searching information in different sources (different operators and the national ID system).
What can be done to ensure security given this system?
The only reliable and workable solution is to stop the exercise and invalidate all the information that has been collected, because for all I know, it is possible that many fake and stolen identities are already lying in wait to be exploited.
If the government maintains that people should re-register with their national IDs, it should create a program which stretches over time and which has a mechanism to guarantee ownership of identity, such as through a third party. The re-registration should exclude self-registration. I also think that the government should do more to evaluate its capacity to handle an intervention in the long run whenever new interventions are being implemented.
Another way of ensuring security given such an insecure process is to do surveillance of all calls that people make so as to detect possible identity theft. There are companies which have this kind of system to detect fraud and theft. An example is VISA, one of the companies that allows users to perform transactions online. As in the case of our ID, possession of a VISA card is sufficient for a person to perform a purchase.
However, unlike the case of the national ID, the company does monitor every transaction. It also has access to both the buyer and seller and could easily void a transaction. VISA uses algorithms which tell it whether a card is likely to have been stolen and is being used by thieves. This is possible because VISA is directly involved in every single transaction that takes place. It knows where you are and what you usually buy. This system is further protected by the fact that every item ordered is sent to a location and an individual which can be tracked. Unlike VISA, however, our systems are distributed, with each Telecom operator having its own information store which it cannot share with others, for purposes of protecting the consumer. Further, the Telecom operators are not motivated like VISA to monitor fraud because it does not directly affect them or directly benefit them.
Finally, setting up such a system of surveillance on top of such an insecure system would create a weak link. A malicious person can commit crime with impunity by just compromising the surveillance system. This is why security cameras alone are not sufficient to prevent security incidents: when such places are robbed, the cameras will be conveniently turned off, or everything else will appear on camera except the face of the person causing the security incident. With our national ID system, it is possible that before a major security incident, power blacks out and the backups are conveniently under repair or get spoiled at that critical time. Such a system does not fail safe and therefore fails catastrophically.
Further, we have a history of interventions which create news, cause pain and some economic activity in the short run but which are eventually abandoned. The examples range from seat belts and speed governors to previous registration efforts. It is highly possible that this intervention too will be abandoned after a few months. The only difference with this intervention will be that it will have opened up a huge portal for unprecedented levels of identity theft, exposing many more Ugandans to crime and many more to being victimized by crime rings.
Can I be victimized?
Everyone is vulnerable to being victimized if they have a National ID. Important people are even more vulnerable because they can be targeted by crime rings and enemies. Yes, that includes everyone, including the Police Chief and our honorable MPs in the august House.
What can I as an ordinary citizen do?
As an ordinary citizen, there is practically nothing you can do to change the situation. The only thing that would perhaps be of help is to pester your area MP so that parliament can inquire into and block this process. You can also remind them that as public figures they are especially vulnerable to identity theft and to being targeted in malicious ways using this flawed system. Indeed, every person is vulnerable to insecurity, as recent events have shown.
Any questions?
Feel free to leave them below as a comment and I will be glad to answer them.