Harare – The Post and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) is lobbying the Government to introduce mandatory registration of mobile handsets by SIM card holders, citing the need to bolster the security of electronic transactions and combat the escalating threat of cybercrimes.
Engineer Hasha Myambo, POTRAZ’s competition and standards manager, emphasised the critical importance of registering handsets alongside the existing SIM card database to enhance transaction security and restore trust in the country’s ICT sector.
“There is a need for appropriate policies to address the different vices that happen in cyberspace,” Eng Myambo said during a recent ICT stakeholder engagement.
He explained that while existing regulations compel mobile network operators (MNOs) to register all issued SIM cards, POTRAZ is advocating for a “corresponding instrument that puts in place a Central Equipment Identification Database for handsets to which operators subscribe.”
This proposed database would enable the swift blocking of stolen or lost devices from operating on any network shortly after a report is filed, acting as a deterrent to mobile-related crimes and fostering greater confidence in the ICT ecosystem.
Eng Myambo added that this registration initiative signifies a shift from a command-and-control regulatory approach to a collaborative model, fostering a competitive digital economy.
“The regulator is engaging ICT stakeholders, particularly other regulators, to come up with coherent national plans that integrate ICT-based development to maximise the impact of ICTs on economic growth and social development,” he said.
However, the proposal has sparked debate, with some experts raising concerns about data control, privacy, and the appropriate role of a regulator in a democratic society like Zimbabwe.
Engineer Jacob Mutisi, a former Zanu PF activist-cum-critic now based in the United Kingdom, has penned an article questioning the wisdom of entrusting a government regulator with such sensitive data.
Mutisi argues that the responsibility for registering and managing handset data should remain with MNOs, who are already subject to security and privacy standards. He raises concerns about the potential for misuse of data by a government body like POTRAZ, particularly in a country with Zimbabwe’s history.
“The question on every person’s mind is: what will the regulator do with the data once it has it? POTRAZ, being a government body, is inherently political. Granting it access to a central equipment identity register containing IMEI numbers, user identities, and other personal information creates a powerful surveillance tool. Without clear legal safeguards, independent oversight, and a robust data protection framework, this data will be misused for purposes far beyond its original intent. Zimbabwe’s history has shown that, in the wrong hands, such data can be used to track political activists, monitor dissent, or suppress opposition,” Mutisi wrote.
He cites examples from countries like China and India, where centralised phone and SIM registration has been used for extensive state surveillance, raising concerns about the potential for similar abuses in Zimbabwe.
Mutisi contrasts this with countries like the United Kingdom, Germany, and South Africa, where MNOs are responsible for SIM registration and handset tracking, with regulators playing a facilitating role rather than a custodial one.
He also argues that effective cybercrime strategies must focus on enhancing digital literacy, strengthening forensic capabilities, and fostering international cooperation, rather than relying solely on registering devices. “The idea that registering every phone will stop cybercrime is akin to saying that recording every car will end all traffic offences; it is a simplistic approach to a complex problem,” Mutisi stated.
Furthermore, Mutisi points out that MNOs already collect IMEI numbers when handsets connect to their networks and maintain their own databases, questioning the need for a duplicate system managed by the regulator. He also warns that centralised databases are attractive targets for hackers, posing a significant risk to users’ personal data.
“Centralised databases are attractive targets for hackers. A breach in such a system could expose millions of users’ personal data. In a decentralised setup, where data remains with the MNOs and only limited, necessary information is shared, such a risk is mitigated. Regulators should focus on setting and enforcing cybersecurity standards, not hoarding data,” he argues.
Mutisi concludes by emphasising the importance of transparency, accountability, and consent in any initiative that impacts personal freedoms, calling for public consultation and legislative scrutiny before implementing such sweeping measures.
