This article was originally published as the editorial for Issue 3 of Southern Africa Digital Rights, an online publication produced under the project "The African Declaration on Internet Rights and Freedoms: Fostering a human rights-centred approach to privacy, data protection and access to the internet in Southern Africa".
Biometrics involve biological data stored digitally which is unique to individuals. According to the United Nations Children’s Fund (UNICEF), biometric technologies utilise measurable physical traits like fingerprints, facial images, and iris scans to identify or verify a person’s identity.
Various entities, including banks, e-commerce platforms, civic registration authorities handling birth and death records, mobile service providers for SIM card registration, and agencies issuing identity cards and passports, maintain personal information. These platforms are susceptible to potential breaches by malicious actors seeking to exploit vulnerabilities.
This discussion delves into the vulnerabilities of identification cards, e-passports, SIM cards, and financial institutions that collect biometric data in exchange for services. It explores how the increase in biometric datarelated crimes exposes weaknesses in these systems, posing a threat to people’s right to privacy.
The case of Botswana
Botswana is reputed to be the first country in the Southern African Development Community (SADC) to successfully introduce identification cards with the Automated Fingerprint Identification System (AFIS) and according to the United Nations Conference on Trade and Development (UNCTAD) sponsored National ICT Policy Review and E-commerce Strategy for Botswana (2021), “is in the process of upgrading this system to into a single, multi-biometric and multiple-use new-generation platform.” [1]
Although the initiation of National Identification cards, locally recognised as Omang (‘who are you?’), dates back to 1988, Botswana only ratified the Data Protection law in 2018. This legislative stride was designed to regulate the collection of personal data, ensuring monitoring and governance over its acquisition and storage by both public and private entities (Data Protection Act, 2018). This legal framework aimed to assuage concerns regarding potential misuse of personal information in the era of biometrics, a landscape previously devoid of regulatory oversight. [2]
The Legislative Framework Change Report (2004), arising from a benchmarking exercise to formulate Botswana’s ICT policy, forewarned of the requisite measures for safeguarding personal data, particularly in light of burgeoning digital biometric technologies. [3]
Discussions pertaining to identity theft and the impetus behind the Data Protection Act had been underway.
Salient Biometric Advancements
There are key biometric developments that have taken place over time which form a picture of the country’s status on the matter.
Identification Cards
The crux of Botswana’s biometric progression hinges on the Automated Fingerprint Identification System (AFIS), inaugurated in 1988 to preclude duplications.
These ID cards incorporate dual-layered security protocols, enabling visual and machine-based readability. [4] Mandated for citizens aged 16 and above, these cards ensure a direct linkage between birth and death registrations (ID4D, 2018).
Omang functions as an elemental document for services necessitating biometric identification. On registration, individuals furnish personal details encompassing name, age, date and place of birth, eye colour, height, and a portrait image captured by the issuing department. All these are visible on the card upon production while some of the information is machine readable. [5]
Sim Card Registration
In 2009, the government of Botswana introduced registration of mobile phones’ sim-cards. The Executive Director of the then Botswana Telecommunication Authority (BTA), Thari Pheko was quoted as saying the initiative was meant to fight crime and that it was ‘international best practice’. [6]
Since then, when installing a new sim card, registration is required, where upon personal data is provided. At the time the initiative was introduced, the media cried foul, insisting the system was open to abuse as the media has, as some of its stakeholders, undisclosed sources.
The Media Institute of Southern Africa (MISA) was fearful that media sources would be targeted for personal and political reasons (Afrol.com). Also of interest is the requirement to repeat this biometric information whenever a service is required from mobile operators.
This means the information is available to all and any customer service personnel handling calls at any given time.
E-passport
Botswana introduced the e-passport in 2010 and this was regarded as a move to curb forgery and other related misdemeanours. [7]
Just like the ID cards, e-passports require retention of biometric information in digital systems, leaving the data subjects with no control over the safety of such information. It is, however, notable that the passports are said to be installed with an Extended Access Point (EAC) in their security chip, which is expected to mitigate illicit access. [8]
Human Rights Considerations
All the projects identified run short of strict assurance to respect or adhere to human rights. The service users are often not given an option or explanation but are expected to just give away their personal data. The human rights approach in the collection of biometric data is lacking.
The whole PANEL concept is breached as there is no participation, accountability, non-discrimination, empowerment and legality in the process. The examples discussed below will demonstrate this observation.
Multi-national corporates and data flight
Data subjects are not in control of their information, especially its retention by the processors. Personal data is often passed around across different jurisdictions with the assumption of prior consent from the customer. While these conglomerates publish privacy statements alerting users of the possible flight of their personal data, [9] customers in need of urgent services would usually just give away their biometrics.
Institutions such as banks maintain distinct privacy policies, often shaped by legislative mandates within their home jurisdiction and not originating in Botswana.
Take Stanbic, a subsidiary of the Standard Bank group, for example. It adheres to the same privacy protocols centralised at Standard Bank. Notably, the bank, like others, elucidates its privacy and data stance on its website, outlining its approach and procedures.
However, this scenario underscores the limited influence customers in Botswana wield over the destination of their personal data, a clear human rights concern. [10] This issue is not exclusive to Stanbic or the banking sector; it is widespread among companies with headquarters abroad.
For instance, customers of Multichoice might receive calls from individuals in Zambia, promoting the company’s offerings and seemingly possessing intimate knowledge of the customer’s biometrics. Similarly, insurance companies like Hollard, operating their customer service desks from South Africa, solicit personal data, including biometrics, from customers in Botswana, despite claiming domicile within the country.
Ernst & Young (E&Y) Botswana is another example of an institution who publishes a ‘Privacy Statement’ on its website, in what appears to be proactively absolving themselves from possible legislative issue in their host jurisdictions. Just like others, E&Y is a global company that shares its customer data across different jurisdictions. [11]
Despite the publishing of privacy statement, customers are ignorant of the way their personal information is passed around. Worse still, even if they are aware, they have no option if they want the service provided. It must be noted that all this is contrary to the provisions of the Data Protection Act, 2018, which is explicit in Section 48 (1) that: “the transfer of personal data to other countries is prohibited.” [12]
Identity theft and surveillance
Mmegi (2020) highlighted a surge in incidents of identity theft in Botswana, particularly during the Covid-19 period. Criminals engaged in phishing tactics to obtain individuals’ identities, gaining access to their personal and financial information. [13] They masqueraded as reputable organisations, ostensibly seeking information to aid the targeted individuals. Once they acquired a fragment of information, such as age, these criminals exploited it to acquire further details.
Social media platforms are inundated with narratives of scammers contacting unsuspecting customers of mobile operators, often falsely claiming to offer services or declaring that the customers have won prizes. These calls, appearing authentic and furnished with accurate customer information, coax individuals into confirming banking or mobile money account details. In certain instances, individuals are coerced into depositing money into provided accounts. [14]
The Sunday Standard (2020) reported on Orange Money, a prevalent mobile money service in Botswana, acknowledging awareness of the reported scams through its parent company, Orange.
Surveillance
Botswana has advanced its surveillance ambitions over the years and with the advent of technologies, this has become prevalent. Surveillance is also provided for in law, notably the Intelligence and Security Act, which allows the Director General to secure a court order to intercept private communications. [15]
An illustrative case involved a retired senior soldier, Pius Mokgware who won an out of court case, in which he accused his former employer (Botswana Defence Force) of targeting him for surveillance. It was revealed the surveillance was done through intercepting his phone communications with the assistance of an employee of a state-owned Botswana Telecommunication Corporation’s then subsidiary, be Mobile. [16]
Another development related to surveillance has been the installation of street cameras by the Botswana police. The cameras, installed in partnership with Huawei technologies, are said to be fitted with facial recognition technology. [17] This has raised fears that, contrary to what they are officially meant for, which is to fight crime, the use of this technology is vulnerable to abuse. While there has not been a public case specifically arising from the CCTV surveillance, the ‘body language’ of government justifies suspicions. In January 12, 2022, government gazetted and pushed to parliament a bill seeking a blank cheque to snoop and intercept the public’s private communications. [18]
The Criminal Procedures and Evidence (Controlled Investigations) Bill 2022 alerted the nation to the government’s appetite for surveillance. The push back was successful as it resulted in a watered-down version. [19]
Section 16 (i) of the initial bill gave the head of investigation a right to order interception of communication without a court warrant. Civil society amongst them the Universal Periodic Review Working Group consisting of several NGOs, considered the bill an affront to human rights, and an intrusion into someone’s privacy. [20]
The bill further provided for interference with the national civil registration database as it allowed for ‘assumed identities’ to be officially recognised through regular registration and issuance of identity documents.
This would have the effect of embellishing the national civic registration with fake biometric information and in the process eroding the integrity of the identity process.
Legal instruments
International legal instruments that recognise the right to identity and nationality include the Universal Declaration of Human Rights and the Convention on the Rights of the Child, resolution 44/25 of November 20, 1989 (ID4D, World Bank, 2016). There is, however, scanty specific mentions of biometric data protection in many legal instruments, with the General Data Protection Regulation of European member states being one of the few that addresses it specifically. [21]
A number of laws in Botswana facilitate the use of Biometric data and some even speak to its protection.
The Cyber Crime and Computer Related Crimes Act of 2007/8 provides the basis to curb digital crimes. The law, as in Section 17, can be helpful in preventing unlawful disclosure of information gained through provision of service. [22] In practice, however, the law has been largely used to frustrate whistle blowing and to protect the reputations of politicians. It has been used, for instance, to arraign people for ‘maligning the leadership’ thereby limiting their freedom of expression.
While the Data Protection Act of 2018 was also expected to protect privacy and personal data, it has not been fully enforced and no public awareness campaigns have been conducted. This is one law, which, while it can do with some improvement, is informed by international best practices. Section 25 (i and ii) of the Act specifically speaks to ‘Processing of genetic data and Biometrics.’
Another notable mention is Section 48 and 49 that prohibits cross border data flight as discussed above under the multi-national corporates subheading. The Children’s Act, Section 23 provides for the right to privacy for children. While it can be argued that collection of the child’s biometric information is in both the child and public interest, and the confidence that the system is locked against any intrusion, stolen identity is still possible.
Conclusion
The enforcement of the right to privacy, particularly regarding the protection of biometric data, remains insufficient, both in terms of legal provisions and practical application. While certain laws, such as the Data Protection Act of 2018, make mention of biometric data, there’s a pressing need for a dedicated law that comprehensively addresses and elaborates on this critical matter. The current legislation only touches upon biometric data briefly, necessitating a more expansive scope and detailed reflection within the legal framework.
Given the prevalence of identity theft, state surveillance, financial fraud, and other related crimes, treating biometric data as a peripheral concern is no longer viable. Financial institutions tend to merely present privacy statements as a formality, neglecting to implement additional measures that ensure customers fully comprehend the risks associated with divulging their biometric data. Moreover, these institutions are complicit in what can be termed as ‘data flight,’ wherein personal data is exchanged among their branches globally, sometimes conducting customer interviews via phone from international offices. Such practices persist despite the explicit provisions within the Data Protection Act of 2018 addressing the issue of data flight.
Consequently, the conclusion arises that biometric data collection in Botswana lacks the essential components integral to human rights: participation, accountability, non-discrimination, empowerment, and legality.
Observations and recommendations
- There exists a deficiency in legal frameworks safeguarding personal biometric data. Government should urgently enforce the Data Protection Act in Botswana.
- Government should develop a dedicated Biometric Data Protection Act that comprehensively addresses the rights of diverse segments of society, including children, persons with disabilities, and those living in poverty.
- Civil society displays apathy toward issues concerning biometric data protection, underscoring the necessity for a comprehensive mapping of necessary actions.
- The public and civil society at large should participate in the formulation of laws; hence, the recommendation stands to establish a platform facilitating engagement for civil society organisations and the public before parliamentary debates to either adopt or reject bills.
- Government should prioritise the operationalization of the Data Protection Act of 2018, and desist from adopting conflicting laws that impact negatively on citizen’s right to privacy.
Notes:
1. UNCTAD https://unctad.org/system/files/official-document/dtlstict2021d4_en.pdf
2. One trust Data Guidance https://www.onetrust.com/products/data-guidance/
3. Maitlamo, Botswana National ICT Policy - Legislative Framework and change Report 2004 https://ictpolicyafrica.org/en/document/khdaorfc689?page=1
4. ID4D, World Bank, 2016) https://www.studocu.com/ph/document/university-of-the-philippines-system/electricalengineering/botswana-id4d-diagnostic-web-040418/14195549
5. Ibid
6. Afrol News http://www.afrol.com/articles/29785
7. Sunday Standard, 2010 https://www.sundaystandard.info/botswana-introduces-electronic-passport/
8. networkweek.net
9. Stanbic Bank privacy statement https://www.stanbicbank.co.bw/botswana/personal/About-us/privacy-and-securitystatement
10. Ibid
11. Earnst and Young Privacy statement https://www.ey.com/en_bw/privacy-statement
12. Data Protection Act 2018 https://www.bocra.org.bw/sites/default/files/documents/DataProtectionAct.pdf
13. Mmegi, 2020 https://www.mmegi.bw/opinion-analysis/keeping-your-identity-safe-through-a-pandemic/news
14. Sunday Standard, 2020 https://www.sundaystandard.info/orange-botswana-warns-of-scammers/
15. State of Internet Freedom in Botswana, 2019; https://cipesa.org/wp-content/files/State-of-Internet-Freedom-in-Botswana-2019.pdf
16. Sunday Standard, details of BDF intelligence illegal spying onformer deputy commander kept secret, 28 February 2013 https://www.sundaystandard.info/details-of-bdf-intelligenceillegal-spying-on-former-deputy-commander-kept-secret/
17. LONDA- Botswana Digital Rights and Inclusion, 2020 report https://paradigmhq.org/report/londa-digital-rights-and-inclusion-in-botswana/
18. Government Gazette Extraordinary- Criminal Procedures and Evidence (controlled Investigations) Bill January 12, 2022 https://cpj.org/wp-content/uploads/2022/01/Botswana-Criminal-Procedure-and-Evidence-Bill.pdf
19. VOA-Botswana Government waters down phone tapping Bill after public outcry, February 4, 2022 https://www.voanews.com/a/6426756.html
20. UPR Working Group statement, February 1, 2022 https://www.facebook.com/ditshwanelobotswana/posts/upr-ngo-workinggroup-press-statement-on-the-criminal-procedure-andevidence-con/2086553018220146/
21. Thales Group- Biometric Data and Privacy Laws (GDPB, CCPA/CPRA) https://www.thalesgroup.com/en/markets/digitalidentity-and-security/government/biometrics/biometric-data
22. State of Internet Freedom in Botswana, 2019 https://cipesa.org/wp-content/files/State-of-Internet-Freedom-in-Botswana-2019.pdf