First published: 16th February 2021
A consultation paper titled, "Real-name Registration Programme for SIM Cards" was issued by the Commerce and Economic Development Bureau of the HKSAR Government on 30 January. This Response is the comments on the issued covered, written by Allan Dyer.
The need for this regulation has not been shown, the proposals will not have the desired effect and they will cause undesirable effects.
While criminals desire anonymity, the current situation still allows them to be traced. Law enforcement can already use an IMEI number as input for tracking devices that are able to locate a mobile phone with an accuracy of a few meters.
If real-name registration was required for PPS cards, criminals desiring anonymity would achive it by other means. Utilising stolen phones and SIM cards would be an obvious option.
The last large-scale bombing campaign in Hong Kong was in 1967 when 1100 real bombs were found. They did not use PPS cards or mobile phones, because the technology was unavailable. The organisation behind it ordered the end of the campaign in December 1967.
During the 2019 disturbances, there were many reports of petrol bombs being made and used. There was one report of a bomb controlled by a mobile phone (on 2019-10-13, Police strongly condemn massive violent and vandalistic acts ). The availability of anonymous PPS cards does not appear to be a significant factor for the criminals.
Presumably, a criminal willing to plant a bomb would not hesitate to steal a phone to control it. There are also alternatives to using a mobile phone. A simple FM receiver or a timer are obvious options.
There could be detection advantages to allowing anonymous PPS cards. A bomb controlled by a mobile phone could be tracked retrospectively by the phone's IMEI, revealing its movements before deployment and perhaps even the IMEI of other phones in close proximity to it.
The consultation paper does not present evidence that real-name registration would address the most prevelent crimes. In Section 2.5, statistics for "Guess Who" fraud cases are given, 70% of such cases use PPS cards and are anonymous. Therefore, 30% of cases use an originating number that can be traced to a business or individual paying the bills. Are those 30% investigated and prosecuted more successfully than the 70% PPS card cases? The same question could be asked for the additional crime statistics in Section 2.6.
The Consultation Paper is correct in Section 1.3, "PPS services are popular because of such flexibility and convenience, particularly for low-volume users and those who do not wish to be bound by a fixed-term monthly plan or service package." Such users are likely to be poor or in vulnerable groups, the elderly, retirees or those who are less familiar with the use of technology. Their choice of phone is likely to be price-driven: a cheap, out-of-date or second-hand phone because it meets their needs. Currently, this makes them unlikely to be targetted by phone thieves who will naturally seek the new, high-price models. Having a phone that is unlikely to be stolen is an advantage for these users.
Therefore, the expected result of real-name registration would be an increase in phone theft from exactly the people the Consultation Paper claims in Section 2.3 are most vulnerable to telephone deception.
A victim of phone theft incentivised by real-name registration will, automatically, become a suspect in any crimes that involve the stolen SIM. Hopefully, the Police will consider the possibility and be considerate, but they will still be wasting time investigating an entirely innocent victim. In the worst case, a vulnerable person might have their phone stolen multiple times, because it is easier to steal from such a victim, and the repeated pattern will, inevitably, trigger a deeper Police investigation.
Additional personal data will be collected by the service providers and stored. There have been many cases, some in Hong Kong, of large companies mishandling the security of personal data. There is also the possibility that dishonest employees could steal selected data.
The service providers will have to train their staff to correctly collect and handle the additional personal data and buying a PPS card will take a lot longer for the staff involved. These costs will, inevitably, be passed on to the user, hitting the poor and vulnerable most. The additional cost will be the same for a low duration PPS card or a high duration one, so the low duration cards may cease to be cost-effective for the service providers. The disappearance of the low duration cards will again hit hardest at those who are most cost-sensitive.
As noted in Section 2.2, "PPS services have benefited local users and visitors looking for affordable, flexible and convenient mobile services usage". A traveller arriving after a long flight does not want to go through a long registration procedure to get connected. When I needed a phone connection on arriving in Mainland China, I bought a PPS card from a stall in the arrivals hall, but it was a difficult decision to hand over my passport for copying to a person who might have been employed by a phone company I had not heard of. It would be easy to trick a tired traveller into responsibility for two PPS cards ("and sign the copy here, sir"), again defeating the purpose of the registration.
Exhibitors at trade shows sometimes need temporary staff to have assured communications. Some companies achieve this by giving the temporary staff PPS cards. The cards are a "throw-away" item that does not need to be collected after the event. Each card would need to be registered, there would need to be one permanent employee responsible for every three temporary employees with PPS cards, and the company would have to recover the cards at the end of event. Making sure a temporary employee doesn't wander off with a PPS card is an unwanted inconvenience at the end of a trade show, when everyone is trying to pack up and go home. These all increase the costs.
Real-name registration would destroy the potential of IoT. Cheap communications will soon be available to thousands of tiny devices through 5G, but requiring real-name registration will make that difficult or impossible. A recent IoT deployment in Hong Kong has put a device on thousands of trees, monitoring their health and safety. Would that be feasible if an employee is required for every three trees, to be responsible for the SIM cards?
Even if the employee count problem can be avoided, what will happen to IoT deployments in Hong Kong if the easiest way for a criminal to get an untraceable SIM card is to steal an IoT device?
Informants and whistleblowers have an important function in a society, they can trigger investigation into wrongdoing by the powerful. Organised criminals could obtain personal information from service providers to trace and target informants.
Some junk or suspicious calls come from unreachable numbers. This makes it impossible for users to call back. While the originating number information might not be available for all international calls, it should be possible for service providers to provide an accurate originating number for all local calls. No legitimate tele-marketing company should have an issue with their potential customers being able to identify and contact them, so enforcing this makes a useful division between legitimate and fraudulent callers and will increase public confidence in telecommunication services in Hong Kong.
Many fraudulent calls are being recognised by ordinary phone users and dropped or blocked. Presumably these represent the equivalent of a car thief walking down a line of parked cars, checking for unlocked doors. Making a formal report for a failed attempt is too much trouble for the user and the authorities. If the service providers were required to support a simple code to indicate, "previous call was suspicious", the reports could be collected and processed automatically, patterns of abuse identified and the numbers involved targetted for follow-up action. Simply disabling the abused SIMs would increase costs for the criminals.
The proposed real-name registration would damage Hong Kong's technological progress, the poor and vulnerable, and business development. It would increase crime and not have significant benefits in allowing criminals to be caught and prosecuted.