The Lebanese Ministry of Telecommunications recently announced that residents must register the International Mobile Equipment Identity number (IMEI) associated with their phone numbers on a new website. After people register their IMEI number, the ministry then sends them a link, which will activate their phone on the mobile network. It claims that this measure will limit illegal phone trafficking, but in practice, IMEI registration will also restrict citizens’ privacy and give the government a way to track, and potentially target mobile devices.
What is an IMEI Number?
The 15-digit IMEI number, which is linked directly to a physical device, “denotes the standards board responsible for assigning the identifier, the time that [a device] was manufactured, the serial number issued to the model of the device, and the version of the software installed on the phone.” Telecom operators use the IMEI number to identify valid devices and in turn, can also use them to detect stolen phones. When an operator has determined that a phone is stolen, it can prevent the phone from working on a mobile network by blacklisting the IMEI number in a database, such as the Equipment Identity Register (EIR). If a network blacklists the IMEI number, the phone will not work whether or not the owner of the phone changes the SIM card.
The Dangers of Linking Phone Number with IMEI
There are many concerns about linking the Mobile Subscriber Integrated Services Digital Network Number (MSISDN), more commonly referred to as the phone number, with the IMEI number. To register a new prepaid SIM card, Lebanese citizens and residents already must provide identification with their name and personal details. Therefore, the MSISDN and the International Mobile Subscriber Identity (IMSI) are fundamentally linked to the holder’s identity. Within the current law, the ministry has also attached the IMEI number and likewise a people’s devices to their identity. To counter mobile phone trafficking, states and operators are currently able to check the EIR for registered IMEI numbers, which means there is functionally no need for link the IMEI number to the MSISDN and to a person’s identity.
Therefore, the Ministry of Telecom’s new policy gives the government the capability to do far more than just track illegitimate phone trafficking. If the government has the IMSI, IMEI, and MSISDN linked to a residents’ identity, it is capable of tracking devices and connecting them to their owners. Additionally, the law makes it more difficult for users to easily switch phones to protect their privacy, which is particularly important for journalists and activists. This policy makes searching for exploits or seeking professional help to target a specific device easier because the IMEI number reveals many of a device’s technical features. A government with enough resources could use these numbers conduct more targeted surveillance operations.
The Ministry’s new policy also potentially exposes IMEI numbers to third parties. The new site, intended to verify IMEI numbers, has numerous security issues, according to our technical analysis. These lapses could jeopardize users’ personal data and threaten their privacy because third parties, including other governments, could potentially obtain their IMEI. Access to IMEI numbers could enable these third parties to conduct targeted, widespread surveillance operations or to conduct targeted marketing without the consent of the website’s users.
The recently passed Electronic Transactions and Personal Data Law does not explicitly mention IMEI number as a type of personal data. Under the European Union’s General Data Protection Regulation (GDPR), both the IMEI number and MSISDN are considered to be personal data, but the new Lebanese law rarely mentions explicit types of data and the exclusion of the IMEI number enables the state to continue to harvest this data without users consent.
The Ministry’s new IMEI registration requirement, which the MoT previously introduced in a different form between 2013 and 2014, effectively turns every cell phone into a tracking device without protecting the data, technically or legally. Considering the Lebanese state’s history of digital surveillance, the unregulated collection of IMEI numbers poses a threat to the privacy of all Lebanese residents.
To check your own IMEI number, dial*#06# and then can check your phone specifications on https://imei.info.
Ragheb Ghandour is a PhD Student at Mines ParisTech France. He is a computer scientist with a Masters degree in Information Systems for Risk Management and a cybersecurity enthusiast. He mainly focuses on human-error in cybersecurity and the rights to online free expression and privacy.