Ministry of Telecommunications’  IMEI Registration Policy Threatens Digital Privacy

An example of an IMEI number, IMEIInfo.com.

The Lebanese Ministry of Telecommunications recently announced that residents must register the International Mobile Equipment Identity number (IMEI) associated with their phone numbers on a new website. After people register their IMEI number, the ministry then sends them a link, which will activate their phone on the mobile network. It claims that this measure will limit illegal phone trafficking, but in practice, IMEI registration will also restrict citizens’ privacy and give the government a way to track, and potentially target mobile devices.

What is an IMEI Number?

The 15-digit IMEI number, which is linked directly to a physical device, “denotes the standards board responsible for assigning the identifier, the time that [a device] was manufactured, the serial number issued to the model of the device, and the version of the software installed on the phone.” Telecom operators use the IMEI number to identify valid devices and in turn, can also use them to detect stolen phones. When an operator has determined that a phone is stolen, it can prevent the phone from working on a mobile network by blacklisting the IMEI number in a database, such as the Equipment Identity Register (EIR). If a network blacklists the IMEI number, the phone will not work whether or not the owner of the phone changes the SIM card.

The Dangers of Linking Phone Number with IMEI

There are many concerns about linking the Mobile Subscriber Integrated Services Digital Network Number (MSISDN), more commonly referred to as the phone number, with the IMEI number. To register a new prepaid SIM card, Lebanese citizens and residents already must provide identification with their name and personal details. Therefore, the MSISDN and the International Mobile Subscriber Identity (IMSI) are fundamentally linked to the holder’s identity. Within the current law, the ministry has also attached the IMEI number and likewise a people’s devices to their identity. To counter mobile phone trafficking, states and operators are currently able to check the EIR for registered IMEI numbers, which means there is functionally no need for link the IMEI number to the MSISDN and to a person’s identity.

Therefore, the Ministry of Telecom’s new policy gives the government the capability to do far more than just track illegitimate phone trafficking. If the government has the IMSI, IMEI, and MSISDN linked to a residents’ identity, it is capable of tracking devices and connecting them to their owners. Additionally, the law makes it more difficult for users to easily switch phones to protect their privacy, which is particularly important for journalists and activists. This policy makes searching for exploits or seeking professional help to target a specific device easier because the IMEI number reveals many of a device’s technical features. A government with enough resources could use these numbers conduct more targeted surveillance operations.

The Ministry’s new policy also potentially exposes IMEI numbers to third parties. The new site, intended to verify IMEI numbers, has numerous security issues, according to our technical analysis. These lapses could jeopardize users’ personal data and threaten their privacy because third parties, including other governments, could potentially obtain their IMEI. Access to IMEI numbers could enable these third parties to conduct targeted, widespread surveillance operations or to conduct targeted marketing without the consent of the website’s users.

Legal Protections

The recently passed Electronic Transactions and Personal Data Law does not explicitly mention IMEI number as a type of personal data. Under the European Union’s General Data Protection Regulation (GDPR), both the IMEI number and MSISDN are considered to be personal data, but the new Lebanese law rarely mentions explicit types of data and the exclusion of the IMEI number enables the state to continue to harvest this data without users consent.

The Ministry’s new IMEI registration requirement, which the MoT previously introduced in a different form between 2013 and 2014, effectively turns every cell phone into a tracking device without protecting the data, technically or legally. Considering the Lebanese state’s history of digital surveillance, the unregulated collection of IMEI numbers poses a threat to the privacy of all Lebanese residents.

To check your own IMEI number, dial*#06# and then can check your phone specifications on https://imei.info.

 

للقراءة باللغة العربية.


Ragheb Ghandour is a PhD Student. He is a computer scientist with a Masters degree in Information Systems for Risk Management and a cybersecurity enthusiast. He mainly focuses on human-error in cybersecurity and the rights to online free expression and privacy.

, , , , , , ,

10 Responses to Ministry of Telecommunications’  IMEI Registration Policy Threatens Digital Privacy

  1. Fadi kattan June 27, 2019 at 7:58 pm #

    Hi i receive this message from mot( Dear Subscriber, this Samsung Galaxy J7 with IMEI 352206088375396 was used before) plz can you tell me what it mean. I bought my phone from 4 years ago and more from lebanon

  2. Sylvia July 10, 2019 at 8:37 pm #

    I wanted to change my WhatsApp number bt it refused do I have to register another line or not

  3. BestErnestine July 22, 2019 at 12:34 am #

    I have noticed you don’t monetize smex.org, don’t
    waste your traffic, you can earn extra cash every month with new monetization method.
    This is the best adsense alternative for any type of website (they approve all
    websites), for more info simply search in gooogle: murgrabia’s tools

  4. kimo AD August 18, 2019 at 5:09 pm #

    my phone locked
    note 4
    model : SM-N910T
    imei code : 35459406512327938

  5. micheledisaverio September 16, 2019 at 6:06 pm #

    This is contrary to the basic principles for which Internet was founded during the 1960s: openness and freedom. It gives to a public governamental authority or to a manopolistic cartel of private mobile phone companies the power to exclude single users from the access to Internet, or to a have a mobile phone at all.

    The Ministry isn’t obliged by law to forward (by e-mail or SM) any confirmation link, after users has asked foran IMEI confirmation. Hence, he can discriminate, he has the power to deny the access to the national mobile phone network, for all the mobile phone companies operating into it.

    This is possible not only by a legal point of view, but also from a technical one. When you sign a contract with a mobile phone company, you must give your identity card or other identity document which your mobile mobile number is associated to. In other words, any SIM is linked with the personal identity of the owner.

    For registering the IMEI iinto the prescribed-by-law website, many people have a unique way to access to Internet, their mobile phone. So, the IMEI is linked with their SIM accessing Internet and it also can be linked with their personal identity.

    Are we so confident that the public authority (e.g.police and independent authorities for military/national security reasons) hasn’t the right to be noticed by private companies about the name and surname of some (extended) categories of owners?

    It also can have further legal implications, even if penal law requires a major degree of proof than the civil law. And this is the case: any future use of the mobile phone-IMEI with the same SIM card used for its registration can be used as a legal proof of the identity of the user.

    We don’t understand Arab, but if the request isn’t anonymous and the confirmation reply isn’t automatic, the question is rightly put.

  6. LalarAmkewat September 26, 2019 at 10:08 am #

    869445038330486

  7. Marwan Dumariah October 20, 2019 at 3:26 pm #

    i bought my s8 plus from about two years, it worked good from that time till now, but suddenly the phone can’t connrct to the network, it says no service, and can’t get any GSM Signal.
    i checked the IMEI and it it’s approved
    what is the problem?

  8. Rochell Miyasaki November 16, 2019 at 2:33 am #

    You ought to take part in a contest for one of the highest quality sites on the web. I most certainly will recommend this website!

Trackbacks/Pingbacks

  1. سياسة تسجيل IMEI التي تفرضها وزارة الاتصالات اللبنانية تهدّد الخصوصية الرقمية للمواطنين | - December 5, 2018

    […] Read in English. […]

  2. 9 Ways To Protect Your Phone From Being Stolen - Folkire - June 29, 2019

    […] Credits: SMEX […]

Leave a Reply

I footnotes