The terms of Resolution 1373 of the United Nations Security Council, relating to the drying up of sources of financing and other assets of terrorists and their organizations, for which electronic communications networks are essential vectors, make the question of identification of subscribers to electronic communication networks, which is now part of the criteria for labeling international best practices for telephone operators and associated or derived services, although it is likely to dissociate it from the problem of data manipulation at personal character, which can be, a fortiori , of a greater urgency.
1. Definition, objectives and methods of identification.
Identification is the fact of collecting the information – entered on an official identification document – of any subscriber when taking out a subscription with the operator, operator or supplier of an electronic communications network open to audience.
2 Terms of subscriber identification.
The operation consists in obliging the subscriber to be identified, physically and electronically, the network subscriber, by means of the collection of his identification document: national identity card, passport, residence permit, visa, consular card, etc. It is also a question of physical presence, does this mean that the subscriber must be able to be identified scrupulously as being the person really concerned? This should not be the case because the operator does not have the capacity to carry out such an operation..
The objectives of identification are of various orders. For operators, this involves: identifying all their subscribers, creating and updating a reliable and secure subscriber identification database, proceeding with the systematic suspension of subscribers without a name or without an identity document number , but active in their respective telephone networks, and to respond to legal requisitions.
For the State’s public security services, the objectives are to: expedite investigations and legal proceedings relating to offenses committed using electronic communications networks – cybercrime: threats, insults, slanderous denunciation, defamation, extortion , attacks -, send requisitions to the operators of the Judicial Police for the purpose of identifying presumed offenders, ensure the identification of the caller of the emergency services.
3. Limitations of Subscriber Identification.
The ineffectiveness of identification is firstly due to the group sale of chips and the identification of the buyer who will then resell them to other people, without carrying out their identification. The second problem is fake identification during auctions of chips. The last problem is that of the non-existence of identification. In any event, these practices make it impossible to reconcile the chip with its end user, who is no longer the previously identified subscriber.
With regard to security objectives, identification, the purpose of which is to fight against cybercrime, has no impact because the chips given when the subscription is taken out, and especially those not attached to the identification of subscriber, and to those, although recorded, that have been abandoned, stolen, lost or given away, can be recovered and used for criminal purposes, including financing and terrorist activities. This insufficiency makes the process incomplete because of failure to achieve the expected results.
With regard to the objectives of the operators, the incompleteness of the identification is also dependent on their responsibility for the data that they have the duty to collect, and that they have the more or less avowed possibility of processing or marketing . However, operators do not always have subscribers’ data preservation interests in their sights, especially when there is no regulation requiring or prescribing it, even though they derive financial benefits from it. and considerable economics.
4. Proposal of means of protecting subscribers
The first measure would be a triangular cooperation between the services holding the file for the identification and control of the movement of populations inside the territory, and between inside and outside the country – national identity card, residence permit, passport, visas for entering the territory -, civil status file management services, and the subscriber file, held by the operators. Thus, a subscription, even taken out, should only be activated when the verifications have been carried out with satisfaction either in the identification file or in the civil status file.
According to the said checks, with satisfaction on the reality of the existence and the status of the subscriber, the security services should give the discharge to the operator to activate or deactivate the subscription. This approach also makes it possible to migrate from an identification regime to an authentication regime. When you identify yourself, you give an identity that should already exist and be recorded in a database. Authentication, on the other hand, makes it possible to verify the accuracy of the identity communicated.
A two-pronged approach is possible, both on the side of the operators and at the level of the State, in particular when there is no dedicated legislation on the protection of subscriber data, and, in the presence of the fundamental principles and requirements presumption of innocence and respect for the privacy of the subscriber.