An article in the Herald on the 8th of April 2025, indicates that the Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) is to establish a centralised register for all mobile handsets linked to SIM cards. This may seem like a progressive step in combating cybercrime. However, this move raises concerns about data control, privacy, and the proper role of a regulator in a democratic society like Zimbabwe. While securing digital platforms and reducing crime are important goals, the responsibility for registering and managing handset data should remain with mobile network operators (MNOs), not a government regulator.
The question on every person’s mind is: what will the regulator do with the data once it has it? POTRAZ, being a government body, is inherently political. Granting it access to a central equipment identity register containing IMEI numbers, user identities, and other personal information creates a powerful surveillance tool. Without clear legal safeguards, independent oversight, and a robust data protection framework, this data will be misused for purposes far beyond its original intent. Zimbabwe’s history has shown that, in the wrong hands, such data can be used to track political activists, monitor dissent, or suppress opposition.
In countries like China, centralised phone and SIM registration is already being used for extensive state surveillance. Authorities can monitor citizens in real time, often under the pretext of maintaining security. Similarly, in India, while the Aadhaar-linked SIM verification project was rolled out to improve transparency and security, it also sparked legal challenges over privacy violations, leading to court rulings that placed limits on mandatory linkage. These examples serve as cautionary tales of what can go wrong when regulators or governments have unchecked access to personal digital data.
In contrast, countries like the United Kingdom, Germany, or South Africa have MNOs responsible for SIM registration and handset tracking. These operators are required by law to comply with security and privacy standards, and regulators play a facilitating role, rather than a custodial one. In the UK, for instance, Ofcom does not hold a central handset database. Instead, MNOs work with the GSM Association’s Equipment Identity Register (EIR) to block stolen phones using their IMEI numbers. This model ensures that the data remains with those who collected it, entities that are already regulated and subject to consumer protection laws.
Furthermore, it is essential to recognise that cybercrime cannot be defeated merely by registering devices. Most cybercriminals exploit software vulnerabilities, use anonymised internet services, or operate outside jurisdictional boundaries. Therefore, effective cybercrime strategies must focus on enhancing digital literacy, strengthening forensic capabilities, and fostering international cooperation. The idea that registering every phone will stop cybercrime is akin to saying that recording every car will end all traffic offences; it is a simplistic approach to a complex problem.
Another practical issue is redundancy and inefficiency. MNOs already collect IMEI numbers when handsets connect to their networks. They maintain their own databases and have the capability to block devices across networks, especially when working together. Creating a central database managed by the regulator would mean duplicating this infrastructure at a significant cost to the taxpayer. What additional value does this bring? Instead of centralising control, the government should encourage greater inter-operator cooperation, infrastructure sharing, and developing common standards to share critical data without creating a single point of failure.
Centralised databases are attractive targets for hackers. A breach in such a system could expose millions of users’ personal data. In a decentralised setup, where data remains with the MNOs and only limited, necessary information is shared, such a risk is mitigated. Regulators should focus on setting and enforcing cybersecurity standards, not hoarding data.
Finally, we now have data protection regulations which POTRAZ should follow. Any initiative that impacts personal freedoms must involve public consultation and legislative scrutiny. Citizens must be informed about what data is being collected, why it is needed, who will have access to it, and for how long it will be stored. The principles of transparency, accountability, and consent must be upheld. It is unacceptable for such sweeping measures to be implemented without open debate or proper oversight.
While registering handsets to fight cybercrime may sound reasonable in theory, placing that responsibility in the hands of a government regulator like POTRAZ poses serious risks. MNOs already possess the necessary data and systems to manage handset security effectively. The regulator’s role should be to create enabling policies, monitor compliance, and protect consumer rights, rather than to act as a data warehouse. Zimbabwe must learn from global best practices and avoid repeating the mistakes of others. Security must never come at the cost of personal liberty and privacy.
Engineer Jacob Kudzayi Mutisi