In a move to combat mobile phone theft, the Department of Telecommunications has rolled out a pan-India tracking system for lost or stolen mobiles called Central Equipment Identity Register (CEIR) as a part of the Sanchar Saathi Portal, last week.
The Sanchar Saathi Portal is an artificial intelligence-based portal which will enable telecom users to trace and block their lost or stolen phones, trace whatever phone connection is taken on an individual's name across the country and determine the number of connections each person has taken. It is meant to "empower mobile subscribers, strengthen their security and increase awareness about citizen centric initiatives of the Government".
The CEIR service was originally launched in December 2019 for regions like Dadra & Nagar Haveli, Goa and Maharashtra. The service was then extended to Delhi in later months, the Times of India reported.
The service has been designed to deter mobile phone theft and make it easier for authorities to locate lost or stolen phones, find cloned or counterfeit phones, and restrict the usage of those cloned phones.
How does CEIR work?
According to its official website, CEIR is a citizen centric portal which facilitates blocking of lost/stolen mobile devices in the network of all telecom operators so that lost/stolen devices can not be used in India.
“If anyone tries to use the blocked mobile phone, its traceability is generated. Once a mobile phone is found it may be unblocked on the portal for its normal use by the citizens,” the official website reads.
The CEIR uses the IMEI number of the stolen/lost mobile to track it. The IMEI or the International Mobile Equipment Identity is a unique 15-17 digit number which is registered with the telecom providers as soon as the phone is connected to a network. This number is used by service providers to uniquely identify valid devices, and will now be used by CEIR to track and locate stolen or misplaced phones.
For requesting blocking of a number, a police case must be filed and a copy of the SIM card pertaining to the lost number must be procured. According to the official procedure, “This is essential because you will need to provide this as the primary mobile number (OTP will be sent on this number) while submitting the request for blocking your IMEI.”
After filling the request registration form for blocking the IMEI of lost/stolen phone, and attaching the required documents (a copy of police report and an identity proof), the complainant gets a request ID which will be used for checking the status of the request and for unblocking the IMEI in future.
After the lost phone is recovered, the complainant has to fill another form on the CEIR website requesting to unblock the IMEI number.
How is CEIR different from ‘Find My App/Device’?
The ‘Find My App’ on iOS and ‘Find My Device’ on Android can also help find the missing device. However, they operate differently as compared to the CEIR.
As the IMEI number is being used by the authorities to track and prohibit active phones, it means that after the phone has been stopped by the CEIR system, it will be unable to connect to any national telecom network. “After the phone has been blocked, it cannot be used on any network across India", the CEIR website states. This, however, does not prevent the police from tracking the lost/stolen phone.
On the other hand, the Find Phone services offered by Apple and Google, use device level authentication to find and locate their devices, with and without Wi-Fi or cellular network. Once a phone has been blocked using Apple's or Google's Find Phone feature, the phone won't unlock unless the original owner can re-verify and re-authenticate the phone's information.
The device level authentication also enables users to completely delete all of the data on their device in case it ends up in the wrong hands. This feature is not available with CEIR.
What are the privacy concerns with CEIR?
Speaking to BOOM, Akshay, an independent security researcher, explained the privacy concerns related to the CEIR facility. "CEIR does not give users the option to opt out of the facility nor does it provide an option to opt out of the database that the government will maintain," he said. The Find Phone features of Apple and Google allows users to switch off this feature as any phone can be easily tracked if somebody else other than the owner has the access to the credentials.
However, as the CEIR system uses IMEI number, it can by default, track any phone in India in real-time. Moreover, in 2022, the Indian government made it mandatory for all the phone companies like Apple, Samsung and others to disclose the IMEI number of all their devices to the Centre.
As the telecom operators are required to place a blind trust on the government for the IMEIs to be tracked, according to Akshay, there is a lot of potential for abuse by the government or 'accidental' errors that could render anyone's device inoperable or tracked.
Another concern remains about the storage of these sensitive data. The current form that CEIR website uses to submit a request for a stolen mobile phone gathers personal details, including sensitive IDs and Aadhaar numbers. This, according to Akshay, is a matter of concern as "there is no clarity on if it is being stored with the same level of protection as it is at UIDAI".
According to Prateek Waghre, policy director at Internet Freedom Foundation, the concern is also whether this phone tracking service is powered by a deeper surveillance architecture as the privacy policy of CEIR does not provide sufficient information.
"We also don't know whether the information being taken and stored in a centralised database will identify a person or shall remain anonymised/restricted to handset level information," he said.
Waghre's foundation has filed an RTI application to get more clarity on concerns stemming from the data storage issues and accessibility of that data.