NIN: How presidential aide exposed Nigerians to data breach via NIMC Mobile App registration
We need your support to produce excellent journalism at all times.
IN a clear contradiction of the position of National Identity Management Commission (NIMC) on the use of the commission’s new Mobile Identification Application (MWS), Anjuri Ngelale, the Senior Special Assistant to the President on Public Affairs has asked Nigerians to commence use of the mobile application.
The advice shared on Twitter Sunday, August 15 was to Nigerians who have gotten their National Identity Number (NIN) but yet to receive the NIMC cards.
“The card is just for convenience; the real thing is the number you have. With that number, you are on the databank,” Aregbesola stated in a report by ThisDay Newspaper.
“Everything about you is there. We are just upgrading it such that your DNA too will be there very soon.
“Even if you are in a car, I will know if you are the one in the car with your DNA. It’s already captured. You are already captured, you cannot run away anymore,” Aregbesola said.
But Anjuri’s advice to Nigerians may have cost those who eventually downloaded and used the mobile application a data breach.
This is because as of the time he made the announcement, the Commission was yet to officially launch and declare the application safe for public use.
Ngelale said with the MWS App, the public could reduce the time wasted at the NIMC offices while trying to receive the physical cards.
“Patriot, for those who have successfully registered for the NIN, kindly use this excellent medium to eliminate wait time and expense for the national identification cards,” he tweeted on Sunday, August 15, 2020.
“Download App on link below, input NIN number and mobile number, then print.”
Mixed reactions trail App download
The news was widely accepted by most people on social media until some users began to express concerns about the suspected glitch in the technology.
Some complained of being presented with wrong identities when they input their NINs and mobile numbers as directed. Others complained over wrong photographs.
Michael @itsparrow, one of the complainants criticised the application for producing a different identity such as image and personal details of a different user.
“This thing seems like scam oo, for them to have your details. it’s bringing out someone else’s details and photo,” he tweeted in response to the thread.
A social media user identified as Prosperity @prosperiosy had similar experience of conflicting data.
“@nimc_ng after downloading the App and inputting my NIN, I found out that the ID was not mine. See attached; how come about this error and how can it be rectified?” he tweeted.
“The laminated copy I collected since 2014 is different from what is online and there’s no picture on this one.”
The Presidential aide tried to enlighten the aggrieved ones to get the right usage of the software. He retweeted those who eventually got the process right.
“Wow! This is fantastic. It works. I just did mine now. @Mbuhari Ayaya,” Boyobanty @megaclose tweeted.
A similar positive tweet came from Chinaka @ClintonChinaka. “Yes, I renewed my national identity card through this process three weeks ago.”
Oladipo Idris, another user shared his good experience, though after initial hiccups.
“I just downloaded the app, it works. At first, it fetched a wrong data for me, but when did a reset it generated my actual data. Good one from the @NigeriaGov @FMoCDENigeria”
Thank you @MBuhari
I just downloaded my National ID card online in less than 3minutes. 🤸🤸
Go and get yours too ✌️ pic.twitter.com/J62ruFgs1O
— Jerry Durojaiye 🕗 (@kokomatic) August 15, 2020
Don’t use App until it is officially launched- NIMC
Meanwhile, Kayode Adegoke, the NIMC’s spokesperson had in an interview with The ICIR on August 4 told the public to wait until the application is officially launched. He advised that whatever information that does not emanate from the official social media handles or press releases from the Commission should be discarded.
Adegoke said then the security infrastructure among others relating to the application was yet to be perfected, noting that once everything regarding the software is completed, it would officially be declared open for public use.
“The general public should be aware so that they won’t be swindled of their money,” he said while responding to a similar viral WhatsApp message about the mobile application.
“We are building up the mobile applications where Nigerians can actually access their cards. We are doing the pre-trial stage but we have never asked anyone to supply their BVN number or Tax number or so,” Adegoke explained.
“What we are doing is work in progress. That is why we have not officially launched it. So, not until it is officially launched, we want to ensure everything and the security is in place. Then, we will communicate to Nigerians…to download en masse.”
Adegoke during the interview had advised The ICIR to use its official platform to enlighten Nigerians against trusting information from other sources. “Anything outside NIMC official platforms, people should not regard it.
“We noticed that some unscrupulous elements want to manipulate Nigerians. It is still being processed, that’s why it has not been officially launched.”
So, on Saturday, when The ICIR sighted Ajuri’s post which has generated lots of reactions and threads, Adegoke was contacted to verify if the mobile application has been launched as earlier advised but he responded ‘no’.
“We would communicate the date appropriately,” he said.
On Sunday, August 16, Adegoke was contacted again for comments because the claim has gone more viral.
Repeated calls to his line were unsuccessful. He failed to answer the calls.
The reporter subsequently shared the link of Ngelale’s tweet with Adegoke via the WhatsApp platform but still did not respond to the messages.
The controversial tweet was deleted shortly after.
The mobile application was also removed from the Google Play Store where it was originally hosted.
Though applauded by few users on the google store, majority of those who rated the application before it was deleted ranked it 1, from 1 – 5.
The review rating was fair (2.4).
However, The ICIR still found the App on Apple Store.
On August 18, the NIMC officially debunked the tweet, advising Nigerians to hold on until it is launched.
“The App is still in the test environment and currently being fine-tuned to give users the best experience with adequate privacy and data security safeguards. Once the test stage is concluded, the Commission will issue a formal statement regarding its usage by our esteemed NIN registered persons,” Adegoke stated in a press statement.
Ngelale keeps mum
The ICIR reached out to Ngelale on his verified handle to ascertain if he was aware of the NIMC’s position on the mobile software before he made the announcement. More so, the Commission’s standpoint to put on hold the software until its formally launched, but he gave no response.
Akindayo Akindolani, Managing Partner, McAnderson Institute of Technology (MiT), in his reaction expressed concern on the premature announcement by Ajuri.
He observed the software could still be a work in progress as reflected in reactions under the tweets.
“I want to believe that the NIMC has not perfected the whole system as seen by so many errors we noticed on the mobile application,” he told The ICIR.
Akindolani, however, advised for retooling of the application to address the glitches. He emphasised, “a whole lot still needed to be done behind the scene before its official release.”
Solomon Okedara, a Lagos-based lawyer and Co-founder of Digital Rights Lawyers Initiative (DRLI) accused the Federal Government of gambling with the public data. He also identified the misrepresentation of data as earlier captured by The ICIR.
Okedara, for instance, cited those whose NIN did not correlate with their personal information and pictures. He expressed concern that the digital rights of Nigerians might have been compromised.
“Digital identity is an issue that can only thrive on a strict legal framework…there are issues of misplacement of data and when that happens, that shows that people’s data have been compromised,” the lawyer said.
“Do you know your digital identity could almost mean everything about you?” he queried.
“So once your digital identity is compromised, your fiance, security and almost everything you represent can be compromised. So, that is actually a great unpardonable gamble by the federal government.”
He recalled how his organisation recently instituted two legal actions against the NIMC on privacy matters.
The lawyer, however, advised the commission to comply with the extant provision of the Nigeria Data Protection Regulation (2019), meant to protect peoples data. The responsibility, he said lies on the FG to ensure the process aligns with the NDPR.
Check by The ICIR shows NDPR was issued in 2019. The regulation clearly sets a guideline on processing peoples data which lies on the NIMC to ensure there is strict compliance with the legal framework.
“Anyone who is entrusted with personal data of a Data Subject or who is in possession of the Personal Data of a Data Subject owes a duty of care to the said Data Subject,” Part 2 Section 2 (2) of the NDPR reads. “Anyone who is entrusted with personal data of a Data Subject or who is in possession of the Personal Data of a Data Subject shall be accountable for his acts and omissions in respect of data processing, and in accordance with the principles contained in this Regulation.”
Part of the regulations also proposes that if the government agency would hire a third party, such party should comply with the regulation and its provision.
“Data processing by a third party shall be governed by a written contract between the third party and the Data Controller. Accordingly, any person engaging a third party to process the data obtained from Data Subjects shall ensure adherence to this Regulation,” the guideline states further.
Okedara concludes that even if there was going to be a mistake, such should not be on the peoples’ personal data.