Does the NEIR's 'crime prevention' promise hold up to scrutiny?
While the use of IMEI blacklists is a global practice, mandatory registration of all phones and linking them to an NID is rare. These systems can create massive honeypots of sensitive data that, if breached, can leave people vulnerable to identity theft.
The launch of the National Equipment Identity Register (NEIR) on the first day of the year did not go as planned.
First, mobile phone traders took to the streets in front of the Bangladesh Telecommunication Regulatory Commission (BTRC) headquarters on Thursday, and the protest led to vandalism. The army had to be deployed to restore order, and a Dhaka court sent 45 people to jail over the incident on Friday.
The protest was sparked by the government reducing total duties on handsets from 61.8% to 43.4%, which traders found insufficient. Indeed, even after the reduction, Bangladesh's import tax on mobile phones remains among the highest in the region.
Beyond the concern over higher phone prices, however, there are deeper fears of surveillance and data security. And does the government's claim that a national registry can prevent phone theft and digital crimes hold up to scrutiny?
Global practice
While the use of International Mobile Equipment Identity (IMEI) blacklists – lists of stolen phones – is a global practice, the mandatory pre-registration of phones and linking them to a National ID is rare.
Most Western democracies, including the US, the UK, and countries in the EU, instead favour a system where IMEI blocking is a voluntary service to protect victims of theft, rather than a state-mandated whitelist where a phone is considered illegal until proven otherwise.
By adopting the NEIR, Bangladesh joins a small group of nations – including Pakistan, Turkey, Azerbaijan, and Indonesia – that treat mobile hardware as a monitored state asset.
However, as seen in Mexico, these systems can create massive honeypots of sensitive data that, when breached, leave the entire population vulnerable to identity theft.
In 2012, the country's Registro Nacional de Usuarios de Telefonía Móvil (RENAUT) was shut down after its database, which contained sensitive personal information of millions of Mexicans, was leaked and sold on the black market.
Years later, in 2022, Mexico's government attempted to launch a new initiative, the Padrón Nacional de Usuarios de Telefonía Móvil (PANAUT), which sought to register not only personal IDs but also biometric data like fingerprints and iris scans.
However, the Mexican Supreme Court declared PANAUT unconstitutional, ruling that the mandatory collection of biometric data was an undue violation of privacy rights and could not be justified as an effective crime prevention measure.
The surveillance vs security debate
In 2016, the Awami League government made fingerprint collection mandatory for all mobile SIM users, claiming it was necessary to fight crime and support a "Digital Bangladesh".
This forced millions to submit biometric data, risking long-term privacy violations and surveillance. Biometric and device surveillance have become so normalised and embedded in daily life that they are no longer seen as threats.
Bangladesh's NEIR mandates device-level registration, binding the IMEI number to a user's National ID (NID) and their SIM card. This triple-binding creates a comprehensive digital map of the population that is surveillance-ready by design.
Globally, there is little evidence that mandatory registration ensures public safety. Criminal networks today have migrated to encrypted messaging apps, VoIP services, or foreign SIM cards.
Furthermore, given the history of the National Telecommunications Monitoring Centre (NTMC) and its documented eavesdropping on citizens, the integration of NEIR into this existing surveillance infrastructure risks further eroding privacy.
Data breaches remain a concern
BM Mainul Hossain, professor and director of the Institute of Information Technology (IIT) at the University of Dhaka, argues that the rollout of the NEIR faces a fundamental crisis of public confidence.
"Citizens have lost trust in government-managed databases after experiencing multiple personal information breaches in recent years," Mainul observes. "People are understandably spooked; when privacy is repeatedly compromised, it becomes difficult to sell a new registration mandate as a security benefit."
Just a month ago, a fraudulent website designed to mimic Bangladesh's official e-apostille platform exposed sensitive personal data belonging to more than 1,100 citizens. And back in 2023, more than 50 million Bangladeshis' personal information was exposed on a government website.
The government has defended the NEIR project, citing a 2024 Bangladesh Bank report, which found that 73% of digital fraud involves unregistered or illegal devices.
However, tech experts like Mainul Hossain refute the argument of crime prevention. "The criminals readjust their tactics far more quickly than state regulations can keep up," he explains. "Handset registration does not solve the fundamental vulnerability of IMEI cloning, which remains technically possible."
The greater concern is that by centralising such a massive amount of personal data, the state risks building the architecture of "a police state". There is a legitimate worry that this system will eventually be used to "track and suppress dissent rather than catch actual criminals," Mainul adds.
"The intention is good but it backfires if the execution is weak or used purposefully," he further notes.
Miraj Ahmed Chowdhury, founder of Digitally Right, a digital rights advocacy platform, sees data privacy as a real concern, adding, "The government must ensure customer data protection."
Mainul notes in this regard that "when IMEI is linked with NID, it becomes personal data and can be used for tracking, profiling, etc – hence the database should go under the purview of the Personal Data Protection Act."
What about stolen or second-hand phones?
The promise that the NEIR will curb mobile phone theft overlooks the cold economic reality of law enforcement. In most cases, the cost of a comprehensive police investigation to retrieve a stolen phone far exceeds the actual retail value of the handset itself.
And this inability to recover stolen handsets is a global crisis. For instance, a 2023 BBC report highlighted that in London, where a smartphone is reported stolen every six minutes, the recovery rate remains stalled at a mere 2%.
Furthermore, even if the IMEI of a stolen phone is blocked from every network in Bangladesh, it does not stop a thief from profiting.
A dead phone remains a goldmine for the "organ-donation" market, where devices are dismantled and sold part-by-part. High-end components – such as original iPhone or Samsung screens, cameras, and body frames – retain massive resale value. A genuine screen for a recent flagship can be sold for thousands of taka, and even batteries and plastic casings find a ready market.
One of the most immediate practical concerns is the informal resale market. In a tech-driven culture where enthusiasts often upgrade to a new handset every year, the process of selling or gifting a device has become an official hurdle.
Under the new regulations, a mobile phone is no longer a simple piece of personal property that can be handed over to a friend or buyer; it is a registered entity linked to a specific NID. Transferring ownership now requires a formal de-registration and re-registration process through the NEIR portal to pair the device with the new owner's SIM and identity.
Glitches on first day of portal launch
According to posts by some social media users, the NEIR portal seems to allow anyone to search random NIDs and harvest sensitive personal data.
Registration on the website seems to be another issue. At 6pm on Friday, we tried to register on the platform but were unsuccessful.
Some have begun reporting that dozens of handsets are registered to their names without their knowledge, with a few even finding upwards of 50 devices linked to their NIDs.
While citizens are rightfully alarmed by the discovery of dozens of "ghost devices" registered to their names, the government has explained this as a technical byproduct of data migration rather than a fresh breach.
Faiz Ahmad Taiyeb, special assistant to the chief adviser on Posts, Telecommunications and Information Technology, clarified that mobile operators have uploaded over 3 billion historic datasets into the NEIR. Because this legacy data was migrated using current timestamps, the system erroneously lists every device a citizen has ever used as being "active" today.
