On January 9, 2026, Mexico’s Telecommunications Regulatory Commission (CRT) issued binding guidelines with a deadline most of the country’s 130 million mobile subscribers have barely registered: by June 30, 2026, every phone line in Mexico — prepaid, postpaid, physical SIM, eSIM — must be linked to a biometric national identity record. Any number not registered by midnight on June 30 will be suspended on July 1.

That’s not a warning. That’s a hard cutoff.

The mechanism is an upgraded version of Mexico’s existing Clave Única de Registro de Población, or CURP — the alphanumeric national population registry code that Mexicans have carried for decades. The new biometric CURP is a different thing entirely. It captures facial recognition data, fingerprints, and iris scans, and packages them alongside a QR code and a digital signature into a comprehensive biometric identity record. Link that record to every mobile number in the country, and you’ve built something qualitatively different from a phone registry: you’ve built a biometric surveillance backbone that maps every call, every text, every data connection to a specific face, a specific set of fingerprints, a specific set of irises — searchable, in real time, by the government.

The legislation grants broad data access to law enforcement, intelligence agencies, and the National Guard. It does not require the government to notify individuals when their records are accessed.

The Third Time Is Not the Charm — Or Shouldn’t Be

The reason this story deserves more attention than it’s getting is the history behind it.

This is not Mexico’s first attempt to build a mandatory phone-identity registry. It is the third. The first two failed — one through data disaster, one through the courts. The pattern is worth understanding.

RENAUT, 2008. The Registro Nacional de Usuarios de Telefonía Móvil launched under pressure from security agencies who argued that anonymous prepaid phones were enabling kidnapping networks. Every mobile user was required to register their number with a government-issued ID. By 2012, the program was quietly shut down. The official reason was low compliance. The real reason, widely reported at the time, was that personal data from tens of millions of registered users had been exposed — available for purchase on the street in some Mexican cities for a few hundred pesos.

PANAUT, 2021. The Padrón Nacional de Usuarios de Telefonía Móvil required biometric data collection. Civil society groups challenged it immediately. Mexico’s Supreme Court ruled the program unconstitutional in 2022, citing the right to privacy enshrined in the Mexican constitution. The decision was explicit: you cannot compel citizens to hand over biometric data to participate in the telecommunications market.

The current program, 2026. The CRT issued its binding guidelines. A court in Yucatán suspended the program in September 2025 on privacy grounds — another legal challenge, another judge agreeing that the constitutional concerns are real. The federal government proceeded with implementation anyway, framing the suspension as a local matter and continuing the national rollout.

The lesson the Mexican government appears to have drawn from two prior failures is not that the program is structurally flawed. It’s that previous programs weren’t implemented fast enough to survive legal challenge. The June 30 deadline isn’t just an administrative timeline. It’s a race to create facts on the ground before the courts can stop them again.

Who Pays the Price When Anonymous Phones Disappear

There’s a version of this story that sounds reasonable in the abstract. Linking phone numbers to verified identities reduces crime. Kidnappers can’t use burner phones. Scammers can’t operate anonymously. Cartels lose a communication channel.

The actual population that relies on anonymous prepaid SIMs is somewhat different from that framing.

Domestic abuse survivors use prepaid phones to communicate with lawyers, shelters, and support networks without their abusers being able to trace or monitor those calls through shared accounts. Journalists in Mexico — which has been one of the world’s most dangerous countries for reporters for over a decade — use anonymous numbers to communicate with sources, particularly sources inside government, law enforcement, and organized crime that face severe retaliation risks. Political activists and opposition organizers have used prepaid phones specifically because they know the government can and does surveil telecommunications infrastructure. And ordinary people in communities with long, documented histories of government corruption and data misuse have simply chosen not to hand their identities to a database that has already been breached once.

All of those use cases disappear on July 1.

The civil society and human rights organizations that have raised alarms about CURP biometric registration are not making a naive argument that anonymity is always good. They are making the specific argument that in Mexico, in 2026, a centralized biometric database linked to every phone number, accessible by the National Guard without notification requirements, operated by a government with the Pegasus spyware track record, is not a neutral administrative tool. It is infrastructure for control.

The Pegasus comparison is not rhetorical. Reporting by Citizen Lab and others established that the Mexican government used the NSO Group’s Pegasus spyware to target journalists, human rights lawyers, and opposition politicians. Biometric phone registration doesn’t give the government new surveillance capability so much as it formalizes and scales the capability it has already demonstrated a willingness to misuse.

The Single Point of Failure Problem

Even setting aside intentional misuse, there is the straightforward security problem. A centralized database containing the facial recognition data, fingerprints, and iris scans of 130 million people is an extraordinarily high-value target. Unlike passwords or account numbers, biometric identifiers cannot be reset. If your fingerprints are in a database that gets breached, you do not get new fingerprints.

Mexico’s track record with large government databases is not reassuring. The RENAUT breach was not an anomaly. Mexican government databases have been repeatedly compromised, with records appearing on dark-web markets at prices reflecting their value for identity fraud, extortion, and targeted surveillance.

Centralizing the biometric identities of an entire country’s mobile subscriber base in this environment isn’t a security measure. It’s a liability.

What This Means If You’re in Mexico — Or Communicating With Someone Who Is

If you are a mobile subscriber in Mexico and have not yet registered your line with the biometric CURP, you have until June 30. Carriers are required to facilitate registration. The practical reality for most Mexicans is that compliance, while deeply concerning from a civil liberties standpoint, is likely preferable to losing phone service.

For journalists, activists, lawyers, and others with specific operational security needs: the elimination of domestic anonymous SIM options means rethinking your communications architecture now, not in July. Signal on a registered SIM still encrypts content — the government cannot read your messages, though it can see that you communicated and with whom. VOIP numbers and international SIM options are worth examining, though Mexican carriers are moving to close those gaps as well.

For Americans traveling to Mexico or communicating with sources or contacts there: understand that as of July 1, 2026, any Mexican phone number you contact is linked to a biometric identity record accessible by the Mexican government without notification. Adjust your source protection practices accordingly.

For organizations operating in Mexico — multinationals, NGOs, news organizations — review your communications policies for employees and contractors based in the country. The threat model just changed.

A Pattern Worth Watching

Mexico’s move doesn’t happen in isolation. Across Latin America and beyond, governments are linking telecommunications access to verified identity — Brazil, Colombia, and several others have implemented or are considering similar frameworks. The specific Mexican story matters because of the constitutional history, the data breach history, and the Pegasus history. But the broader pattern — mandatory biometric identity as the price of a phone — is becoming a global norm, implemented one country at a time, with insufficient scrutiny at each step.

The Mexican Supreme Court ruled in 2022 that you cannot compel biometric registration to participate in modern communications. The current government has decided to try again anyway. How that legal conflict resolves — whether the courts hold, whether the deadline creates facts on the ground that are practically irreversible — will matter well beyond Mexico’s borders.

Resources for Understanding Digital ID and Surveillance Risk

  • Privacy assessment tools and guides for navigating biometric identity systems and surveillance risk: MyPrivacy.blog
  • Regulatory and compliance frameworks for GDPR, CCPA, Latin American privacy law, and telecom data obligations: ComplianceHub.wiki
  • Corporate and government breach tracking: Breached.company

Organizations and CISOs managing operations in Mexico or cross-border communications subject to the new biometric registration regime can find vCISO consulting, privacy program assessment, and operational security guidance at CISO Marketplace.