State of Privacy Pakistan

Last modified: Tuesday, March 14, 2017 - 14:21

Introduction

Acknowledgment

The State of Privacy in Pakistan is the result of an ongoing collaboration by Privacy International and Bytes for All.

Right to Privacy

The constitution

The Constitution of the Islamic Republic of Pakistan accords the right to privacy as a fundamental right. Article 14(1) of the Constitution confirms that "[t]he dignity of man and, subject to law, the privacy of home, shall be inviolable." 

As a fundamental constitutional right, the right to privacy is meant to take precedence over any other inconsistent provisions of domestic law. Article 8 of the Constitution provides that "[a]ny law, or any custom or usage having the force of law, in so far as it is inconsistent with the rights conferred [under the Constitution], shall, to the extent of such inconsistency, be void." Article 8(5), furthermore, states that "The rights conferred by this Chapter shall not be suspended except as expressly provided by the Constitution."

Yet Pakistan’s constitution also includes a wide-ranging exception to the primacy of fundamental rights. The provisions of Article 8 do not apply to any law relating to the ‘proper discharge’ of the duties of the Armed Forces or the police. The breadth of this exception is troubling, especially given the central role that the Armed Forces in particular have historically played in Pakistan’s domestic political landscape.

Regional and international conventions

Pakistan is a signatory to the following international and regional instruments with privacy implications:

  • The International Covenant on Civil and Political Rights (signed April 2008, ratified June 2010). Article 17 of the ICCPR states that "no one shall be subject to arbitrary or unlawful interference with his privacy, family or correspondence." The ICCPR also commits Pakistan to ensuring the protection of other rights that rely on the protection of privacy such as freedom of expression and freedom of association.
  • The Cairo Declaration on Human Rights in Islam (signed August 1990). Article 18 of the CDHRI affirms that: "(a) Everyone shall have the right to live in security for himself, his religion, his dependents, his honor and his property. (b) Everyone shall have the right to privacy in the conduct of his private affairs, in his home, among his family, with regard to his property and his relationships. It is not permitted to spy on him, to place him under surveillance or to besmirch his good name. The State shall protect him from arbitrary interference. (c) A private residence is inviolable in all cases. It will not be entered without permission from its inhabitants or in any unlawful manner, nor shall it be demolished or confiscated and its dwellers evicted."
  • The Convention on the Rights of the Child (ratified November 1990). Article 16 of the CRC states that "1) No child shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home or correspondence, nor to unlawful attacks on his or her honour and reputation. 2) The child has the right to the protection of the law against such interference or attacks."

Communication Surveillance

Introduction

Surveillance laws

Surveillance actors

Surveillance capabilities

Surveillance oversight, checks and balances

Surveillance case law

Examples of surveillance

Data Protection

Data protection laws

Pakistan does not at present have direct data protection legislation. As noted above, the Constitution limits the individual's protection of privacy in cases related to the “proper discharge” of the duties of the Armed Forces or the police. 

In the absence of direct data protection legislation, data privacy and protection are theoretically regulated through provisions in the following pieces of legislation.

The Electronic Transactions Ordinance (2002)

The Electronic Transactions Ordinance (2002) does not regulate data protection directly, but it criminalises unlawful or unauthorised access to information. Section 36 of the ETO states:

"Any person who gains or attempts to gain access to any information system with or without intent to acquire the information contained therein or to gain knowledge of such information [...] shall be guilty of an offence under this Ordinance punishable with either description of a term not exceeding seven years, or fine which may extend to one million rupees, or with both."

The same law envisages the establishment of a government-appointed body to certify electronic documents, and in Section 43(2)(e) grants powers to that body to make regulations for the privacy and protection of its users. However, it appears that the government is yet to establish this certification body, let alone draft regulation to protect the privacy of its users.

The Freedom of Information Ordinance (2002)

Section 17 of the Freedom of Information Ordinance, "Privacy and personal information", exempts certain forms of information: "information is exempt if its disclosure under this ordinance would involve the invasion of the privacy of an identifiable, individual (including individual) other than the requester."

Prevention of Electronic Crimes Act (2016)

The recently passed Prevention of Electronic Crimes Act (2016) also contains a number of sections related to data privacy. However, these are intended to grant law enforcement and other government entities access to the private data of citizens, or to restrict citizens from gaining access to government data. Section 3 makes it a crime for anyone to gain unauthorized access to any information system or data, punishable with a prison sentence up to 3 months or a fine of up to fifty thousand rupees.

Section 28 allows a law enforcement officer to require a person to hand over data if it is believed that it is “reasonably required” for a criminal investigation. This can be done at the discretion of the officer and need only be brought to the notice of a court within 24 hours after the acquisition of the data. Section 29 requires telephone and Internet service providers to retain traffic data for at least one year, and law enforcement bodies can demand access to that data subject to a warrant issued by a court. Section 30 allows courts to issue a warrant to a law enforcement officer to search and seize any data that “may reasonably be required” for a criminal investigation. In cases involving the vaguely defined “cyberterrorism”, the officer can search and seize the data without a warrant and notify the court within 24 hours.

Section 32 requires that law enforcement officers carrying out a search and seizure “take all precautions” to maintain the secrecy of the seized data and not interfere with any data not related to the crime being investigated. Under Section 38, a law enforcement officer who knowingly shares seized data with any other person can be punished with a prison term of up to three years and a fine of up to one million rupees.

Section 39 allows the government to share any data obtained from its investigation with any foreign government or international agency.

Electronic Data Protection Act 2005 (draft)

In 2005, the Ministry of Information Technology circulated a draft law on data protection; however, for unclear reasons it was never tabled in parliament by the government. It appears that this draft legislation was initially written primarily with the intention of meeting the needs of Pakistan's software industry to conduct international business, rather than to address actual privacy issues. This is made clear in Section 4 of the draft law:

"4. Government activity and exemptions — (1) This Act does not apply to the processing of personal or corporate data carried out by federal, provincial or local government.

(2) The federal government, in respect of local data only, by notification in the official gazette, may exempt any public or private sector, entity or business from the operation of this Act."

The rest of the draft law is filled with similar exemptions and vague terminology.

Law enforcement access to stored data

Since 2004 network providers have been required to comply with requests for interception and access to network data as a standard condition of the PTA’s award of operating licenses to phone companies.

Accountability mechanisms

Habeas Data/Subject access requests

Pakistan does not have any legislation explicitly allowing a person to request data about themselves; however, it may be possible to request this information under Freedom of Information legislation.

Freedom of Information

The Constitution has an explicit provision for the public's right to information in Article 19A, which states:

"Every citizen shall have the right to have access to information in all matters of public importance subject to regulation and reasonable restrictions imposed by law."

The federal government and all four provincial governments have passed Freedom of Information laws. The provincial laws for Khyber-Pakhtunkhwa (K-P) and Punjab have received praise from experts, while the FoI laws for the federal government and Sindh and Balochistan have been found to have serious flaws.

In 2013, the federal government drafted a new Right to Information Act which was finalised in 2014 with amendments by the Senate Standing Committee on Information and Broadcasting. The draft has received widespread praise as it incorporates many progressive elements from the K-P and Punjab laws. However, the government has so far not moved forward with the process of getting it passed by the parliament for unclear reasons.

Article 8 of the current federal Freedom of Information Ordinance 2002 excludes a wide range of information from public access under the law. This includes any records ancillary to defence and national security, and further gives the federal government the discretion to exclude any other document from the purview of the law “in public interest”.

Consumer protection rules

Pakistan has consumer protection legislation for all four of its provinces and the Islamabad Capital Territory. The laws establish consumer courts to allow for redress by consumers primarily against defective products and misinformation by sellers.

The laws do not have any provisions explicitly to protect the privacy of consumer data held by suppliers of goods and services. However, there are some provisions which could potentially be exploited for this purpose. For example, Article 13 of the Sindh Consumer Protection Act 2015 states that a “provider of services shall be liable to a consumer for damages proximately caused by the provision of service that have caused damage.” However, this would seemingly require the damage from any data breach to have already occurred in order for the provider to be held accountable.

Data breaches: case law

Privacy International and Bytes for All are not aware of any legal cases directly related to data protection that have been brought in Pakistani courts. However, there do exist a few informative cases related to the right to privacy which may be precedent-setting.

In Ghulam Hussain vs Additional Sessions Judge, Dera Allah Yar (PLD 2010 Quetta 21) the petitioner complained that the police raided his home on the basis of 'secret information' that it was being used as a gambling den, without a prior enquiry being carried out by a magistrate. The court ruled in favour of the petitioner, holding that the privacy of the home, which is protected by Article 14 of the Constitution, can be violated only in certain exceptional circumstances, and the petitioner was acquitted of the charges.

In Taufiq Bajwa vs CDGK (2010 YLR 2165), the petitioner filed a case stating that his right to life under Article 9 of the Constitution had been violated by the boundary wall of a neighbouring park which was of such a height that it allowed a person to look inside his home. The court supported the petition and held that the park and wall must be reconstructed such that the petitioner's privacy is not violated. The case affirms that the courts interpret Article 9 (“right to life”) widely enough to be used to protect the right to privacy.

Examples of data breaches

In 2010, the Shah Faisal, Karachi, branch of NADRA reported a data breach that resulted in the theft of "computers and other equipment", including hard drives, according to Alertboot Endpoint Security. The data breach was low-tech, and involved a physical break-in.

In 2012, a Turkish hacker claimed to have accessed NADRA's servers as well as those of the Federal Investigation Agency (FIA) by spawning backdoors. 

In 2014, NADRA received a report from the head of the ISI concerning the possibility of data leaks through the Pakistan government's reliance on third-party companies' database and verification software and hardware.

In 2015, The Intercept reported that Britain's GCHQ had hacked the Pakistan Internet Exchange in 2008 by exploiting vulnerabilities in Cisco servers. In doing so, it was able to access the data of millions of Pakistanis, and could reroute internet traffic towards its own servers.

Since at least 2014, databases have been illegally sold online containing hundreds of thousands of records with names, national ID card numbers, home addresses and phone numbers of mobile phone users. It is believed that this data is used primarily by mobile marketeers to market their products. It is not clear how exactly this data is leaked, but it is speculated that it could be due to a combination of mobile service providers storing consumer data insecurely, as well as the possibility that employees within the companies themselves are leaking the data to those willing to purchase it. It is not clear whether the government has taken any action to combat these crimes.

Identification Schemes

ID cards and databases

The registration of personal data is widespread in Pakistan, and public opinion is for the most part in favour of it. This is in part due to ongoing terrorist attacks and political instability, and high-profile news stories that have linked the successful tracking down of criminals and terrorists to their information being stored with the National Database & Registration Authority (NADRA).

Pakistan has one of the world’s most extensive citizen registration regimes – over 96% of citizens reportedly have biometric ID cards.

In 2012 NADRA announced a so-called chip-based Smart NIC (SNIC), which contains its owner’s biometric photo, a computer chip, address and parental information. NADRA has said that it aims to replace all current CNICs with SNICs by 2020. A SNIC is necessary in order to open a bank account, get a new driver's licence, passport, broadband internet connection or a SIM card.

Biometric data collected by NADRA includes iris scans, fingerprints (both hands), a photograph taken at a NADRA centre, and a scan of the citizen's personal signature. Given the scale of the task, NADRA has found itself at the heart of a number of controversies regarding a lack of proper checks and balances. There have been a number of reports of corruption at NADRA centres, where the biometric verification/application process can be bypassed. Serious misidentification errors can occur and forgery is rife.

In July 2016 NADRA introduced an SMS verification service, to investigate the validity of a citizen's own CNIC, as well as of those in their "family tree", i.e. anyone in their family linked to their CNIC. Although the government has declared this to be a positive step, it has come under fire as knowledge of one CNIC is enough to find out the personal information of other family members, which in turn can put them at risk. This is especially worrying in a country where persecution of religious, ethnic and LGBT minorities is rife.

Voter registration

In August 2015, the Government of Pakistan's Election Commission coordinated with NADRA to hold what they reported to be the first election using biometric verification of voters.

The election in a constituency in Haripur district was intended to be a pilot for future elections in other districts and nationwide. NADRA has indicated that this would be a positive means of tackling electoral fraud. There are concerns, however, that requiring biometric verification to vote may disqualify non-verified but legitimate voters from using the ballot. There is also the concern that, as with pre-biometric registration, it would not tackle voter intimidation effectively, and may in some instances make it easier to intimidate voters. This is especially a concern in districts in Pakistan where votes can still be bought by village elders or feudal landlords.

SIM card registration

Registration of personal data is widespread and enjoys a high level of popular support. Terrorist attacks have given support to the government's ongoing drive to ensure that all SIM cards are registered via biometric verification. For example, it was reported that the perpetrators of the December 2014 attack on an army-run school in Peshawar, in which 132 children were killed, had used mobile phones with SIM cards that were registered to a woman who had no connection to any of the attackers, indicating that the SIMs had been registered fraudulently.

SIM cards must now be registered to their user. Unlike in most countries with mandatory registration, SIM cards are also biometrically verified against the National Database and Registration Authority’s (NADRA) national database, often by fingerprint. The government plans to have all SIM cards biometrically verified. As of March 2015, 68.7 million SIMs had been biometrically verified out of 103 million SIMs in use at that time. Unfortunately, NADRA has not provided up-to-date numbers since. However, there have been reports of corruption as well as honest incompetence on the part of the verification system resulting in some SIMs escaping being deactivated. This number has been shrinking, however, given the aggressiveness of the re-verification drive.

Policies and Sectorial Initiatives

Cybersecurity policy

Cybercrime

Encryption

Encryption in the form of Virtual Private Networks (VPNs) and encrypted messaging apps is illegal in Pakistan, ostensibly for security reasons as, according to the Pakistan Telecommunications Authority in a legal notice sent in 2011, these "conceal communication to the extent that prohibits monitoring".

If a company or individual wishes to use encryption without being penalised, a formal request must be sent to the PTA and accepted. In 2015 Blackberry and its encrypted messaging service, Blackberry Messenger (BBM), were banned and asked to leave Pakistan, as Blackberry would not hand over access to its user base and servers. Blackberry was permitted to stay, although the details of the agreement have not been made public. The popularity of messaging apps that are encrypted by default, such as WhatsApp or Apple's FaceTime (which is only for Apple products and services), and of VPN services used to access blocked websites, such as the formerly blocked YouTube, has made this ban on encryption difficult, if not impossible, to enforce. According to reports, however, certain messaging and VOIP services may eventually require a license to operate in Pakistan. It is extremely difficult to see how this would be implemented. There is concern that Pakistan may emulate the United Arab Emirates and Saudi Arabia, both of which have blocked WhatsApp voice calls and FaceTime calls.

Licensing of industry

E-governance/digital agenda

Over the past two decades, the federal government has laid out several plans and initiatives to promote the use of digital technologies in government services, including:

However, the implementation of these plans and initiatives has been haphazard and unsustained due to political and other reasons. The official e-government portal, pakistan.gov.pk, has been neglected in the past. The current form of the portal lists links to other government websites and pages to assist users in finding information related to government services. Even now, a large portion of those links are broken.

The quality of the websites of individual ministries and departments varies greatly depending on the enthusiasm and resources of the leadership of those departments at any given time. Most of the federal government websites do not use HTTPS/SSL; however, sites offering services that require users to log in to an account, such as the Federal Board of Revenue's Taxpayer Facilitation Unit or the National ID card online application website, are increasingly using SSL.

The e-government services offered by the provincial governments vary in the same way. For example, the web portals of the governments of Punjab and Khyber-Pakhtunkhwa are better maintained with up-to-date information, and the former also uses HTTPS/SSL.

All e-government services such as filing taxes or filing a complaint with an ombudsperson require users to provide their national identity card numbers.

Health sector and e-health

Privacy International is not aware of any specific privacy issues related to the health sector and e-health in Pakistan. Please send any tips or information to: research@privacyinternational.org

Smart policing

Privacy International is not aware of any smart policing issues in Pakistan. Please send any tips or information to: research@privacyinternational.org

Transport

The National Database and Registration Authority (NADRA), the government body responsible for issuing national identity cards, also offers an e-Vehicle Management System to other government departments and the private sector to make it easier for them to identify and track the movement of vehicles using RFID chips. The services offered by NADRA through this system are:

  1. The ability for government authorities to identify and track the movement of vehicles as they pass through road checkpoints;
  2. The ability to identify a vehicle for the purpose of controlling access to a secured premises through designated gates; and
  3. A way for road and highway authorities to quickly collect tolls from drivers through an electronic credit mechanism.

It is not clear if these services use NADRA's national registration database for identification and what security provisions are in place to control access to the data.

Motorway e-tags and m-tags

One of the places where this service has been deployed is on a number of motorways connecting Islamabad, Lahore and Peshawar (M-1, M-2, M-3, M-4), for the purpose of collecting tolls at toll gates. Drivers on these roads have the option of installing an RFID chip in their windshield, which automatically deducts the toll fee from a pre-paid account each time they pass through a toll gate. Registering for this system requires drivers to provide their national identity card number.

Originally, tolls on the M-1, M-2 and M-4 were collected by the National Highways Authority (NHA) under the Ministry of Transportation using NADRA's e-tag system. However, as of 2016, the tolls on all four motorways are collected by the Frontier Works Organization, an administrative branch of the Pakistan Army, using their own "m-tag" system, which also uses RFID chips.

It was also reported in February 2016 that the NHA is considering other toll payment options such as the use of mobile phones or credit cards.

Metrobus

The metrobus mass transit systems implemented by the Punjab Government in Lahore and the twin cities of Islamabad and Rawalpindi also use RFID chips to track the distance traveled by riders. Travelers have the option of purchasing either a single-use plastic RFID token for single rides or a pre-paid RFID-based card for multiple trips. Travelers do not need to provide their national identity card number for either, and the only data needed is the traveler's first and last name in the case of the multiple-use card.

Smart cities

Privacy International is not aware of any smart city issues in Pakistan. Please send any tips or information to: research@privacyinternational.org

Migration

Privacy International is not aware of any privacy issues related to migration in Pakistan. Please send any tips or information to: research@privacyinternational.org

Emergency response

Privacy International is not aware of any privacy issues related to emergency response in Pakistan. Please send any tips or information to: research@privacyinternational.org

Humanitarian and development programmes

Privacy International is not aware of any privacy issues related to humanitarian and development programmes in Pakistan. Please send any tips or information to: research@privacyinternational.org

Social media

The government of Pakistan has sought to block Facebook pages and Twitter accounts, and obtain information on those accounts' owners. In March 2016, a Pakistani man was given a 13-year prison sentence for allegedly posting "religiously offensive material" on Facebook. Blasphemy is against the law in Pakistan and carries either the death penalty, life or an extended prison sentence.

Between July and December 2015, according to Facebook's Global Government Requests Report, the Pakistan government made a total of 471 requests for account information, with 66.45% of those requests resulting in "some data" being produced. The report for the period in question also introduced the number of items blocked on Facebook: based on "legal requests from the Pakistan Telecom Authority, we restricted access to items that were alleged to violate local laws prohibiting blasphemy."