State of Privacy Pakistan

Pakistan

Table of contents

Introduction

Acknowledgment

The State of Privacy in Pakistan is the result of an ongoing collaboration by Privacy International and the Digital Rights Foundation.

Between 2014-2016, Bytes for All contributed to previous versions of the 'Data Protection' sections of this briefing.

Key Privacy Facts

1. Constitutional privacy protections: Article 14(1) of the Constitution of the Islamic Republic of Pakistan states that "[t]he dignity of man and, subject to law, the privacy of home, shall be inviolable."

2. Data protection laws: In July 2018, the Ministry of Information Technology and Telecommunication (MoITT) presented a draft data protection bill for consultation. The legislative process is still on-going.

3. Recent scandals: Interception across Pakistani networks remains pervasive; some of it is also unlawful, according to investigative and media reports.

4. ID regime: Pakistan has one of the world’s most extensive citizen registration regimes. This is run by the National Database & Registration Authority (NADRA). NADRA was used for the elections which took place in 2018.

Right to Privacy

The constitution

The Constitution of the Islamic Republic of Pakistan enshrines the right to privacy as a fundamental right. Article 14(1) of the Constitution confirms that "[t]he dignity of man and, subject to law, the privacy of home, shall be inviolable."

As a fundamental constitutional right, the right to privacy is meant to take precedence over any other inconsistent provisions of domestic law. Article 8 of the Constitution provides that "[a]ny law, or any custom or usage having the force of law, in so far as it is inconsistent with the rights conferred [under the Constitution], shall, to the extent of such inconsistency, be void." Article 8 (5), furthermore, states that "[t]he rights conferred by this Chapter shall not be suspended except as expressly provided by the Constitution."

Yet Pakistan's constitution also includes a wide-ranging exception to the primacy of fundamental rights. The provisions of Article 8 do not apply to any law relating to the 'proper discharge' of the duties of the Armed Forces or the police. The breadth of this exception is troubling, especially given the central role that the Armed Forces in particular have played in Pakistan's domestic political landscape historically.

Regional and international conventions

Pakistan is a signatory to several international and regional instruments with privacy implications, including:

  • The International Covenant on Civil and Political Rights (signed April 2008, ratified June 2010). Article 17 of the ICCPR states that "no one shall be subject to arbitrary or unlawful interference with his privacy, family or correspondence." The ICCPR also commits Pakistan to ensuring the protection of other rights that rely on the protection of privacy, such as freedom of expression and freedom of association.
  • The Cairo Declaration on Human Rights In Islam (signed August 1990). Article 18 of the CDHRI affirms that: "a) Everyone shall have the right to live in security for himself, his religion, his dependents, his honor and his property. (b) Everyone shall have the right to privacy in the conduct of his private affairs, in his home, among his family, with regard to his property and his relationships. It is not permitted to spy on him, to place him under surveillance or to besmirch his good name. The State shall protect him from arbitrary interference. (c) A private residence is inviolable in all cases. It will not be entered without permission from its inhabitants or in any unlawful manner, nor shall it be demolished or confiscated and its dwellers evicted."
  • The Convention on the Rights of the Child (ratified November 1990). Article 16 of the CRC states that "1) No child shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home or correspondence, nor to unlawful attacks on his or her honour and reputation. 2) The child has the right to the protection of the law against such interference or attacks."

Communication Surveillance

Introduction

Pakistan’s sizeable population generates a huge amount of communications traffic. Approximately 73.36% of Pakistanis have a mobile phone subscription, according to the Pakistan Telecommunications Authority. An estimated 22.2% of the population uses the internet. Fifty operational internet providers and six mobile operators serve this demand.

Social media platforms are widely used in Pakistan. The social network Facebook reportedly had approximately 32 million Pakistani users in 2018. Twitter is estimated to have 3.1 million users. Pakistan also has a rapidly growing blogging community. Blogspot.com is ranked among the top five visited sites by Pakistanis, while the top 20 sites include Facebook, YouTube, DailyMotion, Blogger.com, Wordpress.com, Pinterest and Twitter.

Surveillance laws

A number of laws regulate communications surveillance in Pakistan. 

The Investigation for Fair Trial Act (2013)

This act allows for access to data, emails, telephone calls, and any form of computer or mobile phone-based communication, subject to a judicial warrant. However, a warrant can be requested wherever an official has ‘reasons to believe’ that a citizen is, or is ‘likely to be associated’ with, or even ‘in the process of beginning to plan’ an offence under Pakistani law.

The Prevention of Electronic Crimes Act (2016)

Introduced in the wake of the deadly December 2014 terrorist attack on a Peshawar school, the Prevention of Electronic Crimes Act (PECA) was drafted as part of the government's National Action Plan to combat terrorism. The PECA was designed to tackle cyberstalking, online harassment, forgery, blasphemy and forms of cyberterrorism. As has been analysed at length by Pakistani and foreign rights organisations including Privacy International, Digital Rights Foundation, Human Rights Watch and Amnesty International, the PECA utilises such overly broad legal language that it potentially criminalises freedom of expression, and further weakens the right to privacy of Pakistani citizens. On 11 August 2016, despite severe criticism and condemnation by Pakistani and international rights organisations and bodies, the National Assembly of Pakistan approved the PECA, making it law. 

Section 34 gives the Pakistan Telecommunications Authority the power to block or remove access to information "if it considers it necessary in the interest of the glory of Islam or the integrity, security or defence of Pakistan or any part thereof, friendly relations with foreign states, public order, decency or morality.”

Section 36 allows for "Real-time collection and recording" of data: "[i]f a Court is satisfied on the basis of information furnished by an authorised officer that there are reasonable grounds to believe that the content of any information is reasonably required for the purposes of a specific criminal investigation, the Court may order, with respect to information held by or passing through a service provider, to a designated agency as notified under the Investigation for Fair Trial Act, 2013 (l of 2013) or any other law for the time being in force having capability to collect real time information, to collect or record such information in real-time coordination with the investigation agency for provision in the prescribed manner."

Section 38 states: "Notwithstanding immunity granted under any other law for the time being in force, any person including a service provider while providing services under the terms of lawful contract or otherwise in accordance with the law or an authorized officer who has secured access to any material or data containing personal information about another person, discloses such material information to any other person, except when required by law, without the consent of the person concerned or in breach of lawful contract with the intent to cause or knowing that he is likely to cause harm, wrongful loss or gain to any person or compromise confidentiality of such material or data shall be punished with imprisonment for a term which may extend to three years or with fine which may extend to one million rupees or with both.

Provided that the burden of proof of any defense taken by an accused service provider or an authorized officer that he was acting in good faith, shall be on such a service provider or the authorized officer as the case may be."

Section 39(1) permits the sharing of “electronic communication or data or for the collection of evidence in electronic form” with any foreign government “24 x 7 network, any foreign agency or any international organisation or agency for the purposes of investigations or proceedings”.

Section 39 (2) gives the government the permit to “forward to a foreign government….any information obtained from its own investigations if it considers that the disclosure of such information might assist the other government, agency or organisation etc.”

The Monitoring and Reconciliation of Telephony Traffic Regulations (2010)

In addition to the acts listed above, section 4 of the Monitoring and Reconciliation of Telephony Traffic Regulations (2010) requires each long distance and international service provider to establish a system that allows for real-time monitoring and recording of traffic on its networks.

Data retention

Pakistani providers are required to retain communications data as a condition of their operating license. Since 2004, network providers have been required to comply with requests for interception and access to network data as a standard condition of the PTA’s award of operating licenses to phone companies.

The 2002 Electronic Transaction Ordinance (ETO) in points 5 and 6 imposes data retention requirements:

“The requirement under any law that certain document, record, information, communication or transaction be retained shall be deemed satisfied by retaining it in electronic form if :

(a) the contents of the document, record, information, communication or transaction remain accessible so as to be usable for subsequent reference;

(b) the contents and form of the document, record, information, communication or transaction are as originally generated, sent or received, or can be demonstrated to represent accurately the contents and form in which it was originally generated, sent or received; and

(c) such document, record, information, communication or transaction, if any, as enables the identification of the origin and destination of document, record, information, communication or transaction and the date and time when it was generated, sent or received, is retained.

The Prevention of Electronic Crimes Act 2016 requires judicial oversight for access to retained data. Section 29 states:

"A service provider shall, within its existing or required technical capability, retain its specified traffic data for a minimum period of one year or such period as the Authority may notify from time to time and, subject to production of a warrant issued by the court, provide that data to the investigation agency or the authorized officer whenver so required."

Surveillance actors

Security and law enforcement agencies

Since its creation in 1947, Pakistan’s armed forces, security and intelligence agencies have had a central role to play in Pakistani politics; these include three periods of military rule, the most recent from 1999 to 2008. Pakistan’s geographic location has also meant that it was a key American geopolitical partner during the Cold War, which in turn has influenced and strengthened the intelligence agencies. This relationship continues into the present day, with the onset of the global anti-terrorism effort.

The Pakistani government is engaged in a protracted conflict against armed militant groups within and outside its borders; it is a key player in the global ‘war on terror’. Communications surveillance — of phone and internet protocol (IP) traffic, domestically and internationally — and other forms such as biometric or device registration, is justified by the government as necessary to counter these internal and external threats, even as it becomes less targeted and more widespread against ordinary civilians.

Intelligence functions are dispersed across a number of government agencies that collect and/or use intercepted communications. Each branch of the armed forces has its own intelligence service conducting signals intelligence. The main agencies include:

  1. The Inter-Services Intelligence (ISI); 
  2. The Intelligence Bureau (IB);
  3. Federal Investigation Agency (FIA);
  4. Crime Investigation Department (CID);
  5. National Counter Terrorism Authority (NACTA);
  6. National Crises Management Cell (NCMC); and
  7. Military Intelligence (MI).

The Ministry of Justice is responsible for the Federal Investigation Agency and others that use intercepted communications data for criminal investigation and prosecution. Under the Ministry of Science and Technology, the Joint Intelligence Technical and Joint Intelligence X units carry out a number of surveillance research and development functions. The Intelligence Bureau, under the Prime Minister, has also used intercepted communications data.

Surveillance capabilities

IMSI Catchers

Law enforcement agencies across Pakistan widely use mobile monitoring equipment for identification and/or interception. The Pakistani government has imported many tactical communications surveillance technologies from Europe. In 2010, the German government granted German companies export licenses valued at EUR 3.9 million to export “monitoring technology and spyware software” to Pakistan, according to Privacy International*. Between 2012 and 2014, Swiss companies were granted licenses to export dual-use communications surveillance technology to Pakistan. The total value of the three exports based on the category provided was over CHF 1 million according to records obtained by Privacy International.

* Update: This briefing has been updated to remove an erroneous reference to equipment supplied by ABB to Pakistan

Internet Protocol monitoring centre

In 2013, the Inter-Services Intelligence (ISI), Pakistan’s best known intelligence agency, sought to commission a mass surveillance system to tap international undersea cables at three cable landing sites in southern Pakistan, according to documents obtained by Privacy International. The “Targeted IP Monitoring System and COE [Common Operations Environments]” would allow Pakistan to collect and analyse a significant portion of communications travelling within and through the country at a centralized command centre. 

The total intake of data every second sought by Pakistan in the proposal document would rival some of the world’s most powerful surveillance programmes, including the UK’s ‘Tempora’ and US’ ‘Upstream’ programmes. What the ISI wanted to build, according to the request for proposals, was a complete surveillance system that would capture mobile communications data, including Wi-Fi, all broadband internet traffic, and any data transmitted over 3G. According to the documents, the interception activities were to be “seamless” and “must not be detectable or visible to the subscriber”. 

Intrusion malware

In April 2013, computer forensic research by The Citizen Lab revealed the existence of a command and control server for FinFisher, an intrusion malware suite, operating within Pakistan. FinFisher is produced by Germany-based company FinFisher GmbH; prior to 2013, the FinFisher suite was sold by Anglo-German company Gamma International. The following year, documents obtained from a FinFisher server revealed support requests from an apparent Pakistani client – identification number ‘ID 32’ – dating back to 2011. In 2013, following this revelation, the Pakistani civil society group Bytes for All filed a petition in the Lahore High Court. The court ordered the PTA to look into the matter and produce a report within one month. The PTA has not yet filed their report, and attempts to gain further hearings on the issue have been unsuccessful.

Pakistan also sought to acquire intrusion malware from Hacking Team, an Italian company and rival of FinFisher. Pakistani companies attempted to contract business with Hacking Team for sale to Pakistani law enforcement or intelligence clients in March 2015, according to analysis of leaked data by the Digital Rights Foundation. Hacking Team's core business centred around their Remote Control System (RCS) software suite, which allows customers to infiltrate the computer and mobile devices of targeted individuals and install backdoors, in turn allowing for undetectable monitoring.

Lawful interception on communications networks

Pakistan has a thriving communications surveillance industry that has developed to meet the growing demand for increased levels of surveillance. Pakistani companies such as the Center for Advanced Research in Engineering and the National Radio Telecommunication Corporation of Pakistan have all developed network surveillance tools, partly in collaboration with the military. Other companies provide both interception technologies as well as facilities to monitor and analyse transmitted data.

An investigation Privacy International found seven international firms providing lawful interception equipment in Pakistan– Alcatel (France), Atis (Germany), Ericsson (Sweden), Huawei (China), Trovicor (Germany) (formerly Nokia Siemens Networks), SS8 (US) and Utimaco (Germany). The equipment, ranging from lawful interception gateways and switching equipment to monitoring centres, was provided to Pakistani networks including, PTCL, Mobilink, Ufone and others to facilitate law enforcement and intelligence agencies' access to communications data.

Two companies in particular – Trovicor, a German surveillance technology company and the company of which it was formerly a unit, Nokia Siemens Networks (NSN) – were particularly active in providing monitoring centre solutions to the Pakistani government. NSN has been a main player in the Pakistani surveillance market since the late 1990s and was one of the first companies to provide mobile (GSM) network lawful interception capacity in Pakistan. 

Packet Inspection

The same technologies that the Pakistani government uses for censorship are also used for surveillance. Censorship of online content is widespread and justified as a means to prevent the sharing of pornographic, obscene, and blasphemous material in the Islamic republic.

The Pakistani government has purchased a number of ‘packet inspection’ technologies. Pakistan Telecommunications Ltd (PTCL), Pakistan’s largest telecommunications company that also operates the Pakistan Internet Exchange has proxies in place to do “deep packet inspection” of internet traffic. The technology to conduct deep pack inspection were provided in part by US-based Blue Coat systems, according to industry sources speaking to Privacy International. Blue Coat’s “ProxySG” product acts as a gatekeeper of access to the internet and services within it, from Secure Socket Layer (SSL) encryption, to HTTPS. Packet filtering products by Netsweeper have also been installed on PTCL’s network, according to a 2013 investigation by the Citizen Lab. They have reportedly been a vital tool in the government’s censorship of the internet. 

Civil society organisations have taken legal action to protest surveillance in Pakistan. In 2012, Bolo Bhi and several bloggers and others also took the government to court against its practise of blocking websites and the plan to have a national filtering system in place, arguing that the IT Ministry and the PTA were illegally blocking and censoring access to some websites and forums that criticised the workings of the state. In 2011, civil society group Bytes for All announced it would challenge the validity of the SMS filter in court.

Surveillance oversight, checks and balances

There is currently no stringent public oversight of surveillance. Attempts to push forward such measures in the past have been unsuccessful. Checks and balances are currently in the form of provisions that request that the courts approve warrants, as well as public outcry from civil society stakeholders.

Surveillance case law

Privacy International is not aware of any specific surveillance case law in Pakistan. Please send any tips or information to: research@privacyinternational.org

Examples of surveillance

Popular support for surveillance of communications is high in Pakistan. Intermittent but devastating attacks within Pakistan’s major cities by insurgent groups, such as the 2014 Peshawar school attack by a Taliban-affiliated group, have been cited as a reason to expand surveillance in Pakistan.

Surveillance of citizens

Interception across Pakistani networks is therefore pervasive; some of it is also unlawful. A Supreme Court hearing about a case concerning phone tapping revealed that the ISI had tapped 6,523 phones in February, 6,819 in March and 6,742 in April 2015. A case was brought in 1996 following evidence that the then-Chief Justice’s phone had been tapped. No details about the procedures and process for intercepting communications have yet been publicly released.

In 2016, Senator Saleem Mandviwalla of the Pakistan People's Party, claimed that "the federal government had authorised the tapping of his phone and interception of his personal data."

Surveillance of activists and journalists is reportedly widespread. In February 2017, the Digital Rights Foundation published a report detailing the experiences of seven female journalists in Pakistan. They detailed extensive social surveillance and harassment, as well as suspected electronic surveillance. 

Attacks on Pakistani territory frequently prompt calls for more invasive surveillance capacities. For example, an assassination attempt on Khawaja Izharul Hassan, the opposition leader of the Sindh Assembly, in September 2017 prompted politicians including Senator Raza Rabbani to write to university officials urging more surveillance of students.

UK and US government surveillance

Pakistan networks have also been targeted by the UK's Government Communications Headquarters (GCHQ). In 2010, a joint unit of the US' National Security Agency (NSA) and GCHQ hacked the world’s largest producer of SIM cards, Gemalto. The breach, detailed in a secret 2010 GCHQ document, gave the surveillance agencies the potential to secretly monitor a large portion of the world’s mobile communications, including both voice and data.

GCHQ successfully identified the identifying information of tens of thousands of SIM cards in a number of countries. However, GCHQ’s automated key harvesting system failed to produce results against Pakistani networks. This is despite there being “priority targets” for the UK in Pakistan, and despite the fact that GCHQ had a store of ‘Kis’ keys from two major Pakistani providers, Mobilink and Telenor. GCHQ has also hacked into the Pakistan Internet Exchange, a common point of transfer for a significant portion of Pakistanis’ communications, as part of its Computer Network Exploitation operations, giving the spy agency “access to almost any user of the internet” inside Pakistan.

Pakistan cooperates heavily with international surveillance initiatives against its own citizens, particularly those led by the US National Security Agency (NSA). The Pakistani government is by far the largest known recipient of NSA funds.

The NSA appears to especially value its relationship with Pakistan. The NSA maintained a ‘special collection service’ at its embassy and consulates in Pakistan. In 2008, it maintained at least one server in Pakistan for its programme XKeyscore, which searches and analyzes intercepted data. Under the Boundless Informant program, the NSA collected over 97 billion pieces of intelligence globally over a 30-day period ending in March 2013. Within this, Pakistan had the highest number of intercepted DNR (dialed number recognition) and second highest number of intercepted DNI (dialed number identification).

Pakistan also featured strongly in the NSA’s Fairview program. Fairview is a mass surveillance programme designed to collect phone, internet and e-mail data in bulk from the computers and mobile telephones of foreign countries’ citizens. NSA slides published in Brazil’s O Globo show that in one month in 2012, for instance, the NSA analyzed 11.7 billion records of DNI traffic into and out of Pakistan, as well as traffic to top Pakistani domain names. 

A June 2012 NSA document shows that the NSA, through its SKYNET programme, harvests call data from Pakistani telecommunications providers (though it does not specify how) and that 55 million phone records were fed into an NSA analysis system for an analysis exercise. Known ISI agents were tracked in this experiment and an Al Jazeera journalist was misidentified as being a member of Al Qaeda.

In November 2016, a group called the Shadow Brokers released a cache of data purporting to be taken from the NSA. The cache revealed hundreds of IP addresses apparently compromised by the NSA as part of its operations. The data suggests that elements of Pakistan's internet infrastructure, including PTCL gateway exchange in Lahore, and ISPs including Paknet (which was merged into PTCL in 2007), Multinet and Micronet were compromised.

The Pakistani government’s reaction to revelations that foreign governments have engaged in mass surveillance of communications has been mixed. In 2013, Pakistani senators expressed concern after initial revelations about the scale of NSA surveillance in Pakistan, and in 2014, the Pakistani Foreign Office officially protested against the NSA’s surveillance of its left-leaning political party, the Pakistan People's Party (PPP). The Pakistani government have made few statements about the NSA’s activities in Pakistan. In contrast, civil society in and out of Pakistan reacted vehemently to the revelations.

Data Protection

Data protection laws

Personal Data Protection Bill, 2018

In 2018, the Ministry of Information Technology and Telecommunication (MoITT) presented and sought comments on a draft personal data protection bill.

The draft bill proposed by the Ministry has a number of significant shortcomings which were presented jointly by DRF and PI. These included, amongst others: the failure to include the data processing activities of public bodies and government within the ambit of the law, weak definitions of certain key terms which could lead to misinterpretation including for ‘personal data’, ‘consent’ and ‘sensitive personal data’, the absence of strong safeguards against mass surveillance, the failure to regulate international data sharing, and the inclusion of broad powers awarded to the Federal Government to make exemptions. 

The legislative process is on-going, and no comprehensive data protection law has been adopted yet. In the absence of direct data protection legislation, data privacy and protection is theoretically still regulated through provisions in the following pieces of legislation.

The Electronic Transactions Ordinance (2002)

The Electronic Transactions Ordinance (2002) does not regulate data protection directly, but it criminalises unlawful or unauthorised access to information. Section 36 of the ETO states:

"Any person who gains or attempts to gain access to any information system with or without intent to acquire the information contained therein or to gain knowledge of such information [...] shall be guilty of an offence under this Ordinance punishable with either description of a term not exceeding seven years, or fine which may extend to one million rupees, or with both."

The same law envisages the establishment of a government-appointed body to certify electronic documents, and in Section 43(2)(e) grants powers to that body to make regulations for the privacy and protection of its users. However, it appears that the government is yet to establish this certification body, let alone draft regulation to protect the privacy of its users.

The Freedom of Information Ordinance (2002)

According to section 17 of the Freedom of Information Ordinance, "Privacy and personal information", certain forms of "information is exempt if its disclosure under this ordinance would involve the invasion of the privacy of an identifiable, individual (including individuals) other than the requester."

Prevention of Electronic Crimes Act (2016)

The Prevention of Electronic Crimes Act (2016) also contains a number of sections related to data privacy. However, these are intended to grant law enforcement and other government entities access to the private data of citizens, or to restrict citizens from gaining access to government data. Sections 3, 4, 5, 6, 7 and 8 make it a crime for anyone to gain unauthorized access to any information system or data, or copying or transmission of critical infrastructure data, punishable with a prison sentence up to 3 months to seven years or a fine of up to fifty thousand to 10 million rupees.

Section 31 allows a law enforcement officer to require a person to hand over data without producing any court warrant if it is believed that it is "reasonably required" for a criminal investigation. This can be done at the discretion of the officer and needs only be brought to the notice of a court within 24 hours after the acquisition of the data. Section 32 requires telephone and Internet service providers to retain traffic data for at least one year. Law enforcement bodies can demand access to that data subject to a warrant issued by a court. Section 30 allows courts to issue a warrant to a law enforcement officer to search and seize any data that "may reasonable be required" for a criminal investigation. In cases involving the vaguely defined "cyberterrorism", the officer can search and seize the data without a warrant and notify the court within 24 hours of its seizure.

Section 32 requires that law enforcement officers carrying out a search and seizure "take all precautions" to maintain the secrecy of the seized data and not interfere with any data not related to the crime under investigation. Under Section 38, if a law enforcement officer knowingly shares seized data to any other person, it can be punished with a prison term of up to three years and a fine of up to one million rupees.

Section 35(2)(b) requires that law enforcement officers carrying out a search and seizure "take all precautions" to maintain the secrecy of the seized data and not interfere with any data not related to the crime being investigated. Under Section 38, if a law enforcement officer knowingly shares seized data to any other person, it can be punished with a prison term of up to three years and a fine of up to one million rupees (around US$ 9,500).

Section 39 permits for real-time collection and recording of information for a criminal investigation if a Court is satisfied on the basis of information furnished by an authorized officer.

Section 42 allows the government to share any data obtained from its investigation with any foreign government or international agency.

National Database and Registration Authority Ordinance, 2000

The ordinance establishing NADRA, Pakistan's database authority, states in section 4(j) that it shall be responsible for "ensuring of due security, secrecy and necessary safeguards for protection and confidentiality of data and information contained in or dealt with by the National Data warehouse at individual as well as collective level."

Electronic Data Protection Act 2005 (draft)

In 2005, the Ministry of Information Technology circulated a draft law on data protection. However, for unclear reasons it was never tabled in Parliament. It appears that this draft legislation was initially written primarily with the intention of meeting the needs of Pakistan's software industry to conduct international business, rather than to address actual privacy issues. This is clear from Section 4 of the draft law:

"4. Government activity and exemptions — (1) This Act does not apply to the processing of personal or corporate data carried out by federal, provincial or local government.

(2) The federal government, in respect of local data only, by notification in the official gazette, may exempt any public or private sector, entity or business from the operation of this Act.

The rest of the draft law is filled with similar exemptions and vague terminology.

Law enforcement access to stored data

Since 2004, network providers have been required to comply with requests for interception and access to network data as a standard condition of the PTA's award of operating licenses to telecommunications providers.

Accountability mechanisms

Habeas Data/Subject access requests

Pakistan does not have any legislation explicitly allowing an individual to request data about themselves. However, it may be possible to request this information under Freedom of Information legislation.

Freedom of Information (FOI)

The Constitution has an explicit provision for the public's right to information in Article 19A, which states:

"Every citizen shall have the right to have access to information in all matters of public importance subject to regulation and reasonable restrictions imposed by law."

The federal government is still in the process of enacting a Right to Information Act whereas three provincial governments have passed Freedom of Information laws. The provincial laws for Khyber-Pakhtunkhwa (K-P) and Punjab have received praise from experts, while the FOI laws for the federal government and Baluchistan have been found to have serious flaws. The old Freedom of Information Ordinance (2002) which was enacted by the government of General Pervez Musharraf is still in effect at the federal level. The Sindh government has recently enacted a new law called the Sindh Transparency and Right to Information Law 2016.

In 2013, the federal government drafted a new Right to Information Act that was finalised in 2014 with amendments by the Senate Standing Committee on Information and Broadcasting. The draft has received widespread praise as it incorporates many progressive elements from the K-P and Punjab laws. The Senate's Select Committee approved the draft of the bill in February 2017 while the standing committee of Senate approved the bill in May 2017. However, the government has so far not tabled the bill in the National Assembly.

Article 8 of the current federal Freedom of Information Ordinance (2002) excludes a wide range of information from public access under the law. This includes any records relating to defence and national security, and further gives the federal government the discretion to exclude any other document from the purview of the law "in public interest".

Consumer protection rules

Pakistan has consumer protection legislation for all four of its provinces and the Islamabad Capital territory. The laws establish consumer courts, to which consumers can direct complaints against defective products and misinformation by sellers.

The laws do not have any provisions explicitly to protect the privacy of consumer data held by suppliers of goods and services. However, there are some provisions that could potentially be exploited for this purpose. For example, Article 13 of the Sindh Consumer Protection Act 2015 states that a "provider of services shall be liable to a consumer for damages proximately caused by the provision of service that have caused damage." However this would seemingly require the damage from any data breach to have already occurred in order for the provider to be held accountable.

Research published by the Digital Rights Foundation in December 2016 found that Pakistan's mobile service providers were inconsistent in their provision and publication of privacy policies, and that none of the privacy policies that were available indicated an awareness of the passage of the 2016 Prevention of Electronic Crimes Act.

Data breaches: case law

There exist a few informative cases related to the right to privacy in Pakistan which may be precedent-setting.

In Ghulam Hussain vs Addition Sessions Judge, Dera Allah Yar (PLD 2010 Quetta 21), the petitioner complained that the police raided his home on the basis of 'secret information' that it was being used as a gambling den, without a prior enquiry being carried out by a magistrate. The court ruled in favour of the petitioner that only in certain exceptional circumstances can the privacy of the home be violated. The Petitioner was also acquitted of charges.

In Taufiq Bajwa vs CDGK (2010 YLR 2165), the petitioner filed a case stating that his right to life under Article 9 of the Constitution had been violated by the boundary wall of a neighbouring park which was of such a height that it allowed a person to look inside his home. The court supported the petition and held that the park and wall must be reconstructed such that the petitioner's privacy is not violated. The case affirms that the courts interpret Article 9 ("right to life") widely enough to be used to protect the right to privacy.

In M.D.Tahir v. State Bank (2004 CLC 1680), the Lahore High Court held that the practice of collecting the private information of bank holders and presenting them to tax authorities, without any allegation of wrongdoing was a violation of the right to privacy. The State Bank of Pakistan had previously issued a directive that called for the collection, without any sustainable juridical criteria, of personal information like name, address, NTN Number and NIC Numbers of individuals who have obtained ten thousand rupees as interest. The directive was struck down and it was held that "taking of private information without any allegation of wrongdoing of ordinary people is an extraordinary invasion of this fundamental right of privacy."

Examples of data breaches

In 2010, the Shah Faisal branch of NADRA in Karachi reported a data breach in the form of a theft of "computers and other equipment", including hard drives, according to Alertboot Endpoint Security. The data breach was low-tech, and involved a physical break-in.

In 2012, a Turkish hacker claimed to have accessed NADRA's servers as well as those of the Federal Investigation Agency (FIA) by spawning backdoors. In 2014, NADRA received a report from the head of the ISI concerning the possibility of data leaks through the Pakistan government's reliance on third party companies database and verification software and hardware.

In 2017, a bug in the infrastructure of the Punjab Information Technology Board was reportedly responsible for a leak of thousands of Pakistanis' personal information, including CNIC numbers, the front and back of CNIC cards, CVs and other information.

Since at least 2014, databases have been illegally sold online. These contain hundreds of thousands of records with names, national ID card numbers, home addresses and phone numbers of mobile phone users. It is believed that this data is used primarily by mobile marketers to market their products. It is not clear how exactly this data is leaked, but it is speculated that it could be due to a combination of mobile service providers storing consumer data insecurely, as well as the possibility that employees within the companies themselves are leaking the data to those willing to purchase it. It is not clear whether the government has taken any action to combat these crimes.

In April 2018, Careem, a transportation network company which is based in Dubai, made a public statement that they had identified “a cyber incident involving unauthorised access to the system we use to store data” on 14 January 2018. Data reported to have been stolen included customers’ name, email address, phone number and trip data of 14 million users.

In May 2018, an investigation published by the news website TechJuice alleged that sensitive personal data obtained from the Punjab Information Technology Board (PITB) portal was being sold publicly. The data which was reported to have been compromised included CNIC Information, NADRA Family Tree Data, Criminal Records, Rent Tentee & Hotel Visitor Information and Offline Databases of Registered Mobile Users. The leak was condemned by civil society organisations but the PITB dismissed the leak

In November 2018, the Federal Investigation Agency’s cyber-crime unit reported that 22 Pakistani banks experienced a mass skimming operation which took the details of nearly 20,000 credit and debit cards. The details were then sold and used to make fraudulent online purchases. It is unclear how much money was stolen in total but the Head of the FIA said that “a “large amount of money” had been stolen”.

Identification Schemes

ID cards and databases

The registration of personal data is widespread in Pakistan, and public opinion is for the most part in favour of it. This in part because recent terrorist attacks and ongoing political instability, and that many high profile news stories following these have attributed the security services' success tracking down criminals and terrorists to the storage of their information in National Database & Registration Authority (NADRA) databases.

Pakistan has one of the world's most extensive citizen registration regimes — over 96% of citizens reportedly have biometric ID cards.

In 2012 NADRA announced a so-called chip-based Smart NIC (SNIC) containing its owner's biometric photo, a computer chip, address and parental information. NADRA has said that it aims to replace all current CNICs with SNICs by 2020. A SNIC is necessary in order to open a bank account, get a new driver's licence, passport, broadband internet connection or a SIM card.

Biometric data collected by NADRA include iris scans, fingerprints (both hands), a photograph taken at a NADRA centre, and a scan of the citizen's personal signature. Given the scale of the task, NADRA has found itself at the heart of a number of controversies regarding the lack of proper checks and balances. There have been a number of reports of corruption at NADRA centres, where the biometric verification/application process can be bypassed. Serious misidentification errors can occur and forgery is rife.

In July 2016 NADRA introduced an SMS verification service, to investigate the validity of a citizen's own CNIC, as well as of those in their "family tree", i.e. anyone in their family linked to their CNIC. Although the government has declared this to be a positive step, it has come under fire as knowledge of one CNIC is enough to find out the personal information of other family members, which in turn can put them at risk. This is especially worrying in a country rife with persecution of religious, ethnic and LGBT minorities.

Voter registration

In August 2015, the Government of Pakistan's Election Commission coordinated with NADRA what they reported to be the first election via biometric verification of voters.

The election in a constituency in Haripur district was intended to be a pilot for future elections in other districts and nationwide. NADRA has indicated that this would be a positive means of tackling electoral fraud. There are concerns, however, that requiring biometric verification to vote may disqualify non-verified but legitimate voters from using the ballot. There is also the concern, as with pre-biometric registration, that the biometric verification exercise would not tackle voter intimidation effectively, and may in some instances would make it easier to intimidate voters. This is especially a concern in districts in Pakistan where votes can still be bought by village elders or landlords. In September 2017, the Election Commission also experimented with electronic biometric voting machines for NA-120 and NA-4 by-elections.

NADRA provided support to the Election Commission of Pakistan ahead of the 2018 election to verify unique voters via National Citizen Database. All unverified voters were removed, and they were not permitted to conduct a vote. It was reported that out of a number of 81 million voters, 36 million had been verified.

SIM card registration

The registration of personal data is widespread and enjoys a high level of popular support. Terrorist attacks have been cited by the government in its ongoing drive to ensure that all SIM cards are registered via biometric verification. For example, it was reported that the perpetrators of December 2014 attack on an army-run school in Peshawar in which 132 children were killed had used mobile phones with SIM cards that were registered to a woman who had no connection to any of the attackers, indicating that the SIMs had been registered fraudulently.

SIM cards must now be registered to their user. Unlike in most countries with mandatory registration, SIM cards are also biometrically verified against the National Database and Registration Authority's (NADRA) national database, often by fingerprint. The government plans to have all SIM cards biometrically verified. As of March 2015, 68.7 million SIMs had been biometrically verified out of 103 million SIMs in use at that time. Unfortunately, NADRA has not provided up to date numbers since. However, there have been reports of corruption as well as honest incompetence on the part of the verification system resulting in some SIMs escaping being deactivated. This number has been shrinking however, given the aggressiveness of the re-verification drive.

Policies and Sectoral Initiatives

Cybersecurity policy

The Prevention of Electronic Crimes Act (2016), though dealing with cybercrime in particular, has provisions that also concern "cyber terrorism". Section 10, "Cyber terrorism", states:

"Whoever commits or threatens to commit any of the offences under sections 6, 7, 8 or 9, where the commission or threat is with the intent to:

(a) coerce, intimidate, create a sense of fear, panic or insecurity in the Government or the public or a section of the public or community or sect or create a sense of fear or insecurity in society; or 

(b) advance inter-faith, sectarian or ethnic hatred, 

shall be punished with imprisonment of either description for a term which may extend to fourteen years or with fine which may extend to fifty million rupees or with both."

Cybercrime

The Prevention of Electronic Crimes Act (PECA) (2016) regulates cyber crime in Pakistan. The PECA establishes mechanisms by which state officers may order the retention or provision of communications data (including from operators of communications networks). While the officer is required to notify a court of these orders, the court has no role in vetting or reviewing the grounds, or of considering the necessity or proportionality of any action taken. These powers apply to communications data rather than the content of communications. Yet significant concerns remain about the bill’s implications for citizens’ privacy. Communications data allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, relating to personal associations, patterns of behaviour and the like, as the Court of Justice of the European Union recently noted. ​Pakistani civil society groups have also been actively engaging in consultation processes around the PECA, after a version of the draft bill was leaked in early 2015.

The Federal Investigation Agency (FIA), an autonomous federal institution charged with investigating terrorism, federal crimes as well as electronic crimes. Its National Response Centre for Cyber Crimes (NR3C) was established in 2002, but it was not until the promulgation of the Prevention of Electronic Crimes Ordinance (PECO), that the agency gained greater legislative powers to investigate, prosecute and control electronic crime, report the Pakistani civil society group Bytes for All.

The Punjab Protection of Women Against Violence Act (2016) also makes a one-line mention of cybercrime as contained within the definition of "violence" that the Act criminalises.

In February 2018, the government included in the proposed budget for the fiscal year 2018-2019 the establishment of the Cyber Patrolling Unit whose creation was approved on 16 January 2018 by the Departmental Development Working Party (DDWP). The Unit is to consist of personnel of Federal Investigation Agency (FIA) who will be responsible for tackling child pornography as it has been mandated to do so by the Prevention of Electronic Crimes Act (2016). It was reported that the Unit would be integrated with the National Database and Registration Authority (NADRA) and the Pakistan Telecommunication Authority (PTA).

Encryption

Encryption in the form of Virtual Private Networks (VPNs) and encrypted messaging apps is illegal in Pakistan, ostensibly for security reasons as, according to the Pakistan Telecommunications Authority, these "conceal communication to the extent that prohibits monitoring".

If a company or individual wishes to use encryption without being penalised, a formal request must be sent to the PTA and accepted. In 2015 Blackberry and its encrypted messaging service, Blackberry Messenger (BBM) were banned and asked to leave Pakistan, as Blackberry would not hand over access to its user base and servers. Blackberry was permitted to stay, although the details of the agreement have not been made public. The popularity of messaging apps that are encrypted by default, such as WhatsApp, or Apple's FaceTime and VPN services, have made enforcement of this ban on encryption difficult to impossible to implement. According to reports, however, certain messaging and VOIP services may eventually require a license to operate in Pakistan. It is extremely difficult to see how this would be implemented. There is concern that Pakistan may emulate the United Arab Emirates and Saudi Arabia, both of which have blocked WhatsApp voice calls and FaceTime calls.

Licensing of industry

The Pakistan Telecommunication Authority (PTA) is the main regulatory and license-issuing body overseeing the internet and telecom industry in Pakistan. It also promotes the spread of internet and telecommunication services and makes recommendations on matters of policy. ​The PTA has been given authority to monitor internet traffic when required by law and has also been given responsibility, according to Section 34 of the Prevention of Electronic Crimes Act (2016), to block “objectionable” content. The PTA chairman and members are appointed by the federal government and it reports to the Ministry of Information Technology and Telecommunication, according to the Pakistan Telecommunication (Re-organization) Act (1996).

The PTA has also been given the ability to issue policy directives. An example of this is the 21 July 2011 directive that called for the banning of encryption mechanisms except on a case by case basis, provided a formal request has been made to the PTA.

Freedom House's 'Freedom on the Net' index mentions that international human rights organisations, free expression groups and experts have expressed reservations about the PTA’s governance structure, openness, and independence as a regulatory body. Freedom House cite "the repeated failure to make new appointments" to the PTA, following a number of reservations over the transparency of the appointment process.

In terms of blocking and filtering content, the authority relies primarily on maintaining a blacklist of URLs that are blocked at both the internet exchange point (IXP) through the Pakistan Internet Exchange (PIE) and by the internet service providers (ISPs). A 2013 report by the Citizen Lab revealed that PTA has been using Canadian company Netsweeper's technology for blocking and filtering online content.

Communications Service Providers

There are at least 50 operational internet service providers (ISPs) in Pakistan. These include Pakistan Telecommunication Company Ltd (PTCL). It was reported that the overall bandwidth in Pakistan ranges around 130,000 Mbits through four undersea cables – three controlled by Pakistan Telecommunication Company Ltd (PTCL) and one by Transworld Associates (TWA). As of June 2017, a new submarine cable, the AAE-1 (also called Asia-Africa-Europe-1) cable, has been servicing Pakistan. PTCL, an ISP which is partly owned by the government, also operates the Pakistan Internet Exchange (PIE) which facilitates most of the internet traffic exchange between ISPs inside and outside the country. PIE was created in 2000 to provide a single backbone for Pakistan by providing peering points for ISPs.

As of 2017, there are four cellular mobile service providers operating in Pakistan: Mobilink/Jazz/Pakistan Mobile Communications Limited (PMCL) (owned by VimpleCom Ltd), Warid (merged with Mobilink by VimpleCom in 2015), Ufone/Pak Telecom Mobile Limited (owned by Etisalat), and Zong Pakistan (owned by China Mobile Pakistan). Apart from Mobilink, the rest are owned by foreign service providers (Telenor, however, retains a 42.95 % share in VimpleCom Ltd).

A fifth provider, the Special Communication Organisation (SCO), is owned by the Government of Pakistan, and offers cellular services. In October 2017, the  National Assembly Standing Committee on Information Technology approved a proposal to allow the SCO to operate commercially and compete with the private telecom operators nationwide. The SCO previously had primarily been responsible for providing communications services in the northern Azad Jammu & Kashmir and Gilgit Baltistan regions bordering India. Describing itself as a "public sector organization working under Ministry of IT", the SCO has an unclear relationship to the Pakistan Army, with some reports describing the SCO as a subsidiary of the Pakistan Army.

Nationwide fiber-optic framework

The Pakistani government appears to be engaged in a "radical overhaul" of Pakistan’s communications network infrastructure facilitated by the Long Term Plan (LTP) for a China-Pakistan Economic Corridor (C-PEC).

According to a roadmap document covering the period 2013-2015 seen by Dawn, a critical component of the partnership between the two countries is a new, upgraded fibre optic cable network which connects Pakistan directly with China via central Asia. The revelation about the proposed network raised security concerns that internet traffic could potentially be monitored by China.

E-governance/digital agenda

Over the past two decades, the federal government has laid out several plans and initiatives to promote the use of digital technologies in government services, including:

However, the implementation of these plans and initiatives has been haphazard and unsustained due to political and other reasons. The official e-government portal, pakistan.gov.pk has been neglected in the past. The current form of the portal lists links to other government websites and pages to assist users in finding information related to government services. A large portion of those links are broken.

The quality of the websites of individual ministries and departments varies greatly depending on the enthusiasm and resources of the leadership of those departments at any given time. Most of the federal government websites do not use HTTPS/SSL, however, increasingly, those sites offering services that require users to log in to an account such as the Federal Board of Revenue's Taxpayer Facilitation Unit or the National ID card online application website are now using SSL.

The e-government services offered by the provincial governments vary in the same way. For example, the web portals of the governments of Punjab and Khyber-Pakhtunkhwa are better maintained with up to date information and the former also uses secure data protocol HTTPS/SSL.

All e-government services such as filing taxes or filing a complaint with an ombudsperson require users to provide their national identity card numbers.

Health sector and e-health

Privacy International is not aware of any specific privacy issues related to the health sector and e-health in Pakistan. Please send any tips or information to: research@privacyinternational.org

Smart policing

The Punjab government introduced "Hotel Eye Software" to link 500 hotels and guest houses with the database of Criminal Record Office. Information of all guests staying at the hotels and guest houses will automatically will be sent to the database to identify criminals. Other cities of the province will also be brought in the scope of this project. [See also section on 'Smart cities' below']

Transport

The National Database and Registration Authority (NADRA), the government body responsible for issuing national identity cards, also offers an e-Vehicle Management System to other government departments and the private sector to make it easier for them to identify and track the movement of vehicles using RFID chips. The services offered by this system are:

  1. The ability for government authorities to identify and track the movement of vehicles as they pass through road checkpoints;
  2. The ability to identify a vehicle for the purpose of controlling access to a secured premises through designated gates; and
  3. A way for road and highway authorities to quickly collect tolls from drivers through an electronic credit mechanism.

It is not clear if these services use NADRA's national registration database for identification and what security provisions are in place to control access to the data.

Motorway e-tags and m-tags

One of the places where this service has been deployed is on a number of motorways connecting Islamabad, Lahore and Peshawar (M-1, M-2, M-3, M-4). Drivers on these roads have the option of installing and RFID in their windshield which automatically deducts the toll fee from a pre-paid account each time they pass through a toll gate. Registering for this system requires drivers to provide their national identity card number.

Originally, tolls on the M-1, M-2 and M-4 were collected by the National Highways Authority (NHA) under the Ministry of Transportation using NADRA's e-tag system. However, since 2016, the tolls on all four motorways are collected by the Frontier Works Organization, an administrative branch of the Pakistan Army, using their own "m-tag" system that also uses RFID chips.

It was also reported in February 2016 that the NHA is considering other toll payment options such as the use of mobile phone or credit cards.

Metrobus

The metrobus mass transit systems implemented by the Punjab Government in Lahore, the twin cities of Islamabad and Rawalpindi and Multan also use RFID chips to track the distance traveled by riders. Travelers have the option of purchasing either a single-use plastic RFID token for single-rides or a pre-paid RFID-base card for multiple trips. Travelers do not need to provide their national identity card number for either, and the only data needed is the traveler's first and last name in the case of the multiple-use card.

Ride-sharing apps

Various ride-sharing apps are being used in Pakistan. The main two are Careem, a company based in Dubai, United Arab Emirates, with operations in around 50 cities in the Middles East, South Asti and Africa, and Uber, a USA-based company with operation in 570 cities worldwide.

A detailed study published in January 2019 by Digital Rights Foundation on the practices of Uber and Careem in the country, highlighted the need for better complaints mechanisms and security procedures, which are particularly necessary from a gender perspective and the specific impacts that such policies have over women. They also found that both companies’ privacy policies lacked basic guarantees such as data breach disclosures and contain unspecified data sharing provisions, among other flaws.

Smart cities

The federal government, through National Database and Registration Authority (NADRA) and Chinese company Huawei has implemented the country's first ever smart city project, the Punjab Safe City project, in Islamabad and Lahore in 2016. Islamabad would receive 2,000 high-powered CCTV cameras enabled with Intelligent Video Surveillance technology, while the number of cameras for Lahore would be 8,000. The technology has facial recognition capabilities, and the network is integrated with NADRA's central database of the citizens containing other biometric data.

The Sindh government has also announced a Safe City Project for the country's financial hub and largest city Karachi. The Khyber-Pakhtunkhwa government has also been implementing a Safe City Project in Peshawar city. The Baluchistan government has also announced to implement a Safe City Project in Quetta and Gwadar.

Migration

In August 2017, the Ministry of State and Frontier Regions, and Afghan Commissionerate in collaboration with Afghan government Ministry of Refugees and Repatriations and the United Nations High Commissioner for Refugees (UNHCR) started registration of Afghan refugees across Pakistan. NADRA registered 2.8 million Afghan refugees and issued cards to 1.6 million of these. Around 840,000 refugees were repatriated to Afghanistan from Pakistan.

Emergency response

Privacy International is not aware of any privacy issues related to emergency response in Pakistan. Please send any tips or information to: research@privacyinternational.org

Humanitarian and development programmes

During military operations in tribal areas, the Federally Administered Tribal Areas (FATA) Disaster Management Authority in support of NADRA launched a campaign to verify citizens' identities to access emergency recovery support. Verification was subject to clarification by NADRA's citizen data and biometric verification. A Livelihood Support Grant and Child Wellness Grant have been established to help temporary displaced persons of FATA.

Social media

The government periodically launches crackdowns against social media. In May 2017, Interior Minister Chaudhry Nisar Ali Khan stated that anti-army content on social media would not be tolerated. The Federal Investigation Agency (FIA) has summoned several social media activists and questioned them. Some of them have also been charged under defamation clauses of PECA and Penal Code of Pakistan.

Blasphemy

Blasphemy is illegal in Pakistan; this is frequently given as a justification for increased online surveillance.

Anti-terrorism court in Pakistan sentenced a 30-year-old man, Taimore Raza, to death in June 2017 for publishing blasphemous content on social media. In another case, a Christian was sentenced with life imprisonment in September 2017 for sending blasphemous text messages. Another anti-terrorism court indicted four suspects for committing blasphemy on social media.

The government of Pakistan has sought to block Facebook pages and Twitter accounts, and obtain information on those accounts' owners. In March 2016, a Pakistani man was given a 13 year prison sentence for allegedly posting "religiously offensive material" on Facebook. Blasphemy carries either the death penalty, life or an extended prison sentence.

Between July and December 2016, according to Facebook's Global Government Requests Report, the Pakistan government had made a total of 1,002 requests for account information, with 67.56% of those requests resulting in "some data" being produced. Facebook also restricted access to 6 items of content "alleged to violate local laws prohibiting blasphemy and condemnation of the country's independence".