State of Privacy Pakistan

January 2018

by Privacy International and Bytes for All

Table of contents

Introduction

Right to Privacy

Data Protection

Identification Schemes

Policies and Sectoral Initiatives

Introduction

Acknowledgment

The State of Privacy in Pakistan is the result of an ongoing collaboration by Privacy International and Bytes for All.

Key Privacy Facts

1. Constitutional privacy protections: Article 14(1) of the Constitution of the Islamic Republic of Pakistan states that "[t]he dignity of man and, subject to law, the privacy of home, shall be inviolable."

2. Data protection laws: Pakistan does not at present have direct data protection legislation.

3. Data protection agency: Pakistan does not at present have a data protection authority.

4. Recent scandals: Interception across Pakistani networks is pervasive; some of it is also unlawful, according to investigative and media reports.

5. ID regime: Pakistan has one of the world's most extensive citizen registration regimes. This is run by the National Database & Registration Authority (NADRA).

Right to Privacy

The constitution

The Constitution of the Islamic Republic of Pakistan enshrines the right to privacy as a fundamental right. Article 14(1) of the Constitution confirms that "[t]he dignity of man and, subject to law, the privacy of home, shall be inviolable."

As a fundamental constitutional right, the right to privacy is meant to take precedence over any other inconsistent provisions of domestic law. Article 8 of the Constitution provides that "[a]ny law, or any custom or usage having the force of law, in so far as it is inconsistent with the rights conferred [under the Constitution], shall, to the extent of such inconsistency, be void." Article 8 (5), furthermore, states that "[t]he rights conferred by this Chapter shall not be suspended except as expressly provided by the Constitution."

Yet Pakistan's constitution also includes a wide-ranging exception to the primacy of fundamental rights. The provisions of Article 8 do not apply to any law relating to the 'proper discharge' of the duties of the Armed Forces or the police. The breadth of this exception is troubling, especially given the central role that the Armed Forces in particular have played in Pakistan's domestic political landscape historically.

Regional and international conventions

Pakistan is a signatory to several international and regional instruments with privacy implications, including:

The International Covenant on Civil and Political Rights (signed April 2008, ratified June 2010). Article 17 of the ICCPR states that "no one shall be subject to arbitrary or unlawful interference with his privacy, family or correspondence." The ICCPR also commits Pakistan to ensuring the protection of other rights that rely on the protection of privacy, such as freedom of expression and freedom of association.

The Cairo Declaration on Human Rights In Islam (signed August 1990). Article 18 of the CDHRI affirms that: "a) Everyone shall have the right to live in security for himself, his religion, his dependents, his honor and his property. (b) Everyone shall have the right to privacy in the conduct of his private affairs, in his home, among his family, with regard to his property and his relationships. It is not permitted to spy on him, to place him under surveillance or to besmirch his good name.

The State shall protect him from arbitrary interference. (c) A private residence is inviolable in all cases. It will not be entered without permission from its inhabitants or in any unlawful manner, nor shall it be demolished or confiscated and its dwellers evicted."

The Convention on the Rights of the Child (ratified November 1990). Article 16 of the CRC states that "1) No child shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home or correspondence, nor to unlawful attacks on his or her honour and reputation. 2) The child has the right to the protection of the law against such interference or attacks."

Communication Surveillance

Introduction

Surveillance laws

Surveillance actors

Surveillance capabilities

Surveillance oversight, checks and balances

Surveillance case law

Examples of surveillance

Data Protection

Data protection laws

Pakistan does not at present have direct data protection legislation. As noted above, the Constitution limits the individual's protection of privacy in cases related to the "proper discharge" of the duties of the Armed Forces or the police.

In the absence of direct data protection legislation, data privacy and protection is theoretically regulated through provisions in the following pieces of legislation.

The Electronic Transactions Ordinance (2002)

The Electronic Transactions Ordinance (2002) does not regulate data protection directly, but it criminalises unlawful or unauthorised access to information. Section 36 of the ETO states:

"Any person who gains or attempts to gain access to any information system with or without intent to acquire the information contained therein or to gain knowledge of such information [...] shall be guilty of an offence under this Ordinance punishable with either description of a term not exceeding seven years, or fine which may extend to one million rupees, or with both."

The same law envisages the establishment of a government-appointed body to certify electronic documents, and in Section 43(2)(e) grants powers to that body to make regulations for the privacy and protection of its users. However, it appears that the government is yet to establish this certification body, let alone draft regulation to protect the privacy of its users.

The Freedom of Information Ordinance (2002)

According to section 17 of the Freedom of Information Ordinance, "Privacy and personal information", certain forms of "information is exempt if its disclosure under this ordinance would involve the invasion of the privacy of an identifiable, individual (including individuals) other than the requester."

Prevention of Electronic Crimes Act (2016)

The Prevention of Electronic Crimes Act (2016) also contains a number of sections related to data privacy. However, these are intended to grant law enforcement and other government entities access to the private data of citizens, or to restrict citizens from gaining access to government data. Sections 3, 4, 5, 6, 7 and 8 make it a crime for anyone to gain unauthorized access to any information system or data, or copying or transmission of critical infrastructure data, punishable with a prison sentence up to 3 months to seven years or a fine of up to fifty thousand to 10 million rupees.

Section 31 allows a law enforcement officer to require a person to hand over data without producing any court warrant if it is believed that it is "reasonably required" for a criminal investigation. This can be done at the discretion of the officer and needs only be brought to the notice of a court within 24 hours after the acquisition of the data. Section 32 requires telephone and Internet service providers to retain

traffic data for at least one year. Law enforcement bodies can demand access to that data subject to a warrant issued by a court. Section 30 allows courts to issue a warrant to a law enforcement officer to search and seize any data that "may reasonable be required" for a criminal investigation. In cases involving the vaguely defined "cyberterrorism", the officer can search and seize the data without a warrant and notify the court within 24 hours of its seizure.

Section 32 requires that law enforcement officers carrying out a search and seizure "take all precautions" to maintain the secrecy of the seized data and not interfere with any data not related to the crime under investigation. Under Section 38, if a law enforcement officer knowingly shares seized data to any other person, it can be punished with a prison term of up to three years and a fine of up to one million rupees.

Section 35(2)(b) requires that law enforcement officers carrying out a search and seizure "take all precautions" to maintain the secrecy of the seized data and not interfere with any data not related to the crime being investigated. Under Section 38, if a law enforcement officer knowingly shares seized data to any other person, it can be punished with a prison term of up to three years and a fine of up to one million rupees (around US$ 9,500).

Section 39 permits for real-time collection and recording of information for a criminal investigation if a Court is satisfied on the basis of information furnished by an authorized officer.

Section 42 allows the government to share any data obtained from its investigation with any foreign government or international agency.

National Database and Registration Authority Ordinance, 2000

The ordinance establishing NADRA, Pakistan's database authority, states in section 4(j) that it shall be responsible for "ensuring of due security, secrecy and necessary safeguards for protection and confidentiality of data and information contained in or dealt with by the National Data warehouse at individual as well as collective level."

Electronic Data Protection Act 2005 (draft)

In 2005, the Ministry of Information Technology circulated a draft law on data protection. However, for unclear reasons it was never tabled in Parliament. It appears that this draft legislation was initially written primarily with the intention of meeting the needs of Pakistan's software industry to conduct international business, rather than to address actual privacy issues. This is clear from Section 4 of the draft law:

"4. Government activity and exemptions — (1) This Act does not apply to the processing of personal or corporate data carried out by federal, provincial or local government.

(2) The federal government, in respect of local data only, by notification in the official gazette, may exempt any public or private sector, entity or business from the operation of this Act.

The rest of the draft law is filled with similar exemptions and vague terminology.

Law enforcement access to stored data

Since 2004, network providers have been required to comply with requests for interception and access to network data as a standard condition of the PTA's award of operating licenses to telecommunications providers.

Accountability mechanisms

Habeas Data/Subject access requests

Pakistan does not have any legislation explicitly allowing an individual to request data about themselves. However, it may be possible to request this information under Freedom of Information legislation.

Freedom of Information (FOI)

The Constitution has an explicit provision for the public's right to information in Article 19A, which states:

"Every citizen shall have the right to have access to information in all matters of public importance subject to regulation and reasonable restrictions imposed by law."

The federal government is still in the process of enacting a Right to Information Actwhereas three provincial governments have passed Freedom of Information laws. The provincial laws for Khyber-Pakhtunkhwa (K-P) and Punjab have received praise from experts, while the FOI laws for the federal government and Baluchistan have been found to have serious flaws. The old Freedom of Information Ordinance (2002) which was enacted by the government of General Pervez Musharraf is still in effect at the federal level. The Sindh government has recently enacted a new law called the Sindh Transparency and Right to Information Law 2016.

In 2013, the federal government drafted a new Right to Information Act that was finalised in 2014 with amendments by the Senate Standing Committee on Information and Broadcasting. The draft has received widespread praise as it incorporates many progressive elements from the K-P and Punjab laws. The Senate's Select Committee approved the draft of the bill in February 2017 while the standing committee of Senate approved the bill in May 2017. However, the government has so far not tabled the bill in the National Assembly.

Article 8 of the current federal Freedom of Information Ordinance (2002) excludes a wide range of information from public access under the law. This includes any records relating to defence and national security, and further gives the federal government the discretion to exclude any other document from the purview of the law "in public interest".

Consumer protection rules

Pakistan has consumer protection legislation for all four of its provinces and the Islamabad Capital territory. The laws establish consumer courts, to which consumers can direct complaints against defective products and misinformation by sellers.

The laws do not have any provisions explicitly to protect the privacy of consumer data held by suppliers of goods and services. However, there are some provisions that could potentially be exploited for this purpose. For example, Article 13 of the Sindh Consumer Protection

Act 2015 states that a "provider of services shall be liable to a consumer for damages proximately caused by the provision of service that have caused damage." However this would seemingly require the damage from any data breach to have already occurred in order for the provider to be held accountable.

Research published by the Digital Rights Foundation in December 2016 found that Pakistan's mobile service providers were inconsistent in their provision and publication of privacy policies, and that none of the privacy policies that were available indicated an awareness of the passage of the 2016 Prevention of Electronic Crimes Act.

Data breaches: case law

There exist a few informative cases related to the right to privacy in Pakistan which may be precedent-setting.

In Ghulam Hussain vs Addition Sessions Judge, Dera Allah Yar (PLD 2010 Quetta 21), the petitioner complained that the police raided his home on the basis of 'secret information' that it was being used as a gambling den, without a prior enquiry being carried out by a magistrate. The court ruled in favour of the petitioner that only in certain exceptional circumstances can the privacy of the home be violated. The Petitioner was also acquitted of charges.

In Taufiq Bajwa vs CDGK (2010 YLR 2165), the petitioner filed a case stating that his right to life under Article 9 of the Constitution had been violated by the boundary wall of a neighbouring park which was of such a height that it allowed a person to look inside his home. The court supported the petition and held that the park and wall must be reconstructed such that the petitioner's privacy is not violated. The case affirms that the courts interpret Article 9 ("right to life") widely enough to be used to protect the right to privacy.

In M.D.Tahir v. State Bank (2004 CLC 1680), the Lahore High Court held that the practice of collecting the private information of bank holders and presenting them to tax authorities, without any allegation of wrongdoing was a violation of the right to privacy. The State Bank of Pakistan had previously issued a directive that called for the

collection, without any sustainable juridical criteria, of personal information like name, address, NTN Number and NIC Numbers of individuals who have obtained ten thousand rupees as interest. The directive was struck down and it was held that "taking of private information without any allegation of wrongdoing of ordinary people is an extraordinary invasion of this fundamental right of privacy."

Examples of data breaches

In 2010, the Shah Faisal branch of NADRA in Karachi reported a data breach in the form of a theft of "computers and other equipment", including hard drives, according to Alertboot Endpoint Security. The data breach was low-tech, and involved a physical break-in.

In 2012, a Turkish hacker claimed to have accessed NADRA's servers as well as those of the Federal Investigation Agency (FIA) by spawning backdoors. In 2014, NADRA received a report from the head of the ISI concerning the possibility of data leaks through the Pakistan government's reliance on third party companies database and verification software and hardware.

In 2017, a bug in the infrastructure of the Punjab Information Technology Board was reportedly responsible for a leak of thousands of Pakistanis' personal information, including CNIC numbers, the front and back of CNIC cards, CVs and other information.

Since at least 2014, databases have been illegally sold online. These contain hundreds of thousands of records with names, national ID card numbers, home addresses and phone numbers of mobile phone users. It is believed that this data is used primarily by mobile marketers to market their products. It is not clear how exactly this data is leaked, but it is speculated that it could be due to a combination of mobile service providers storing consumer data insecurely, as well as the possibility that employees within the companies themselves are leaking the data to those willing to purchase it. It is not clear whether the government has taken any action to combat these crimes.

Identification Schemes

ID cards and databases

The registration of personal data is widespread in Pakistan, and public opinion is for the most part in favour of it. This in part because recent terrorist attacks and ongoing political instability, and that many high profile news stories following these have attributed the security services' success tracking down criminals and terrorists to the storage of their information in National Database & Registration Authority (NADRA) databases.

Pakistan has one of the world's most extensive citizen registration regimes — over 96% of citizens reportedly have biometric ID cards.

In 2012 NADRA announced a so-called chip-based Smart NIC (SNIC) containing its owner's biometric photo, a computer chip, address and parental information. NADRA has said that it aims to replace all current CNICs with SNICs by 2020. A SNIC is necessary in order to open a bank account, get a new driver's licence, passport, broadband internet connection or a SIM card.

Biometric data collected by NADRA include iris scans, fingerprints (both hands), a photograph taken at a NADRA centre, and a scan of the citizen's personal signature. Given the scale of the task, NADRA has found itself at the heart of a number of controversies regarding the lack of proper checks and balances. There have been a number of reports of corruption at NADRA centres, where the biometric verification/application process can be bypassed. Serious misidentification errors can occur and forgery is rife.

In July 2016 NADRA introduced an SMS verification service, to investigate the validity of a citizen's own CNIC, as well as of those in their "family tree", i.e. anyone in their family linked to their CNIC. Although the government has declared this to be a positive step, it has come under fire as knowledge of one CNIC is enough to find out the personal information of other family members, which in turn can put them at risk. This is especially worrying in a country rife with persecution of religious, ethnic and LGBT minorities.

Voter registration

In August 2015, the Government of Pakistan's Election Commission coordinated with NADRA what they reported to be the first election via biometric verification of voters.

The election in a constituency in Haripur district was intended to be a pilot for future elections in other districts and nationwide. NADRA has indicated that this would be a positive means of tackling electoral fraud. There are concerns, however, that requiring biometric verification to vote may disqualify non-verified but legitimate voters from using the ballot. There is also the concern, as with pre-biometric registration, that the biometric verification exercise would not tackle voter intimidation effectively, and may in some instances would make it easier to intimidate voters. This is especially a concern in districts in Pakistan where votes can still be bought by village elders or landlords. In September 2017, the Election Commission also experimented with electronic biometric voting machines for NA-120 and NA-4 by-elections.

SIM card registration

The registration of personal data is widespread and enjoys a high level of popular support. Terrorist attacks have been cited by the government in its ongoing drive to ensure that all SIM cards are registered via biometric verification. For example, it was reported that the perpetrators of December 2014 attack on an army-run school in Peshawar in which 132 children were killed had used mobile phones with SIM cards that were registered to a woman who had no connection to any of the attackers, indicating that the SIMs had been registered fraudulently.

SIM cards must now be registered to their user. Unlike in most countries with mandatory registration, SIM cards are also biometrically verified against the National Database and Registration Authority's (NADRA) national database, often by fingerprint. The government plans to have all SIM cards biometrically verified. As of March 2015, 68.7 million SIMs had been biometrically verified out of 103 million SIMs in use at that time. Unfortunately, NADRA has not

provided up to date numbers since. However, there have been reports of corruption as well as honest incompetence on the part of the verification system resulting in some SIMs escaping being deactivated. This number has been shrinking however, given the aggressiveness of the re-verification drive.

Policies and Sectoral Initiatives

Cybersecurity policy

Cybercrime

Encryption

Encryption in the form of Virtual Private Networks (VPNs) and encrypted messaging apps is illegal in Pakistan, ostensibly for security reasons as, according to the Pakistan Telecommunications Authority, these "conceal communication to the extent that prohibits monitoring".

If a company or individual wishes to use encryption without being penalised, a formal request must be sent to the PTA and accepted. In 2015 Blackberry and its encrypted messaging service, Blackberry Messenger (BBM) were banned and asked to leave Pakistan, as Blackberry would not hand over access to its user base and servers. Blackberry was permitted to stay, although the details of the agreement have not been made public. The popularity of messaging apps that are encrypted by default, such as WhatsApp, or Apple's FaceTime and VPN services, have made enforcement of this ban on encryption difficult to impossible to implement. According to reports, however, certain messaging and VOIP services may eventually require a license to operate in Pakistan. It is extremely difficult to see how this would be implemented. There is concern that Pakistan may emulate the United Arab Emirates and Saudi Arabia, both of which have blocked WhatsApp voice calls and FaceTime calls.

Licensing of industry

E-governance/digital agenda

Over the past two decades, the federal government has laid out several plans and initiatives to promote the use of digital technologies in government services, including:

the National IT Policy and Action Plan of 2000;

the Electronic Government Directorate of 2002;

the promulgation of the Electronic Transaction Ordinance in 2002, to facilitate the use of electronic documents for official purposes;

the E-Government Strategy and 5-Year Plan for the Federal Government, published in 2005;

the National Information Technology Board, created in 2014 by merging the Electronic Government Directorate and the Pakistan Computer Bureau;

the announcement in 2014 that an e-government master plan is being formulated;

the announcement of the E-office initiative in 2015; and

the announcement that Pakistan joined the Open Governance Partnership (OGP) in December 2016, work on National Action Plan still in progress. However, the implementation of these plans and initiatives has been haphazard and unsustained due to political and other reasons. The official e-government portal, pakistan.gov.pk has been neglected in the past. The current form of the portal lists links to other government websites and pages to assist users in finding information related to government services. A large portion of those links are broken.

The quality of the websites of individual ministries and departments varies greatly depending on the enthusiasm and resources of the leadership of those departments at any given time. Most of the federal government websites do not use HTTPS/SSL, however, increasingly, those sites offering services that require users to log in to an account such as the Federal Board of Revenue's Taxpayer Facilitation Unit or the National ID card online application website are now using SSL.

The e-government services offered by the provincial governments vary in the same way. For example, the web portals of the governments of Punjab and Khyber-Pakhtunkhwa are better maintained with up to date information and the former also uses secure data protocol HTTPS/SSL.

All e-government services such as filing taxes or filing a complaint with an ombudsperson require users to provide their national identity card numbers.

Health sector and e-health

Privacy International is not aware of any specific privacy issues related to the health sector and e-health in Pakistan. Please send any tips or information to: research@privacyinternational.org

Smart policing

The Punjab government introduced "Hotel Eye Software" to link 500 hotels and guest houses with the database of Criminal Record Office. Information of all guests staying at the hotels and guest houses will automatically will be sent to the database to identify criminals. Other cities of the province will also be brought in the scope of this project.

Transport

The National Database and Registration Authority (NADRA), the government body responsible for issuing national identity cards, also offers an e-Vehicle Management System to other government departments and the private sector to make it easier for them to identify and track the movement of vehicles using RFID chips. The services offered by this system are:

1. The ability for government authorities to identify and track the movement of vehicles as they pass through road checkpoints;

2. The ability to identify a vehicle for the purpose of controlling access to a secured premises through designated gates; and

3. A way for road and highway authorities to quickly collect tolls from drivers through an electronic credit mechanism.

It is not clear if these services use NADRA's national registration database for identification and what security provisions are in place to control access to the data.

Motorway e-tags and m-tags

One of the places where this service has been deployed is on a number of motorways connecting Islamabad, Lahore and Peshawar (M-1, M-2, M-3, M-4). Drivers on these roads have the option of installing and RFID in their windshield which automatically deducts the toll fee from a pre-paid account each time they pass through a toll gate. Registering for this system requires drivers to provide their national identity card number.

Originally, tolls on the M-1, M-2 and M-4 were collected by the National Highways Authority (NHA) under the Ministry of Transportation using NADRA's e-tag system. However, since 2016, the tolls on all four motorways are collected by the Frontier Works Organization, an administrative branch of the Pakistan Army, using their own "m-tag" system that also uses RFID chips.

It was also reported in February 2016 that the NHA is considering other toll payment options such as the use of mobile phone or credit cards.

Metrobus

The metrobus mass transit systems implemented by the Punjab Government in Lahore, the twin cities of Islamabad and Rawalpindi and Multan also use RFID chipsto track the distance traveled by riders. Travelers have the option of purchasing either a single-use plastic RFID token for single-rides or a pre-paid RFID-base card for multiple trips. Travelers do not need to provide their national identity card number for either, and the only data needed is the traveler's first and last name in the case of the multiple-use card.

Smart cities

The federal government, through National Database and Registration Authority (NADRA) and Chinese company Huawei has implemented the country's first ever smart city project, the Punjab Safe City

project, in Islamabad and Lahore in 2016. Islamabad would receive 2,000 high-powered CCTV cameras enabled with Intelligent Video Surveillance technology, while the number of cameras for Lahore would be 8,000. The technology has facial recognition capabilities, and the network is integrated with NADRA's central database of the citizens containing other biometric data.

The Sindh government has also announced a Safe City Project for the country's financial hub and largest city Karachi. The Khyber-Pakhtunkhwa government has also been implementing a Safe City Project in Peshawar city. The Baluchistan government has also announced to implement a Safe City Project in Quetta and Gwadar.

Migration

In August 2017, the Ministry of State and Frontier Regions, and Afghan Commissionerate in collaboration with Afghan government Ministry of Refugees and Repatriations and the United Nations High Commissioner for Refugees (UNHCR) started registration of Afghan refugees across Pakistan. NADRA registered 2.8 million Afghan refugees and issued cards to 1.6 million of these. Around 840,000 refugees were repatriated to Afghanistan from Pakistan.

Emergency response

Privacy International is not aware of any privacy issues related to emergency response in Pakistan. Please send any tips or information to: research@privacyinternational.org

Humanitarian and development programmes

During military operations in tribal areas, the Federally Administered Tribal Areas (FATA) Disaster Management Authority in support of NADRA launched a campaign to verify citizens' identities to access emergency recovery support. Verification was subject to clarification by NADRA's citizen data and biometric verification. A Livelihood Support Grant and Child Wellness Grant have been established to help temporary displaced persons of FATA.

Social media

The government periodically launches crackdowns against social media. In May 2017, Interior Minister Chaudhry Nisar Ali Khan stated that anti-army content on social media would not be tolerated. The Federal Investigation Agency (FIA) has summoned several social media activists and questioned them. Some of them have also been charged under defamation clauses of PECA and Penal Code of Pakistan.

Blasphemy

Blasphemy is illegal in Pakistan; this is frequently given as a justification for increased online surveillance.

Anti-terrorism court in Pakistan sentenced a 30-year-old man, Taimore Raza, to death in June 2017 for publishing blasphemous content on social media. In another case, a Christian was sentenced with life imprisonment in September 2017 for sending blasphemous text messages. Another anti-terrorism court indicted four suspects for committing blasphemy on social media.

The government of Pakistan has sought to block Facebook pages and Twitter accounts, and obtain information on those accounts' owners. In March 2016, a Pakistani man was given a 13 year prison sentence for allegedly posting"religiously offensive material" on Facebook. Blasphemy carries either the death penalty, life or an extended prison sentence.

Between July and December 2016, according to Facebook's Global Government Requests Report, the Pakistan government had made a total of 1,002 requests for account information, with 67.56% of those requests resulting in "some data" being produced. Facebook also restricted access to 6 items of content "alleged to violate local laws prohibiting blasphemy and condemnation of the country's independence".

Location / Region / Locale Pakistan

Programme Building the Global Privacy Movement

Resource Type State of Privacy

Type of Intervention Research

Partner Bytes for All