Pakistan’s track record on data protection seems to be getting worse. For some time, rumors of identity data theft have been circulating online. Apparently, some websites and mobile apps hand over a person’s identity details (name, CNIC number, and address) as soon as a visitor enters a mobile phone number. Now it seems that those rumors are true, as BR Research verified the scheme of things in the case of one such website.
This sort of malicious activity has been going on for a while. Over at YouTube, dozens of videos are available that “educate” viewers in Urdu on how to access the personal information of just about anyone by simply using a mobile phone number, and in some cases a CNIC number. These videos, some of which date as far back as 2017, have racked up hundreds of thousands of views online. Most of the links advertised in these videos are masked behind seemingly innocuous websites. A few of the websites are blocked in Pakistan, but they can still be reached through a VPN (virtual private network).
Sources tell BR Research that stolen identity data keep cropping up online from time to time. While the origin(s) of the leaks is far from certain, it is clear that the breaches involve two major data collectors: NADRA (which holds the CNIC database) and the telecom companies (which hold the subscriber databases keyed to mobile numbers). What complicates the situation is the linkage of NADRA’s and telcos’ databases with other government departments and financial institutions. This data “sharing” boomeranged in 2018 when the Punjab IT Board’s (PITB) internal citizen database was reportedly compromised and ended up being bought and sold online.
There is also speculation that large-scale identity data leaks started in the wake of the massive, government-mandated exercise of biometric verification of mobile phone SIMs back in 2014 and 2015. It has been previously reported that telcos’ internal controls failed to stop unscrupulous individuals within their ranks from accessing and selling identity data. Such unethical practices are also suspected in the banking sector, where it is not difficult for rogue employees to compile, leak or sell data on high net worth individuals.
It is possible that the leaks originate from multiple sources. However, the authorities, especially those who collect such data in the first place or oversee the companies that collect it, need to investigate the issue seriously rather than playing whack-a-mole. Instead of undertaking piecemeal crackdowns, they must crack open the source(s) of the leaks, explain how it all happened, and then hold the culprits accountable in plain view. It is troubling in the extreme that the private, offline identity information of potentially millions of users has ended up online. The consequences can range from mild harassment to identity theft, especially for women and other vulnerable demographics.
Meanwhile, the situation is an emotional gut-punch for those who have seen their personal information posted in dark corners of the web. Under the Constitution’s Article 14(1), citizens have a right to dignity and privacy. However, the affected people don’t really have a legal recourse. The Prevention of Electronic Crimes Act (2016) deals with “identity theft” but not with personal “data protection” per se. In other words, there is legal recourse only after stolen or leaked data has been used to commit fraud or other crimes.
The Personal Data Protection Bill (2018), for its part, is still stuck in draft-legislation mode. This bill needs to be improved, as there is criticism that it doesn’t go far enough to hold government authorities responsible if citizens’ data is leaked or stolen from their end. While this whole scenario has obvious implications for citizens’ right to privacy, a weak regulatory regime also hinders the ability of global e-commerce platforms to operate in Pakistan.
Globally, the EU’s General Data Protection Regulation (GDPR) and California’s digital privacy law offer a proactive template for other countries to improve their data protection regimes. These laws ensure that tech and telecom companies are held accountable for their practices when it comes to the collection, storage, usage, and sharing of personal user data. Next door, India is modeling its data protection regulations on the lines of the GDPR.
It is a good idea to follow global best practices and try to avoid the hazards associated with digital products and platforms. Over time, Pakistani companies may be required to raise their data protection practices to the level of the EU’s GDPR if they are to continue doing business with that region. In short, if data protection rules are vital for individual privacy today, very soon even the economy may come to depend on them.
The previous government’s Digital Pakistan Policy (2017) had included a proposal for a data protection law to safeguard online privacy and personal data. Under the current government, the recently-formulated Digital Pakistan strategy does not include “digital security” among its key pillars. Can Pakistan really have a digital future in circumstances where it is open season on confidential personal information? It is high time to put citizens at ease by bringing in a strong regulatory framework on data protection.