Without data protection & privacy laws, Internet can be misused
The ministry of information technology and telecommunication has published a deeply misguided notification announcing new rules to “protect” citizens against “online harm”. The rules are an egregious violation of fundamental human rights, including freedom of speech and the right to the Internet. For a government that has made much show of its digital mindset and cashed in on highly publicised initiatives for a “Digital Pakistan”, this move is in direct violation of all it claims to stand for.
Considering how backward the country otherwise is vis-a-vis the fourth industrial revolution, Pakistan has been remarkably adept at harnessing digital technologies for surveillance and psychological warfare. In previous op-eds, I have discussed the systematic use of human and bot-run accounts on social media for surveillance and harassment, as well as the exploitation — often by the state — of data footprints users leave online.
The citizen “protection” rules are the most recent in a long chain of events that illustrate how the state is expanding its surveillance apparatus. The inception of Pakistan’s e-surveillance programme can be traced back to the evolution of Nadra into a national registry and centralised database of all citizens.
Under the pretence of promoting security and access to services, Nadra has relentlessly crept deeper into our lives. The CNIC number is now linked to nearly everything we do, from banking services and purchasing activity, to SIM cards and travel, providing the state a holistic view of our lives.
The launch of the FBR-Nadra portal last year was a reminder that the state has no qualms in using the data it has collected as an intimidation tactic. To log into the portal, I first had to pay an application fee to access my own data. In addition to several other data points, the portal displays an account of my travel history and mobile phone billing history. My profile also states that “additional information is being collected”. There is no guidance on what this information is, why it must be collected, and how I can control my data.
This data has been collected without our informed consent. “Informed” is the operative word as, even when we agree to share our data, there is no way of knowing who it will eventually be shared with and what use it will be put to. Moreover, the word “consent” loses its meaning where non-compliance means exclusion from critical services. The portal is a failure as a solution to Pakistan’s tax collection problems. Its only achievement so far is as a shock-and-awe tactic instilling fear in a citizenry that has no right to privacy.
The Safe Cities project is an extension of this massive surveillance infrastructure. The Nadra website boasts the installation of “intelligent video surveillance” through which “the population and their activities are monitored”. The Safe Cities video footage integrates with Nadra’s database, allowing for facial recognition. The HEC is now implementing a version of this on campuses all over the country, through the Smart and Safe Campus projects.
The use of biometrics is also expanding, with fingerprints collection and facial and iris recognition technologies. In addition to their use by Nadra, financial inclusion and social protection programmes including BISP make use of biometrics for verification of beneficiaries. While there is a case to be made for the use of identification technologies to enable citizens to access social services, this must go hand-in-hand with strong legal frameworks for data protection and privacy.
The recent case of BISP fraud and the removal of “undeserving beneficiaries” from the database will serve as yet another justification for collecting more and more data. Citizens will continue to be treated with suspicion and reduced to data points, as they give up their right to privacy in attempts to prove their innocence and worthiness to avail basic rights.
For the vulnerable and poor who may have more immediate needs, many believe that privacy is not a concern; it is thought to be a “first world problem”. Research conducted by CGAP in India and Kenya has shown that the poor are particularly vulnerable to “lax data policies” and, contrary to popular belief, value their privacy and are willing to pay a premium to preserve it.
The citizen protection rules also show that the government is continuing on the misguided path of data localisation — demanding that social media companies store Pakistani users’ data in servers located in-country. Considering Pakistan’s track record with data protection and cybersecurity, this is alarming. In addition to surveillance and misuse of data by the state, reported data breaches such as the NSA accessing Nadra records are enough to believe that Pakistani authorities cannot be trusted with our data.
Data protection and privacy laws must be a cornerstone of the Digital Pakistan policy. Without a strong regulatory framework and legal protection, Pakistan’s citizens are, at best, excluded from the benefits of the Internet and, at worst, at serious risk of violation of their fundamental rights.
The Digital Pakistan initiative, launched by Prime Minister Imran Khan amidst much pomp and show, recognises the Internet as “a fundamental right” and promises “to ensure every Pakistani has access to the Internet”. However, moves such as the citizen protection rules make the initiative appear as a publicity campaign rather than a genuine attempt to harness the democratising power of the Internet for the good of the Pakistani people.
The protagonist of the Digital Pakistan initiative, Ms Tania Aidrus, with her experience at leading technology institutions, should be advising IT policymakers against such misguided policy changes. It is hoped she will help develop a more strategic and meaningful vision of how digitisation can empower the people of Pakistan rather than be used as a weapon against them.