BR Research

Digital Pakistan without digital security?

Published March 5, 2020

Pakistan’s track record on data protection seems to be getting worse. For some time, rumors of identity data theft have been circulating online. Apparently, some websites and mobile apps give away a user’s identity (a person’s name, CNIC number, and address) when a visitor enters a mobile phone number. Now it seems that those rumors are true, as BR Research verified this in the case of one such website.

This sort of malicious activity has been going on for a while. Over at YouTube, dozens of videos are available that “educate” viewers in Urdu on how to access personal information of just about anyone by simply using a mobile phone number, and in some cases a CNIC number. These videos, some of which date as far back as 2017, have racked up hundreds of thousands of views online. Most of the links advertised in these videos are masked under seemingly scrupulous websites. A few websites are blocked in Pakistan, but they can be accessed directly through a VPN (virtual private network).

Sources tell BR Research that stolen identity data keep cropping up online from time to time. While the origin(s) of the leaks is far from certain, it is clear that the data breaches concern two major data collectors: NADRA (which holds the CNIC database) and telecom companies (which hold the mobile number database). What complicates the situation is the linkage of NADRA’s and telcos’ databases with other government departments and financial institutions. This data “sharing” boomeranged in 2018 when the Punjab IT Board’s (PITB) internal citizen database was reportedly compromised and ended up being bought and sold online.

There is also speculation that large-scale identity data leaks started happening in the wake of the massive, government-mandated exercise of biometric verification of mobile phone SIMs back in 2014 and 2015. It has been previously reported that telcos’ internal controls failed to stop unscrupulous individuals within their ranks from accessing and selling identity data. Such unethical practices are also suspected in the banking sector, where it is not difficult for rogue employees to compile, leak or sell data of high net worth individuals.

It is possible that such activities are taking place from multiple sources. However, the authorities, especially those who collect such data in the first place or oversee companies that collect such data, need to seriously investigate the issue rather than playing whack-a-mole. Instead of undertaking piecemeal crackdowns, they must crack open the source(s) of such leaks, explain how it all happened, and then hold the culprits accountable in plain view. It is troubling in the extreme that potentially millions of users’ private, offline identity information has ended up online. The consequences can range from mild harassment to identity theft, especially for women and other vulnerable demographics.

Meanwhile, the situation is an emotional gut-punch for those who have seen their personal information posted on dark corners of the web. Under the Constitution’s Article 14(1), citizens have a right to dignity and privacy. However, the affected people don’t really have a legal recourse. The Prevention of Electronic Crimes Act (2016) deals with “identity theft” but not with personal “data protection” per se. In other words, there is legal recourse only after stolen or leaked data has been used to commit frauds and other crimes.

Meanwhile, the Personal Data Protection Bill (2018) is still stuck in draft-legislation mode. This bill needs to be improved as there is criticism that it doesn’t go far enough to hold government authorities responsible if the citizens’ data is leaked or stolen from their end. While this whole scenario has obvious implications for the citizens’ right to privacy, a weak regulatory regime also hinders the ability of global e-commerce platforms to operate in Pakistan.

Globally, the EU’s General Data Protection Regulation (GDPR) and California’s digital privacy law offer a proactive template for other countries to improve their data protection regimes. These laws ensure that tech and telecom companies are held accountable for their practices when it comes to the collection, storage, usage, and sharing of personal user data. Next door, India is modeling its data protection regulations along the lines of the GDPR.

It is a good idea to follow global best practices and try to avoid the hazards associated with digital products and platforms. Over time, Pakistani companies may be required to raise their data protection practices to the level of the EU’s GDPR if they are to continue doing business with that region. In short, if data protection rules are vital for individual privacy today, very soon even the economy may start depending on them.

The previous government’s Digital Pakistan Policy (2017) had included a proposal for a data protection law to safeguard online privacy and personal data. Under the current government, the recently-formulated Digital Pakistan strategy does not include “digital security” among its key pillars. Can Pakistan really have a digital future in circumstances where it is open season on confidential personal information? It is high time to put citizens at ease by bringing in a strong regulatory framework on data protection.
