Pakistan government’s alleged leaking of citizens’ private data is unacceptable

Islamabad, (June 18, 2017): A recent Wikileaks revelation has reinforced our longstanding concerns about insufficient data protection mechanisms available for safekeeping of Pakistani citizens’ private data. According to the leak, the Pakistani government has facilitated an alarming amount of Pakistani citizens’ data to be taken away from National Database Regulatory Authority (NADRA) servers due to potentially faulty data security measures. 

According to WikiLeaks’ cable from 2009, the former government leadership during a visit to the United States Embassy in Islamabad offered Pakistan’s entire citizen biometric database to the United States government. As a result, United Kingdom and US set up a consultancy firm ‘International Identity Services’ as a front, which was then commissioned as consultants for NADRA to steal its national identification database of millions of Pakistani citizens. 

Recent leaks further highlight our long held concerns about lack of stringent and watertight security guarantees, and oversight and transparency mechanisms afforded both in law and procedures to NADRA’s critical data infrastructure. 

 It is pertinent to note that Bytes for All, Pakistan has already filed 11 Right to Information (RTI) requests with NADRA in September 2016, to which NADRA is yet to provide us any information, despite the case now being under process with the Federal Ombudsman for nearly six months. 

In some of the RTIs, NADRA was asked to provide its data protection policies; Standard Operating Procedures (SOPs) which determine personnel and partner access to citizen biometric database at any given point in the data cycle; number of data centers and data servers which house Pakistan’s citizen identification database; location of these servers both inside and outside of Pakistan; details of parties which have access to these servers; details of whether these systems were designed in-house or procured externally along with their import licenses; etc. 

In the absence of a Privacy Commission in Pakistan, the citizen biometric database continues to stand vulnerable to constant threats. To further aggravate this, there exists weak precedent of accountability of NADRA as a public body. Considering that NADRA is yet to furnish its data protection policies in response to our RTI requests, it appears that the body may not have such policies in place to begin with.
 

Expressing grave concern over the continued insecurity of the NADRA database, and the continued unaccountability of its data sharing practices, we mobilize this opportunity to call for an urgent investigation of the repeated data breaches within NADRA including a legal trial of those involved in facilitating such breaches.

Furthermore, we urge the government to work towards setting up of an independent and well-resourced Privacy Commission in order to ensure constant oversight, transparency and implementation of strong safeguards to protect citizens’ data. 

_______

1. https://tribune.com.pk/story/1429538/wikileaks-tweets-reminder-us-uk-sto...

2. http://rtirequests.pk/subject-of-rti-request-national-database-and-regis...

3. https://www.dawn.com/news/1290534

--END--

About Bytes for All, Pakistan:

Bytes for All (B4A), Pakistan is a human rights organization and a network of Information and Communication Technology (ICT) professionals and practitioners. It experiments and organizes debate on the relevance of ICTs for sustainable development and strengthening social justice movements in the country. Its mission is “ICTs for development, democracy and social justice”. www.bytesforall.pk