A recent Wikileaks revelation has reinforced the longstanding concerns of Bytes for All about insufficient data protection mechanisms available for safekeeping of Pakistani citizens' private data.
This statement was originally published on bytesforall.pk on 18 June 2017.
A recent Wikileaks revelation has reinforced our longstanding concerns about insufficient data protection mechanisms available for safekeeping of Pakistani citizens’ private data. According to the leak, the Pakistani government has facilitated an alarming amount of Pakistani citizens’ data to be taken away from National Database & Registration Authority (NADRA) servers due to potentially faulty data security measures.
According to WikiLeaks’ cable from 2009, the former government leadership during a visit to the United States Embassy in Islamabad offered Pakistan’s entire citizen biometric database to the United States government. As a result, United Kingdom and the U.S. set up a consultancy firm “International Identity Services” as a front, which was then commissioned as consultants for NADRA to steal its national identification database of millions of Pakistani citizens.
Recent leaks further highlight our long held concerns about lack of stringent and watertight security guarantees, and oversight and transparency mechanisms afforded both in law and procedures to NADRA’s critical data infrastructure.
It is pertinent to note that Bytes for All, Pakistan has already filed 11 Right to Information (RTI) requests with NADRA in September 2016, to which NADRA has yet to provide us any information, despite the case now being under process with the Federal Ombudsman for nearly six months.
In some of the RTIs, NADRA was asked to provide its data protection policies; Standard Operating Procedures (SOPs) which determine personnel and partner access to the citizen biometric database at any given point in the data cycle; the number of data centers and data servers which house Pakistan’s citizen identification database; the location of these servers both inside and outside of Pakistan; details of parties which have access to these servers; details of whether these systems were designed in-house or procured externally along with their import licenses; etc.
In the absence of a Privacy Commission in Pakistan, the citizen biometric database continues to be vulnerable to constant threats. To further aggravate this, there exists a weak precedent of accountability of NADRA as a public body. Considering that NADRA has yet to furnish its data protection policies in response to our RTI requests, it appears that the body may not have such policies in place to begin with.
Expressing grave concern over the continued insecurity of the NADRA database, and the continued unaccountability of its data sharing practices, we mobilize with this opportunity to call for an urgent investigation of the repeated data breaches within NADRA, including a legal trial of those involved in facilitating such breaches.
Furthermore, we urge the government to work towards setting up of an independent and well-resourced Privacy Commission in order to ensure constant oversight, transparency and implementation of strong safeguards to protect citizens’ data.
