Is Nadra keeping your biometric data safe?
Pakistan maintains one of the world’s largest centralised citizen databases, which continues to expand at an unprecedented rate. This mammoth task sounds impressive, but it also raises concerns about the vulnerability of our data.
There is no denying the database’s utility. Multi-layered digitisation of big data can offer guarantees for greater transparency. Indeed, in the best-case scenario, sophisticated mobilisation of big data can refine the state’s service delivery mechanisms.
The Benazir Income Support Programme (BISP), for instance, is one biometric transition success story in Pakistan.
The BISP’s increasing automation reflects how biometric verification of credentials acknowledges the non-static, dynamic nature of data. The programme facilitates nearly 5.3 million women in accessing welfare support through real-time thumbprint recognition.
On the other end, insufficient legal safeguards to curb abuse of surveillance knowledge by law-enforcement agencies (LEAs) raises red flags.
These concerns are not unfounded considering the exceedingly vigilant security regime under which rights defenders, citizen activists, and journalists operate in Pakistan’s data territory.
Given the size of biometrically-contained human records in the National Database and Registration Authority (Nadra) repository and the extent to which data-sharing occurs across, between, and beyond government agencies and LEAs, the scale of this vulnerability is likely to be huge.
Read: CNIC re-verification hit by major technical snag
With Computerised National Identification Cards (CNICs) as testaments of having our consolidated biometric data stored with principally a single entity; and with an inevitably recurrent use of this CNIC and of biometrically-registered SIM cards while conducting our daily consumer mobility and monetary interactions, the ideals of free movement and of unmonitored human communication for the citizens, are breached in their fundamental.
It can be rationally imagined that only when surveillance on communications is regulated exhaustively and when limitations on the jurisdiction of this surveillance are very thoroughly defined – which is possible when there are efficient legal protections accessible to all citizens indiscriminately – the privacy of citizens and the democratic guarantees that their personal data are not exploited, will not be threatened.
The desperate need for biometric data management
The simple fact is that biometric data management is yet to mature.
Accidental data leakage, forgery with identification documents leading to identification theft and duplication, and inaccuracies in the handling of even legitimate documents, are insecurities of scale and have incredible damaging externalities.
Risks associated with these externalities become more profound in the intricate dynamics — including a refugee management crisis, an overwhelming population, and a climate of intense censorship — of countries like Pakistan.
These challenges are exacerbated when infrastructure and staff competencies in the use of biometric technology are not adequate and thorough.
Explore: Afghan refugees’ children can’t get CNICs: Nisar
Opportunities which biometric data amassment has to offer, merit a pragmatic acknowledgement of existing structural and legal voids which prevent the prioritisation of the protection of individual privacy, and which continue to generate pressing questions on the efficacy of this technology for public development and responsive governance.
Mass-scale surveillance and the law
In Pakistan, the space for an autonomous Privacy Commission gains prominence to respond to the critical need for the examination of an exceptionally large surveillance data.
This need grows further in the scenario where the government is investing heavily in mass-scale digital surveillance of its citizens and visitors through projects like the Punjab Safe Cities Project (PSCP).
The PSCP will reportedly have more than 8,000 cameras installed across its premises, and is now being extended to include Rawalpindi, Multan, Gujranwala, and Faisalabad.
Similarly, the Islamabad Safe City Project (ISCP) gives LEAs sweeping intrusive powers through 24 hours of intensively-networked, real-time virtual monitoring with around 1,800 high definition Huawei CCTV cameras worth over Rs13 billlion installed in the capital city and connected to Nadra’s centralised biometric repository.
As shared by ISCP project director Dr Tahir Akram with Dawn, the project’s command centre will be able to “monitor every car coming out of any residential sector in Islamabad”.
Read: Operators to spend more on Sim verification drive
This arrangement between safe city projects and Nadra affords the kind of arbitrariness to data handlers that pervasively encroaches on the civil freedom of sociopolitically vulnerable sections of the citizenry, to claim anonymity.
It therefore becomes important to question what guarantees are being supplied for the protection of this surveillance data during its retention with Nadra, and what extent of this retention carries involvement of Huawei’s equipment.
Prevention of Electronic Crimes Act, 2016 and the way forward
The recently-enacted Prevention of Electronic Crimes Act (PECA, 2016) further legitimises the demand for independent data protection authorities and an increased jurisdiction of the National Commission for Human Rights as also outlined in the 2015 Charter of Demands jointly prepared by digital rights organisations Bytes for All, Pakistan, and Media Matters for Democracy.
Simultaneously, it is crucially significant that the data-handling and investigative capacities of FIA’s National Response Centre for Cyber Crimes, are rapidly evaluated and optimised. This will ensure that PECA is enforced keeping in view the local dynamics where the government has still not rolled out enough campaigns for the purpose of educating the cyberspace occupiers in the country about the legal implications of this law on their cyber rights and responsibilities.
A glaring void currently exists between the extensive criminalisation of the Internet landscape that PECA’s enactment has mobilised into law and the public’s nascent information and comprehension of the intricacies of its legalities.
Equally concerning is that PECA’s language contains considerable opportunity for the subjectivity of the investigating regulator to claim a determinant jurisdiction.
Explore: The state bytes back: Internet surveillance in Pakistan
In the backdrop of Pakistan’s dictatorial history with digital censorship and the political exploitation of the blasphemy law, to invest potentially unmonitored authority in a regulatory body, will make the ambiance of cyber expression only more precarious.
To refer to PECA as ‘archaic’ is no exaggeration.
In its quite expansive coverage and criminalisation of cyber activism, it criminalises the act of whistleblowing. It also makes highly controversial way for a warrantless collection of one’s personal digital data and its reproduction to Pakistan’s foreign cooperation partners.
With now a fiercer surveillance regime in place, Pakistan currently experiences one of the world’s most desperate urgencies to ensure the presence and preparedness of an assertive oversight and transparency regime.
In terms of transparency, it is expected of the federal and provincial governments to educate the public on the use of their Right to Information for greater documentation on surveillance practices, to be brought into the public domain.
Shaheera Jalil Albasit is a youth policy researcher and practitioner, currently working with a human rights and advocacy organisation Bytes for All. She is the founder of youth-led project The Open Discussion Forum (TODF) and has previously represented the project at the UN's First Global Forum on Youth Policies in Azerbaijan.
The views expressed by this writer and commenters below do not necessarily reflect the views and policies of the Dawn Media Group.