A RECENT order by the Islamabad High Court (IHC) in the audio leaks case now establishes on record what was surmised all along: no warrant has ever been sought under the Investigation for Fair Trial Act, 2013, for surveillance. This is important because it goes to the heart of lawmaking in an environment where draconian laws are routinely enacted and overbroad powers are written into them for the executive with the ruse of judicial oversight presented as an adequate safeguard. The executive overreaches and no ‘safeguard’ in the law prevents it from doing so in practice, absent a rule of law environment and any enforcement of existing checks in the law and Constitution.

Here’s a law that was presented as a check on the executive’s surveillance powers. Surveillance of citizens is the norm and the existence of a legal framework to check this practice has proven to be wholly ineffective. The fact that no warrant has been obtained in 11 years, points to a culture of impunity where the executive, in all these years, has felt brazen enough to carry out surveillance and not fulfil legal requirements — because who is going to hold them to account for it?

Who allows the executive to get away with excesses if not the judiciary? Courts are not in the habit of holding the executive to account — there are very few exceptions — especially when it’s about access to citizens’ data and devices for ‘investigation’ or ‘national security’.

Everyone rides on the assumption that the executive must and can conduct surveillance or access data. Lawful or not, this practice has been normalised. When was the last time that a warrant for search and seizure, disclosure of content data or court permission for real-time collection and recording of data under the Prevention of Electronic Crimes Act, 2016, was sought? Yet, the seizing of devices, accessing data on them and admission of such ‘evidence’ in court is a common practice. The doctrine of necessity mostly prevails. Requirements in the law for warrants, due process, reasoned orders, are ignored as though these are mere asides. Why then would the executive feel compelled to abide by checks which the judiciary itself does not enforce?

Various filtering and surveillance technology has been purchased and put to use in Pakistan.

But even if warrants are sought, can they check technology which monitors in real-time and at scale? Such is the insidious nature of technology, once procured and operationalised, how exactly will warrants and judicial oversight apply? Who is checking on a minute-by-minute basis, who is being surveilled, to what degree and what end? What capacity do courts have to understand the tech involved and its implications on privacy? What on-paper guardrails can possibly extend to such technology?

The ‘Lawful’ Intercept Management System, which is rightly referred to as a surveillance centre in the IHC order, is not shocking because everyone knows this is happening. Back in 2013, in a hearing before the Sindh High Court, a lawyer representing a telco insisted before the bench that systems had been deployed and data was handed over to the government, so why did they block their services?

But who uses an open line to speak if they can avoid it? SMSes are obsolete for day-to-day communication and, for the most part, serve primarily as a junk folder for spam advertisements. So how are calls and messages through encrypted channels being monitored and recorded? Is it by targeting devices of individuals or more broad based? Through what methods?

The real question here is what is happening with encrypted data. The order notes: “To the extent that any encrypted material (created through use of mobile apps, etc.) forms part of the consumer data, the encrypted material is also shared with the monitoring centre at the Surveillance Centre. The Lawful Intercept Management System does not provide automated means to decrypt such encrypted data. But requests for decryption can be made to the relevant company that owns the social media application.”

But it’s the company route that the state has also sought to circumvent by procuring and deploying technology to access, monitor and decrypt data. They want direct access and these aims are also reflected in proposed legislation — ironically — the Personal Data Protection Bill.

Over the years, various filtering and surveillance technology has been purchased and put to use in Pakistan. In 2012, a tender was floated to procure a national URL filtering system. Ultimately this was shelved, but these aspirations were not. In 2013, Citizen Lab reports revealed the presence of Netsweeper and FinFisher in Pakistan. In 2019, Sandvine’s deep packet inspection technology was deployed. This year, press conferences by the caretaker set-up mentioned upgrading of web-monitoring systems. A mere Google search throws up various procurement documents on the Pakistan Telecommunication Authority’s website. In recent weeks, there has been much speculation around a firewall that seemingly has been installed — allegedly with help from China. Pakistan has long aspired to take the China route in terms of information control and monitoring of society.

What has come up in relation to the firewall is its ability with respect to encrypted content because such filtering is not limited to content but veers into the sphere of data privacy. Decrypting or breaking encryption from the outside would mean breaking through transport layer security which is not limited to certain data or platforms, but everything flowing through the network making it insecure and affecting secure transactions whether entering passwords or banking information.

Several questions arise. What is happening to encrypted data flowing through Pakistan’s networks, at what scale and through which tech tools? With whom does the legal authority to procure invasive technology lie — if at all — to monitor and decrypt data: through which legal instrument? Is what is ‘legal’ also constitutional or right?

The writer is a co-founder of Bolo Bhi, an advocacy forum for digital rights.

Published in Dawn, July 6th, 2024