Pakistani telecoms' murky policies put users' privacy at risk: report
The Digital Rights Foundation (DRF) on Friday released Telecoms Privacy & Data Protection Policies in Pakistan, a study that focuses on the privacy policies of major cellular telecommunications companies operating in in the country.
For the study, DRF developed scorecards rating the privacy and data protection policies of Mobilink, Telenor Pakistan, Ufone, Warid and Zong.
Key concern areas
After examining Mobilink's privacy policies, DRF found indications of the possible extent of customer data collected by Pakistani cellular companies.
"[Mobilink's] transparency [on data collection], while laudable, also highlights the amount of information that is possibly gathered by telecommunications firms as [a] whole in Pakistan, and that which needs to be protected by stringent data protection legislation," the DRF noted
"In addition to basic personal information – name, Computerised National Identity Card (CNIC) number, address, telephone number, email address, profession or occupation ...the policy goes further.
"'Usage', 'Traffic' and 'Location data' are also collected by Mobilink — however, the terms 'Usage' and 'Traffic Data' have not been given any definitions within the policy," the DRF noted.
If Mobilink's definition of 'location data' is any indicator, subscribers should take note.
The DRF found that Mobilink keeps an eye on 'the websites you visit and the online searches you perform', and 'the date, time and length of the calls and messages you send or receive through our network, and your general location at the time these calls and messages take place.'
Although telecom companies are generally more forthcoming about their usage of collected data for marketing, promotional and research uses, it is not clear which government department or investigative body can access the data held by telecommunication companies, who it can be passed on to and under what circumstances, the DRF noted.
This was true for all the telecom companies examined.
Summary
According to the DRF's rankings, Mobilink and Warid scored better than other telecom companies based on the availability and level of detail in their policies.
Telenor and Zong, on the other hand, scored poorly because of the lack of information they revealed and communicated to customers.
"Telenor Pakistan’s lack of a clear and detailed privacy policy specifically dealing with cellular telecoms data was made more glaring by the detailed measures undertaken by its parent company, Telenor Group," it added.
"As with Telenor, the availability of clearly laid-out and readily available privacy policies for websites in other territories where Zong’s parent company operates makes the absence of Pakistan-specific privacy policies that much more glaring and a matter of concern," the DRF noted.
Ufone ranked in the middle of these two groups, but the researchers said they still find the company's policies needing improvement and further elaboration.
Overall, the study also found inconsistencies with regard to the public availability of privacy policies, as well as an apparent lack of proper updates and oversight by the companies being studied.
None of the privacy policies that were available indicated an awareness of the passage of the 2016 Prevention of Electronic Crimes Act, the report noted.
It is very important that telecom users stay vigilant and make their companies accountable to standards of privacy and data protection, DRF says.
“It is the right of customers to know what their rights [are] not just in relation to the state, but also in relation to private companies, service providers and social media platforms,” Nighat Dad, the founder and executive director of DRF, noted in a press release accompanying the report.
According to the Pakistan Telecommunication Authority, there are approximately 135 million subscribers to cellular services in Pakistan, out of which nearly 35 million subscribe to mobile internet packages
This subscriber base is shared between a handful of companies, many of which are in turn owned — either wholly or via shares — by foreign stakeholders.
Digital Rights Foundation is a research and advocacy based NGO that works around issues of surveillance, privacy, internet governance and online harassment.