The surveillance system keeping tabs on millions
• PTA-mandated Lawful Intercept Management System can retrieve data of any consumer, eavesdrop on voice calls and read SMSes
• Rights defenders concerned by revelations about system, its far-reaching implications
ISLAMABAD: Telecom companies operating in Pakistan are running a mass surveillance system which “enables interception of data and records of telecom customers” without any regulatory mechanism or legal procedures, on the orders of the Pakistan Telecommunication Authority (PTA).
This information came to light in an order of the Islamabad High Court in a case pertaining to the surveillance of citizens whose private phone conversations were recorded and subsequently released to social media. In the run-up to Feb 8 polls, several audio clips, including ex-PM Imran Khan’s and his spouse’s, were leaked on social media, prompting them to go to court.
According to the judgement, authored by Justice Babar Sattar, the court was told that telecom companies had been asked to “finance, import, and install” the Lawful Intercept Management System (LIMS) at a designated place (referred to as ‘surveillance centre’) for the use of designated agencies. The identity of these agencies, however, was not revealed to the court.
“From the surveillance centre, a designated agency initiates a track and trace request through the click of a button, in relation to any SIM or IMEI number or MSISDN identity belonging to a consumer… the request goes through the LIMS in an automated manner, which system is then connected with the network of telecom licensees.
“And without any human intervention, details of the SMS, call data reports and metadata are reported through a server into a monitoring centre established at the surveillance centre,” the order said, adding that through another server, the entire content of communication between the consumers undertaken through the network of the telecom licensee, including audio and video content and web page records, is shared with the monitoring centre.
Likewise, the court was informed that the data of any consumer could be surveilled and retrieved, voice calls heard and reheard and SMSes read. According to the court order, telecom licensees are under an obligation to ensure that up to 2pc of their entire consumer base can be surveilled through LIMS.
“…a mass surveillance system through which 2pc of all telecom consumers in Pakistan can be surveyed without any judicial or executive oversight… A rough estimation reflects that at any given time over 4 million citizens…can be surveilled…,” the judgement noted.
‘Mass surveillance system’
In light of these revelations, Dawn reached out to several digital rights experts, who appeared concerned about the harmful impact of an unregulated mass surveillance system. “I don’t think this kind of information was available to anyone that to what extent digital surveillance was going on,” said Nighat Dad while speaking to Dawn about the extent of the surveillance.
“There are some instances when surveillance can be allowed, but it has to meet a certain threshold for these criteria — legitimate aim, necessity and proportionality, transparency, and oversight — and LIMS violates all of this,” she said, adding that strict enforcement of the Fair Trial Act was needed for such an action.
Haroon Baloch, who works at Bytes for All, described LIMS as “a mass surveillance system that sets for the state agencies a panoptic lens over the citizens to monitor and track their movements by means of digital interception for unlimited time frame”.
He said LIMS could monitor traffic data travelling through telecommunication networks which is unencrypted, such as IP addresses, websites accessed, and browsing history. It can also be used to listen/read through the content data which is unencrypted, such as mobile calls, SMS, MMS, or any communication application data which doesn’t offer end-to-end encryption of the content data, he warned.
Tech and digital rights journalist Ramsha Jahangir was particularly alarmed by the secrecy surrounding this “unlawful” invasive system. She expressed concerns over its ability to “collect encrypted data (such as WhatsApp messages) and request tech companies to decrypt content”. However, it’s unlikely the companies would comply with such a request in the absence of a court order, she added.
Lawful surveillance
Sadaf Khan, co-founder at the Media Matters for Democracy (mmfd), said the Investigation for Fair Trial Act 2013 and the Prevention of Electronic Crimes Act (Peca) 2016 were the two main legal instruments that defined the legal procedures for initiating live surveillance.
“…what is common in both Investigation for Fair Trial Act and Peca, is that the investigation authority can only initiate such an action after getting judicial permission… such surveillance can’t go on for an unlimited period of time …,” she said in response to a question about mechanisms available for digital surveillance.
She said if surveillance was carried out under LIMS then it was done without due legal procedures.
“The ICT [police] has submitted that instead of asking for a warrant for surveillance under provisions of the Fair Trial Act, they simply asked for data under section 94 of CrPC. This is absolutely a stretch legally because as far as I understand Section 94 should apply to data/documents that are already there, not create the space for active surveillance,” she added.
Ms Khan added that having this system in place “does create security risk — think of how Nadra’s data was leaked, FBR’s data was leaked, Safe City’s data was leaked — it has been proven time and again that our institutes have security gaps that allow for the misuse of such systems”.
She, however, added that there was “really nothing in place that would deem the existence of this system illegal — we do not have a data protection law”.
Even then, this system has a lot of offline implications, particularly for journalists, rights defenders, and marginalised groups, said Haroon Baloch, adding that the system allowed the “security agencies to track their movements online and go after them”. He demanded judicial and parliamentary oversight mechanisms to hold government and telecommunication companies accountable and seek answers about the necessity and proportionality of mass surveillance for an unlimited timeframe.
Likewise, Nighat Dad, who also serves on Meta’s Oversight Board, called for the accountability of telecom companies, saying that they had failed their consumers and citizens for the sake of business, not only violating international obligations under UN principles, but also Pakistan’s Constitution.
“It is mindboggling to me how telcos in Pakistan do not feel the need to be transparent towards their own consumers. Any aggrieved party, who can be their consumer, can take these companies to court for violation of their right to privacy under Article 14 of the Constitution.” She, however, believed the disclosure of a mass surveillance system was “good for public interest information and it will help citizens to push for stringent privacy protection for their data and hold respective actors accountable”.
Published in Dawn, July 2nd, 2024