Cyber insecurity

Existing laws on cyber security need a rethink to fight against crimes involving identity theft

Numerous data breaches have taken place in Pakistan in recent years, which point towards the need for the country to rethink its cyber security strategy in the fight against identity theft. Pakistan needs to place the development of robust data protection and cyber crime laws at the centre of a broader cyber security strategy that brings the rights of citizens to the forefront.

Human rights defenders have long argued that cyber security frameworks must always include data protection laws to prevent breach and misuse of citizens’ confidential data.

Privacy is no longer interpreted from a “data security” standpoint alone. It has co-evolved with the advancement of information and communication technologies and is now a key focus in the debate on government-held centralised and digitised databases. National identity card schemes such as NADRA and India’s Aadhaar card, the world’s largest centralised citizens’ database, illustrate the large-scale and long-term privacy implications inherent in such systems.

Leaks of government-held databases also remain the biggest contributor to identity theft-related crimes in Pakistan.

A record increase has been witnessed in data leaks from NADRA, largely owing to the integration of its centralised database with vulnerable e-government mobile apps and other public bodies. Despite that, the state has failed to legislate on the question of personal data protection and has generally excluded it from the cyber security legal landscape.

With that in mind, we must recognise the vulnerabilities in our identity architecture, which is based on a single identity system, the CNIC, and the privacy implications that accompany it, especially when they result in the loss of critical amounts of confidential data — to foreign agencies and non-state actors — which can then be used to misappropriate identities or create synthetic ones.

The Punjab Information Technology Board’s (PITB) alleged data leak in 2018 is estimated to have constituted the largest breach of personal data in Pakistan’s history. It allegedly compromised the personal data of millions of citizens, resulting in an alarming increase in identity-theft crimes. No disclosure of the breach was ever made to those affected, and nothing was done to ‘de-identify’ them by allotting them new CNIC numbers or cards. The stolen data is still being sold over WhatsApp and Facebook by groups of criminals for as little as $1-2.

Despite the provisions contained in the NADRA Ordinance (2000) on “ensuring security, secrecy and necessary safeguards for protection and confidentiality of data … at individual as well as collective level” and criminal penalties for “breaching the security or secrecy of data”, NADRA made no effort to stop the dissemination of the stolen data, nor has it filed any complaint to initiate criminal proceedings against the perpetrators. This leaves the victims with no protection at all.

Recently, a mobile phone app and a website called Pakistan SIM tracker surfaced online. They are synchronised with a database (created as a result of a leak) which contains confidential details of CNIC holders and can be used to look up SIM card users’ names, addresses and other CNIC details simply by typing in their mobile numbers.

Another cause for concern is the abuse of state-led mass monitoring and data collection of citizens through initiatives like the Punjab Safe Cities Authority (PSCA), which are equipped with invasive modern technology, including CCTV cameras integrated with NADRA’s citizens’ database, and are extremely susceptible to abuse. Recently, images of couples in their personal vehicles were leaked online, identifying them and their vehicles through their registration numbers. Despite that, no action was taken by the PSCA to ensure that this does not happen again. The victims did not initiate any action either, as the damage was already done. Besides, victims hardly ever initiate proceedings against authorities for breach of privacy, particularly because of the absence of clear laws, the lack of awareness around them and the general populace’s view of the efficacy of judicial processes.

The above examples illustrate why the onus of ensuring that robust security mechanisms are in place to mitigate the risk of cyber attacks must lie with data controllers, handlers and processors.

The Prevention of Electronic Crimes Act 2016 (PECA), to an extent, touches upon a similar theme albeit strictly in the context of identity-theft related cyber crimes.

Although not defined under the PECA, a generally accepted definition of identity theft covers criminal acts where the perpetrator misappropriates and uses another person’s identity, or parts of it, or creates a synthetic identity from it, in order to commit further crimes.

The Personal Data Protection Bill, which has been drafted by the Ministry of Information Technology, is a welcome step, as a concept. However, it is also a futile exercise in that it does not safeguard our personal and sensitive personal data against breaches by public bodies, including the NADRA.

The bill contains wide loopholes for data controllers in the form of exemptions; for instance, it allows data subjects to opt out of the consent requirement through contractual terms, which both public and private bodies can easily use to exclude large amounts of data from the protections provided by the bill.

Further, the exception allowing controllers not to notify data subjects where a breach is “unlikely to result in risk to the rights and freedoms of natural persons” is extremely vague; it leaves the decision to the data controller’s subjective judgement and lets it bypass accountability.

This means that even if the Personal Data Protection Bill becomes law, breaches committed by public bodies like the ones mentioned above could not be pursued by victims to hold those bodies accountable for such blatant privacy violations.

Most of the identity theft-related crimes can be linked to the multitude of data leaks associated with government bodies over the years. This is precisely why they must be brought under the ambit of law.

The writer is a lawyer and currently works at the Digital Rights Foundation