All Posts in Human Rights & Technology

April 21, 2015

New Cybercrime Bill Threatens the Rights to Privacy and Free Expression in Pakistan

ARTICLE 19 and Digital Rights Foundation Pakistan have serious concerns about measures contained in Pakistan’s proposed Prevention of Electronic Crimes Bill (‘PEC Bill’). The Bill contains a number of provisions that, if implemented, would violate the rights to freedom of expression and privacy. We urge members of the Senate of Pakistan to reject the Bill and call on the Pakistani parliament to ensure that any new cybercrime legislation is fully compliant with international human rights standards.

In our joint legal analysis, ARTICLE 19 and Digital Rights Foundation Pakistan address the following concerns:

  1. Power to manage intelligence and issue directions for removal or blocking of access of any intelligence through any information system

  2. Overbroad offences against misuse of computers and lack of public interest defence

  3. Glorification of an offence and hate speech

  4. Overly broad cyber-terrorism offence

  5. Offences against dignity of natural persons

  6. Offences against modesty of a natural person and minor

  7. Cyberstalking

  8. Spoofing

  9. Criminalising the production, distribution and use of encryption tools

Read more information, including our recommendations, in the PDF below:

Pakistan Cyber Crime Joint Analysis

 

September 10, 2014

Turkey with its 29 Tweeters Still Behind the Bars Makes IGF ’14 Quite an Ironic Event

As we close off the Internet Governance Forum 2014 here in Istanbul and as I leave for Lahore, I can’t help but feel that this year's IGF kept up its tradition of the past few years of being a "talk-house", producing no tangible actions. Sponsored by the United Nations, the IGF hosted some 3,000 government, corporate, and civil society leaders and representatives, making it a perfect venue for talking about difficult challenges, moving forward and making decisions. The event is organized every year to help shape the future of the Internet; however, it feels as if this yearly reunion is drifting away from the actual problems concerning the people of the Internet, especially in authoritarian countries.

The IGF certainly retains its singular, prestigious place for highlighting challenges in an open-ended consultative process, enabling civil society and individuals to voice their perspectives and concerns during the conference. However, it was felt throughout the civil society community that government officials weren’t keen on engaging in a dialogue about serious concerns over unfortunate events that have happened in their respective countries.

Since the forum was hosted in Turkey, it was an important place to discuss internet governance, where government officials could have set a precedent for digital governance elsewhere. Turkey’s prosecution of 29 Twitter users has been a global example for the repressive regimes. The government prosecuted these tweeters, who are being tried in Izmir and face up to three years in jail for posting critical tweets during last year’s protests. Turkish officials framed the charge in this case as one to “incite the public to break the law”. It is a starkly hypocritical stance for the government to host one of the most important internet governance events in the country while censoring and harming freedom of speech online domestically.

To talk about repressive regimes’ ruthless behavior towards human rights activists and the silence of the government officials at the IGF, a group of civil society members and individuals hosted another conference during the IGF week. Titled the Internet Ungovernance Forum, the conference was organized to demand a free, secure, and open internet with fundamental freedoms, openness and net neutrality. In a vivid example of the increasing lack of empathy at the IGF, this group of Turkish activists wasn't allowed to attend the conference. The Ungovernance Forum's stakeholders held that, because various governments that “don’t deserve” representation at a forum like the IGF are represented there, the Ungovernance Forum is designed to talk about the most important issues, create a space to raise the voices of civil society members and common people, and then solve these problems while working towards a path for action.

Participants at this year's IGF also felt an evident gender gap especially during the opening ceremony. Freedom House presented this statement about the lack of gender equality at IGF 2014:

The 2014 IGF included numerous workshops on topics of human rights, including freedom of expression, gender, privacy, and access. Yet the value of this enterprise is undermined when governments can use the IGF to promote themselves, but civil society groups are forbidden by the ad hominem principle from criticizing them. Likewise, gender equality cannot genuinely be discussed when the vast majority of individuals at high-level meetings, delivering speeches, and participating on workshop panels are men. Access also cannot be addressed when remote participation fails to adequately provide two-way discussion from those who cannot attend in person. The IGF should include these voices not only to promote multistakeholderism and inclusion, but also to improve the quality of discussion and the prospects for solutions.

The active participation of civil society members and individuals in the Ungovernance Forum shows the sheer disappointment felt in the fraternity after attending an IGF in Turkey that failed to acknowledge its own domestic internet governance challenges. While we may dream of creating a better future for the Internet and its citizens, it is of the utmost importance to talk about the most pressing issues when it comes to the online freedom of dissidents and common people. The host country's failure to answer the hard questions put by journalists only undermines the importance of freedom of speech online. Unless repressive regimes are ready to talk about their internal issues and their lack of empathy towards their own citizens, it is only ironic to see such states having an incredible part in the future of the Internet. God forbid how oppressive and censored that future is to be.

 

August 22, 2014

Pakistan is a FinFisher customer, leak confirms

In the first week of this month, someone hacked into the servers of FinFisher, the notorious surveillance software maker, which was reported to have two command and control servers inside Pakistan last year. The hackers got hold of whatever they could find on the server and leaked it as a torrent. The 40Gb torrent contains the entire FinFisher support portal including the correspondence between customers and the company staff. It also contains all the software that the company sells as well as the accompanying documentation and release material.

What is FinFisher?

FinFisher is a company that sells a host of surveillance and monitoring software to government departments. The primary software, FinSpy, is used to remotely access and control the computers or mobile phones belonging to the people being spied on. The company offers several methods to install FinSpy, which range from a simple USB device that can infect a computer to attaching the trojan directly to legitimate files as they are being downloaded, by means of a kit installed at the ISP. The whole FinFisher toolset is designed to give the people buying this software access to emails, web browsing history, and any other activity performed by the “targets.”

Is Pakistan a FinFisher customer?

Apparently, yes. A University of Toronto-based research group called Citizen Lab released a report last year identifying two FinFisher command and control servers on the PTCL network. But this recent leak gives us a more complete and conclusive picture. The leaked support portal tells us that someone from Pakistan in fact licensed three software products from FinFisher for a period of three years. The systems Citizen Lab identified were probably the computers hosting the FinSpy server program and were merely using a PTCL DSL connection. PTCL, the company, we think was not involved. If not PTCL, then who? It could be anyone, but since FinFisher only sells this software to government agencies, it was most likely one of the many intelligence agencies operating within the Pakistani government.

In one of the “critical” support tickets that we have extracted from the FinFisher support portal, someone identifies their name (redacted in this article) and location (Pakistan) and complains that their problems are not being addressed through Skype (which we presume was the primary way FinFisher provided help to its customers). The FinFisher database identifies the said customer with the username 0DF6972B and ID 32.


What was purchased?

After that clue, we looked further into the purchase history of Customer 32 and their correspondence with FinFisher staff and found out that they have licensed not one but three software products from the spy software maker. The primary software, FinSpy, is used to target people who “change location, use encrypted and anonymous communication channels and reside in foreign countries.” After FinSpy is installed on a computer or a mobile phone, it can be, according to the product brochure, “remotely controlled and accessed as soon as it is connected to the internet/network.”

In addition to FinSpy, Customer 32 also purchased another product called FinIntrusionKit to hack into hotel, airport, and other wifi networks to catch “close-by WLAN devices and records traffic and passwords”, extract “user names and passwords (even for TLS/SSL encrypted sessions),” and “captures SSL encrypted data like webmail, video portals, online banking and more.” The third product is a tool to infect USB devices so that whoever plugs them in becomes a target of surveillance.


How does Pakistan FinFish?

From the support tickets filed by Customer 32, we also get to know that whoever in Pakistan purchased FinFisher used it, for instance, to infect harmless MS Office documents, particularly PowerPoint files, and sent them to people they wanted to spy on. The simple act of opening the infected files led to their computer being put under constant surveillance, including emails, chats, and other activity.


Customer 32 also used FinFisher to covertly steal files from the “target” computers. All the files of those who were targeted were readily available but Customer 32 wanted more, as outlined in another support ticket: “the agent be able to select files to download even when the target is offline and whenever the target comes online, those selected files may be downloaded without the interaction required from user.”

While we know that FinFisher is deployed in Pakistan, some questions remain to be answered. As citizens of a democratic state, it is our right to know who is using this surveillance software in Pakistan, how much budget is being spent on these licenses, and what laws and regulations are being followed for deploying this software.

Update [Sep 15, 2014]: How much did it cost?

WikiLeaks today released a list of countries that bought software from FinFisher and the associated cost that was paid. The cost was calculated using a price list they found inside an Excel file. Pakistan, as per the revealed price list, paid €432120 (or 57 million Pakistani rupees) for the three software products that were purchased.

---
From our earlier coverage:
» Global Coalition Of NGOs Call To Investigate & Disable FinFisher's Espionage Equipment in Pakistan
» FinFisher Commercializing Digital Spying – How You can be a Victim?

July 18, 2014

UN Report Calls Mass Surveillance a Violation of Human Right to Privacy

In an important step towards establishing international consensus on the right to privacy in the technological age that we live in, the United Nations High Commissioner for Human Rights on Wednesday issued a report calling bulk collection of private data and mass surveillance contrary to international law.

The report was prepared in response to the UN General Assembly resolution adopted during its 68th session in December 2013. The resolution, introduced by Brazil and Germany, specifically noted that the practices of bulk collection of private data and mass digital surveillance may be in violation of Article 12 of the Universal Declaration of Human Rights and Article 17 of the International Covenant on Civil and Political Rights:

"No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks."

The resolution had called upon all the UN member states "to respect and protect the right to privacy, including in the context of digital communication" and had requested the United Nations High Commissioner for Human Rights to submit a report to be considered by the General Assembly during the next session.

The very existence of a mass surveillance program constitutes an interference with privacy, the High Commissioner notes, and asks governments to make sure such actions are neither arbitrary nor unlawful.

The report employs clear language in condemning the collection of private digital data and observes that the "collection and retention of communications data amounts to an interference with privacy" regardless of the excuse that the data might be used later.

It dismisses the idea that the collection of metadata about a communication, in contrast to the communication itself, is not a violation of privacy. The metadata, it says, "may give an insight into an individual’s behaviour, social relationships, private preferences and identity that go beyond even that conveyed by accessing the content of a private communication."

It also cautions that companies that supply mass surveillance technology to states which are known to use the information in violation of human rights risk "being complicit in or otherwise involved with human rights abuses."

Considering that Pakistan has been known to have deployed Netsweeper and Narus products, which have reportedly been used by other repressive regimes for censorship and surveillance, on its network, Digital Rights Foundation (DRF) welcomes the report and hopes that the government of Pakistan, as a member UN state, would pay attention to the observations made in the report.

July 13, 2014

Why exactly is ‘Protection of Pakistan Act’ problematic?

Signed today into law by President Mamnoon Hussain, the Protection of Pakistan Act is an extremely repressive law giving unquestionable powers to armed and police forces. Human Rights Watch (HRW) and the civil society of Pakistan have aggressively opposed the bill for curbing fundamental constitutional and human rights.

Several provisions of the PPA, 2014 are problematic, along with a number of vaguely defined terms that can be misused by Law Enforcement Agencies (LEAs). As the country's powerful elite holds most of the police loyalties and the legal system is already in a shambles, the PPA gives a “green light for abusing suspects”, as put by HRW.

The new law doubles the maximum sentence for terrorism offences to 20 years and permits security forces to shoot suspects on sight. The scheduled offences are not only non-bailable but keep the burden of proof on the detainee who will be considered guilty unless proven otherwise.

The provisions of the Protection of Pakistan Act 2014 also give safe-outs to police officers of BPS-15 grade or higher on the basis of good faith, which can create huge troubles in a country where the police are hardly trusted by the citizens.

Here are the details on why exactly the civil society opposes Protection of Pakistan Act and what are the problematic provisions. Please share the details widely among your circle to better inform your friends and families about this law which will remain in effect for two years and can have huge repercussions for a common citizen, bloggers, and especially dissidents.

[Images: Protection of Pakistan Act 2014 (PPA 2014)]

January 02, 2014

"Unseen War" – Screening of a Short Film on Drones by Tactical Tech

“Unseen War” Tactical Tech’s film Screening on 11th January, 2014

Venue: Crystal Ball B, Marriott hotel, Islamabad

Date: 15:00 - 17:00 11th January, 2014

Digital Rights Foundation is pleased to invite you to a special screening of “Unseen War” on 11th January, 3:00 pm to 5:00 pm at the Crystal Ball B, Marriott Hotel at Cyber Secure Pakistan 2014.

“Unseen War” is one of the films from the series of Tactical Tech’s project of short films “Exposing the Invisible”. This short film changes the angle slightly and explores the physical, moral and political invisibility of US drone strikes in Pakistan.

The Exposing the Invisible team speaks to journalists, activists and experts inside and outside of Pakistan about the consequences of the strikes in the tribal FATA region, why they are possible, and how we can make the issue more visible using data and visualization tactics.

The screening of the film will be followed by a panel discussion on the cases shown in the film, how activism is transforming in Pakistan, and how it affects us.

 

Moderator: Usama Khilji

Panelists:

  • Marek Tuszynski - Tactical Technology Collective (Skype)
  • Abdullah Saad – Technology expert
  • Ammar Jafferi – Chairman PISA
  • Taha Siddiqui – Freelance journalist
  • Shahzad Akbar – Reprieve UK

 

DRF and PISA look forward to your participation in making this screening a success!

For more, join our Facebook event page or visit the website.

September 22, 2013

Call for Participation: Digital Security Workshop in Lahore

 

Digital Rights Foundation is pleased to announce a day-long digital security training being organized in partnership with Shirkat Gah and Bolobhi. Journalists, bloggers, writers, human rights defenders and students in Lahore are invited to apply for this workshop. The training sessions will be conducted on Thursday, September 26, 2013.

This workshop aims at equipping the participants with the skills and techniques necessary for staying safe online. One of the purposes of this training is to enable the participants to carry out similar workshops within their organizations and share the experience gained through their networks.

If you meet the eligibility criteria and would like to participate in this training, please submit a statement of interest along with a brief bio outlining your work to nighat@digitalrightsfoundation.pk. In the statement of purpose, demonstrate your interest by clarifying how the experience gained through this training program will help you in pursuing your goals personally and professionally. You may also indicate how this program relates to your future aspirations regarding digital security.

Further information regarding the event will be shared with the selected participants. The applicants must send their applications by September 24th, 2013. Late submissions will not be considered.

August 14, 2013

Call For Participation: Digital Security Workshop In Peshawar

Digital Rights Foundation (DRF), Bolo Bhi and Aware Girls are happy to announce a one day Training of Trainers on Digital Security and Privacy for Women Human Rights Defenders, Activists, journalists and young bloggers of Peshawar on 20th August 2013.

The main goal of this TOT is to increase the number of women defenders, activists, journalists and bloggers who are well-informed and confident enough on digital security to carry out trainings themselves within their own organisations and communities.

We would like to invite all members of the Women Human Rights Organizations, Civil society, journalists, bloggers to submit short profiles for consideration for this training. We will only be able to accommodate a maximum of 30 participants from Peshawar (final decision sits with the organising committee).

Shortlisted participants will be sent the details about the venue of the training. The deadline to apply is 17th August.

All interested candidates should send an expression of interest outlining how they meet the required criteria, how they will carry out further trainings and why they are interested to nighat@digitalrightsfoundation.pk.

 

Please note that as organizations focused on your privacy rights we discourage participants from sending us extra information, i.e. strictly no CVs. Please practice discretion when sharing your personal information online. Share only a brief bio relevant to your work, along with contact information that can enable us to contact you for updates. All data received will be discarded on the 18th August. We will not use your contact information for anything other than contacting you for this workshop specifically.


May 09, 2013

FinFisher Commercializing Digital Spying – How You can be a Victim?

- Shaikh Rafia

FinFisher is surveillance software by Gamma International UK Ltd, marketed as a surveillance solution to government security officials, that exploits security lapses in anti-virus programs. It is basically a spyware suite designed to allow someone to spy on a computer or mobile device. Described by the company as “Governmental IT Intrusion and Remote Monitoring Solutions”, FinFisher has its command and control servers installed in around 36 countries globally, according to a report and analysis by Citizen Lab. Pakistan is one of those countries, and Pakistan Telecommunication Company Ltd (PTCL) owns the network where the FinFisher server is found.

The FinSpy malware – a tool of the FinFisher intrusion kit – was often injected into potential victims’ machines by sending them malicious email. In its analysis, Citizen Lab found that the email addresses used to send these emails carried the names of some popular journalists (in the case of Bahraini activists), and the emails shared attachments which appeared to pertain to the Bahraini turmoil. On opening the attachments, files that looked like jpeg images but were actually executable files were saved on the victims’ computers. This gives the attacker clandestine remote access to the victimized machine, with data harvesting and exfiltration capabilities. Commonly, someone tricks you into clicking a file – a picture, Word document, etc. – which actually hides the FinSpy file and silently affects your machine without you or the anti-virus program installed on your machine detecting it.

Citizen Lab found that the data like Skype audio calls, chats, key logger and passwords was accessible to the attacker. FinFisher can even secretly use the microphone or webcam in your computer or Read more