Blog Archives

Archives for April 2018

April 24, 2018

Statement: DRF expresses concerns over the security breach of Careem’s servers

Digital Rights Foundation expresses serious concerns over the breach of servers of one of the most used ride-hailing services in Pakistan, Careem. It was announced in the company’s official statement on April 23 that its servers were breached on January 14, 2018 and since then it has been investigating the matter. According to the statement, the private and sensitive information of its millions of customers and drivers was stolen, which included their names, contact numbers, email addresses, passwords and trip data. According to the company, however, credit card and financial details were not affected.

This breach is particularly worrisome because Careem, as a ride-sharing application, amassed a huge amount of critical and personally identifiable information of its users. Information compromised in the breach, i.e. names, phone numbers and trip data, can help identify not only individuals but also their whereabouts, given trip patterns. This data, once revealed, has the potential to put lives in danger.

While we commend their effort of being transparent, the incident points at the larger issue of weak data protection protocols and putting people’s sensitive information and, in grim situations, their lives at risk. Moreover, in the light of many physical attacks on the drivers of the ride-sharing apps in the past couple of months in Pakistan, this incident further endangers life and property of the people using these services for an honest living or for safe commuting.

This particular breach of Careem’s security protocols raises a lot of queries and concerns that their statement failed to answer. First and foremost, why did it take four months to report the incident to the public? Although the blog states that they took their time to investigate the details of the breach due to the complex nature of the incident, the fact remains: millions of Careem’s customers and drivers were using their compromised accounts while their data was compromised. Customers were kept in the dark and had no mechanism of holding the company accountable.

Secondly, the statement fails to mention the number of customers that were affected by this breach. Careem is used by over 14 million users around the world, and the silence on this important aspect could signify that all of the users were affected.

Furthermore, it is the right of the customers to have full transparency about the incident, and the statement leaves several important questions unanswered: who was behind the hack, what happened to the stolen data, where it is stored, what measures Careem has taken to ensure the security of the stolen data, whether Careem takes responsibility for any unforeseen incident that may ensue from the misuse of this data, and what actions it has taken to warrant strong security of customer information in the future.

Careem’s silence for four months and inadequate justification of the data breach is indicative of the fact that tech companies operate without being held accountable under any laws in the countries where they operate. Furthermore, in the absence of a data protection legislation that DRF has been advocating for since last year, incidents like this put Pakistani customers at risk and at the mercy of hackers who can use this stolen information against them without any legal repercussions.

It would be remiss not to point out that the business model for several tech companies has been to amass personal data and monetize it for profit-making. Companies, such as Careem, need to be more transparent regarding what data is collected, its storage and its ultimate use; and at the same time reorient their approach towards data. A larger critique of these practices and their human rights implications is in order.

April 11, 2018

Statement: DRF condemns Google’s alliance with Pentagon

Digital Rights Foundation (DRF) strictly condemns the involvement of technology giant Google with the US Department of Defense’s (DoD) Project Maven, an initiative that intends to deploy machine learning for military purposes, particularly in terms of using artificial intelligence to interpret video imagery which will potentially be used to improve the targeting of drone strikes.

This recent development, in the highest echelons of technology, has been unsettling for us as a digital rights organization situated in a region that has been at the epicenter of military operations by the United States, particularly drone strikes. DRF would like to register its concerns and alarm regarding the far-reaching ramifications of the proposal.

Here is what we know so far:

  1. Employees of Google, numbering in thousands (3000+) have drafted and signed a letter in protest of their employer’s collaboration with the State Department in Project Maven to help increase the existing technology’s efficacy in terms of video imagery and drone strike targeting. “We believe that Google should not be involved in the business of war”, the employees’ letter stated.
  2. The outcry is motivated by the employees’ resistance to the idea of Google allocating resources to the DoD for military surveillance and the potential ethical implication of such involvement. The news, broken by Gizmodo’s article on the 3rd of March, 2018, notes that this pilot project, which was not previously reported, was the subject of much debate after being shared on an internal mailing list.
  3. The letter, addressed to the CEO, Sundar Pichai, demands a reassurance from the company by asking it to extricate itself from this allegiance with the Pentagon - the Headquarters of DoD - and for the implementation of a policy which promises that it will not “ever build warfare technology”.

This state of affairs is alarming for a multitude of reasons, the most crucial of which is the possible trend that this could give rise to in terms of overlapping roles being played by organisations that deal in mass data collection to operate and streamline their products in collaboration with state apparatus. The prime concern here is that a behemoth such as Google is used and trusted by billions every single day for business and leisure. Given its influence and role in the daily lives of people all around the world, and the fact that the fate of the data we all hand over to it is hitherto unknown, there will be serious doubts about how it is used. In the aftermath of the Cambridge Analytica scandal, this is a worrisome development especially since no official word has come from Google denouncing data leaks and providing reassurance as to the privacy of users.

Secondly, it should be noted that such projects carry the potential to cause physical harm to humans and/or give rise to geopolitical instability, so Google and the individuals working at the company should be extremely cautious about working with any military agency, especially given the notorious history of conquest that the US armed forces enjoy. The consequences of such projects are difficult not only to mitigate but even to predict. Moreover, they cannot assume that the DoD has fully assessed the risks involved in the Project before going ahead with it further. It is important to highlight that in the past, drone strikes have been inaccurate and have resulted in the loss of innocent lives, therefore creating a sense of fear within the general population of the targeted area. Indeed the sharpening of the military’s ‘lethality’ has been termed as a goal by the US defense secretary, Jim Mattis, a worrying indicator of the mindset in place. Thus, the onus is on Google as well to fully analyze the consequences and if this new technology is used by the US armed forces, then Google bears the ethical responsibility for the casualties.

Thirdly, since many of the details of Project Maven have not been made public, it is uncertain if Google has asked an independently constituted ethics board to veto or raise concerns regarding any aspects of the program. Any project review process should not only be independent and transparent but should also be made public, and without independent oversight, such a project runs a real risk of harm.

Lastly, as a country on the receiving end of drone surveillance and attacks, this does not bode well for Pakistan. These strikes have targeted the most vulnerable areas of Pakistan, particularly the politically marginalized FATA. As per a report published by the Bureau of Investigative Journalism, a UK-based not-for-profit organization, the strikes have killed between 424 and 966 civilians between 2004 and 2016. For a country not actively at war and for its citizens who did not have the ability or even get the chance to defend themselves before being killed by orders issued from thousands of miles away, this is a cruel mockery of the sovereignty of our boundaries. The alliance of Google with what is essentially a perpetration of ‘war crimes’ within the bounds of our nation, comes across as a breach of DRF’s beliefs in democratic participation. Drone strikes have in the past, however, repeatedly undermined democratic processes and denied decision-making powers to Pakistani citizens. The very concept of foreign surveillance within the territory of Pakistan and its airspace is unsettling.

The US government officials claim that the drone strikes are accurate and rarely harm innocent lives in the area but the reported number of civilian lives lost due to these attacks suggests otherwise. It has also been reported that in Pakistan where drone strikes take place, parents have taken their children out of school to protect them from possible strikes. Such are the lives of civilians living in these affected areas where they cannot even enjoy something as basic as roaming around in the streets without fearing for their lives.

Despite the high number of civilian casualties and criticism that the program lacks transparency, the US Government has repeatedly defended the strikes. While they claim that drone strikes are accurate and rarely harm civilians, strikes can kill or injure anyone in the area, even if they are only meant to kill a targeted individual. Many victims have come forward and shared their harrowing stories of when a drone strike changed their lives. One of the victims of a drone attack reported that 11 of his family members were killed, despite having no links with the Taliban. A member of a local pro-government peace committee was also killed, along with his three sons and a nephew, when their house was wrongly targeted instead of the one where the militants resided. These are just two out of the many examples where civilians were killed in the name of collateral damage. Unfortunately, there is no accountability: at least in Pakistan, the death tolls are never confirmed and the strikes, whether successful or not, are never publicly acknowledged by the US government. The psychological impact of drone surveillance, when combined with the civilian casualties during strikes, leads to significant negative strategic costs that need to be incorporated into the assessment of the project by not only the US government but all the relevant stakeholders involved in aiding this project, including Google.

While it is commendable that Google employees are debating the project internally and voicing their dissent, there are other stakeholders involved as well: the citizens of countries who are on the receiving end of US surveillance and drone strikes. We strongly urge Google to reconsider the decision to collaborate with the DoD, considering the cost, hefty ethical stakes and safety risks involved.

April 10, 2018

DRF Submits Recommendations to OHCHR on Right to Privacy in the Digital Age

In response to the Office of the High Commissioner of the UN’s Human Rights (OHCHR)’s call for inputs to its report on the right to privacy in the digital age, the Digital Rights Foundation penned down its recommendations and observations.

The prime concerns highlighted by DRF were the state of affairs in Pakistan with regards to the country’s treatment of its citizens’ data privacy and the kind of digital protection it affords us in what is an increasingly technology-reliant age.

A major share of the blame for Pakistan being ‘not free’ for 6 consecutive years as per the Freedom on the Net Reports, an indicator of a country’s internet culture, goes towards the kind of legislation that has been enacted in recent years. Case in point here would be the somewhat draconian Prevention of Electronic Crimes Act (PECA) 2016, a double-edged sword that was introduced in 2016 and works to curtail certain freedoms, most importantly the freedom of expression and right to privacy, by making them punishable by law. Ss. 33 and 34, for example, allow the government, in tandem with the law enforcement agencies, to acquire and retain data and communication vis-à-vis a court-issued warrant for a time period that, though quantified, can be extended when special circumstances arise.

The key focus of this report remained on highlighting the issues with our policy-making instruments and the goals that they appear to wish to achieve, which appear far removed from instilling a sense of security in the general populace.

In terms of Pakistan’s legal framework housing encryption and data protection legislation, a sad confirmation that our report provides is that we have no active legal protection from being barred from using encryption software or VPNs to browse the Web. In fact, a legal notice issued by the Pakistan Telecommunication Authority to all internet service providers (ISPs) circa 2011 ordered any usage of or access to VPNs requested by the companies’ customers to be reported to the Authority. This not only fosters a culture of deep mistrust in the internet-accessing population of the country but also contributes to international indicators such as Freedom House’s annual reports rating Pakistan as one of the worst domains for its internet users.

DRF has lobbied with much persistence in the last year to bring this issue to the forefront and for it to form the headline of national debate so that this engagement may lead policymakers and lawmakers to legislate on the matter. The Open Government Partnership (OGP) that DRF is a part of has also helped to relay our concerns to the relevant authorities, as has the policy brief that we have issued to concerned government departments regarding possible data protection law that can be enacted by the Parliament.

Another pertinent concern is the state-backed monitoring that has been known to target journalists, human rights defenders and women at large under, ostensibly, the ambit of the National Action Plan that was launched by the Government of Pakistan in January 2015 to crack down on terrorism. The potential for misuse and abuse of authority is manifold and is a cause of great concern amongst civil society.

This monitoring can be aided greatly in this day and age by social media platforms, which have almost unhindered access to a lot of data that is voluntarily provided and also to the kind of data we do not know we are giving away, every day, with every post, like or share or every app that we download on our information systems.

An extension of this concept is the kind of targeted monitoring that is centered on minorities and certain genders. Also the lack of privacy and protection that can result in data breaches is a serious issue particularly in our corner of the world owing to the overwhelmingly patriarchal norms that are almost set in stone here and are the reason for the great disparity between the sexes in terms of education, opportunities and basic lifestyle. This is the same mindset that would react to a young woman’s data breach with threats to life rather than just being a mere inconvenience and is a very important reason why the necessary laws need to be put in place.

The report itself covers a wider range of inputs that we have directed to the Office of the High Commissioner of the UN’s Human Rights division and is available here.

April 6, 2018

Man Convicted in the First Judgement under the Prevention of Electronic Crimes Act (PECA)

In an important decision, a Judicial Magistrate, Muhammad Amtiaz Bajwa of the District Courts, Lahore has convicted an offender under the Prevention of Electronic Crimes Act, 2016 (PECA) [see judgement here]. Digital Rights Foundation has been advocating on the need for sound jurisprudence on issues of online harassment and cyber crimes in general.

This has come about as a result of a criminal case filed, under sections 20, 21 and 24 of PECA as well as section 420 of the Pakistan Penal Code (PPC), with the Cyber Crime Circle FIA by the complainant whose wife became the victim of cyber harassment at the hands of the convict. As per the judgement obtained by DRF from the relevant court, which is available for public perusal underneath, the charges against the accused include disseminating compromising pictures and videos of the victim through Whatsapp messages and fake email addresses for the purpose of blackmailing her.

Following forensic analysis on three separate email addresses and three mobile numbers, Muhammad Usman, who is an Assistant Director Investigation of the Cyber Crime Circle, deposed that he was associated with this case as the Technical Expert and had found data in the phone corresponding to that shared via the email addresses, and subsequently submitted a 38-page report. This and other testimonies by Prosecution Witnesses (PW) went on to strengthen the case against the accused, leading to a judgement under the following sections:

S.20 Offences against dignity of a natural person.--- (1) Whoever intentionally and publicly exhibits or displays or transmits any information through any information system which he knows to be false, and intimidates or harms the reputation or privacy of a natural person shall be punished with imprisonment for term which may extend to three years or with fine, which may be extended to one million rupees or with both.

S.21 Offences against modesty of a natural person or minor.--- (1) Whoever intentionally and publicly exhibits or displays or transmits any information which,
(a) Superimposes a photograph of the face of a natural person over any sexually explicit image or video.

S.24 Cyber stalking
(1) A person commits the offence of cyber stalking who, with the intent to coerce or intimidate or harass any person, uses information system, information system network, the Internet, website, electronic mail or any other similar means of communication to
(a) follow a person or contacts or attempts to contact such person to foster personal interaction repeatedly despite a clear indication of disinterest by such person;

SENTENCE:

The learned Magistrate awarded:

- 2 years imprisonment and a fine of Rs. 200,000 under s.20 of PECA
- 2 years imprisonment and a fine of Rs. 300,000 under s.21 of PECA
- 2 years imprisonment and a fine of Rs. 200,000 under s.24 of PECA

Additionally, an amount of Rs. 10,00,000/- was awarded as compensation for damaging the social/private life of the victim as envisaged under s.45 (Order for payment of compensation) of PECA.

In describing the nature of the crime in this case, the learned judge posited that the defendant betrayed the trust of the victim and that a “flagrant intrusion into privacy” was undertaken by him. What keeps this from being a seminal judgement is that it primarily focuses on the veracity and verification of the evidence produced by the prosecution, rather than the nature of the crime. The judgment, though an encouraging development, does not lay down any substantial tests or legal principles regarding online harassment, unlike judgements in other jurisdictions. For instance, the judgment in United States v Drew explored the specific facts and situation at length and laid down substantive ground for any future cases of a similar nature to be decided under.

Interestingly, when deciding on the quantum of punishment, the judge does take into account the fact that “cyber crimes are new to society” and that, while ignorance of the law is not a defence, there is an onus on the “Government to educate the people in respect to the new cyber crimes”. This is a welcome suggestion; however, it veers more towards policy-making than fleshing out case law.

Another noteworthy aspect about this judgment is the fact that section 45 was used to award compensation to the victim for damage to “social/private life of the victim”. This is a healthy development as the judge recognised the toll that online harassment can take on mental, physical and social well being of victims, and employed the law to acknowledge that impact.

Digital Rights Foundation will continue to monitor these judgments and developments in legal jurisprudence around online harassment. Our hope is that a gender-sensitive approach will be taken to espouse legal principles that look towards the future in developing robust case law around cyber crime laws.

Authored by Zainab Durrani and Shmyla Khan

April 5, 2018

March 2018: Women’s March in Pakistan and the continuum of misogyny in online spaces

Man convicted in the first judgement under the Prevention of Electronic Crimes Act (PECA)

In an important decision, a Judicial Magistrate, Muhammad Amtiaz Bajwa of the District Courts, Lahore has convicted an offender under the Prevention of Electronic Crimes Act, 2016 (PECA). Digital Rights Foundation has been advocating on the need for sound jurisprudence on issues of online harassment and cyber crimes in general. See the summary of the judgement by Zainab Durrani and Shmyla Khan here.

Aurat March backlash and the Continuum of misogyny from the street to Facebook Pages

Aurat March

We, at the Cyber Harassment Helpline, have seen a lot of cases of misogyny and gendered harassment of women in online spaces. However, after the deluge of complaints immediately in the wake of, and directly related to, the Aurat March, we saw a different kind of harassment take hold of online spaces. Several pages have been identified to us by complainants that have engaged in a concerted campaign to target those who attended the Aurat March, especially the women photographed with signs and posters. Women have been receiving death and rape threats, with their faces broadcast on social media. Read the blog by Hyra Basit here.

Cambridge Analytica and How to Secure Your Data

This weekend news broke that a data breach of 50 million Facebook profiles was used by the data analytics firm, Cambridge Analytica, to assist the Donald Trump campaign. The news is worrisome for several reasons, and it speaks to a problem that digital rights and privacy advocates have been advocating against for years--the need for stronger user data protections and accountability for social media companies. Read the blog by Shmyla Khan and Hamza Irshad here.

Nighat Dad speaks at TEDxLuziraPrison in Kampala, Uganda

Nighat Dad spoke at the TEDx organised in Luzira Prison in Kampala, Uganda. The event was attended by around 3000 inmates. Nighat spoke to the audience about how, in a world of technological advancement, digital rights are as important for people as their offline rights are, and how these rights should be seen collectively and equally. Nighat’s intervention was based on her own experiences as a woman from a conservative family who was barred from accessing the world in its entirety due to various influences rooted in patriarchal notions of the society. She emphasised that public spaces, both online and offline, belong as much to women as to anyone else, and that acquiring these rights shouldn’t be a struggle but should be granted by default.

Digital Rights Foundation receives I Am The Change (IATC) 2017 Award

Nighat Dad at IATC

Digital Rights Foundation receives the I Am The Change (IATC) 2017 Award by the Engro Foundation in the category of Social Development. IATC looks to empower organizations to make a large and sustainable impact in the social sector of Pakistan by aiding institutions that have joined forces in a relentless pursuit of shaping a better tomorrow, as they strive for change through long-term investments in the two areas of Social Development (in the case of Not-for-profit Organizations) and Social Enterprise.

At the awards ceremony that took place in Islamabad, Nighat Dad addressed the audience, thanking Engro Foundation for acknowledging the efforts of civil society in protecting people's right to access the digital spaces. She added, "This award is not just for DRF but for all those people who believed in us and supported us all these years, for those women who took the abuse, fought against it, and came out stronger than ever. This award is for all those resilient people who are fighting their own battles and are defying the odds, and are telling the world that they can’t be confined anymore and that they are their own person and the world belongs to them as much as it belongs to anyone else."

Online Safety for Women and Children - A Session in collaboration with PK-NIC

Digital Rights Foundation and PKNIC collaborated for an awareness event that explored different issues of online safety, women’s rights online and digital rights. The event opened with a digital security training by the DRF team, followed by a presentation on sexual harassment in the workplace. The event concluded with a virtual lecture by Zahid Jamil on the cyber crime law. The event was attended by 35 participants.

PCSW: Power of Social Media, Digital Rights & Cyber Harassment

DRF conducted a session on Power of Social Media, Digital Rights and Cyber Harassment at the Punjab Commission on the Status of Women on the 7th of March. The session was part of a 3-day Women Leadership Training with women degree colleges in all the districts of Punjab. The session had 136 women who shared their queries and concerns regarding cyber harassment and also discussed the avenues that the internet has to offer them.

Our Right to Safe Spaces Online - Iqra University, Karachi

DRF organised a session on data protection and privacy with the students of Iqra University, Karachi on March 29, 2018. The session focused on raising awareness around the laws and rights pertaining to data protection in specific and digital rights in general, while concluding the session with laws and tools to counter online harassment and how students can contribute in establishing “Hamara Internet” - an internet that is safe for everyone to access.

Digital Rights Foundation was at the Internet Freedom Festival 2018

IFF 2018

Digital Rights Foundation attended the 5th Annual Internet Freedom Festival held on March 5 through March 9, 2018 in Valencia, Spain. The festival addresses the issues pertaining to digital rights from around the world and seeks to formulate solutions as a community towards safe and inclusive online spaces. Here are the details of the panels that DRF hosted and was part of - a blog by Hyra Basit.

Review: NACTA introduces app “Chaukas” to counter hate speech

In a bid to fight hate speech and encourage civil society to step up and curb its spread, the National Counter Terrorism Authority (NACTA) has created an app by the name of Chaukas. Zainab Durrani reviews the app for Digital Rights Foundation here.

DRF hosts a booth at Face Music Mela, Islamabad

The Cyber Harassment Helpline set up a booth on the campaign no means no at the Face Music Mela on the 24th and 25th of March in Islamabad. 500 people showed up at the booth to discuss their concerns on harassment and abuse in detail with our team.

The Judiciary and People's Political Rights - A Seminar organised by Human Rights Commission of Pakistan (HRCP)

The Seminar “THE JUDICIARY AND PEOPLE’S POLITICAL RIGHTS”, which was held on Saturday the 10th of March at HRCP’s Dorab Patel Auditorium, housed a crowd of approximately 60+ people and was moderated by lawyer and activist Asad Jamal and Salima Hashmi of the HRCP. It called on members of civil society and various authorities to speak on the legal landscape and constitutional history of the country. Amongst them were Maryam Khan, an academic; eminent lawyer Salman Akram Raja; (Ret) Justice Tariq Mehmood; and the Dean of LUMS Law School, Dr. Martin Lau.

It commenced with a few opening remarks in remembrance of Asma Jahangir and her illustrious legacy by her daughter Sulema Jahangir and moved on to discuss the legality and problematic nature of the Supreme Court’s 21st February, 2018 decision (the SC moved to disqualify former premier Nawaz Sharif from heading his political party, PML-N, by striking out s.203 of the Election Act, which allowed disqualified parliamentarians to be party leaders) and the tendency to make decisions as best suited the Court in terms of making a point, instead of what suited the interests of legal precedent and state, a contention argued by both Mr. Raja and Ms. Khan.