Archives for May 2018

May 28, 2018 - Comments Off on DRF condemns yet another breach of NADRA database and demands strong data protection legislation

DRF condemns yet another breach of NADRA database and demands strong data protection legislation

The National Database and Registration Authority (NADRA) of Pakistan held the record for being the largest database of citizens’ biometric information the world over, until recently overtaken by India with its Aadhaar card programme. Such stature meant that it enjoys control over a mass amount of information, the kind whose confidentiality is crucial to every person it belongs to, and was duty-bound to protect from prying eyes and predators. Instead, as demonstrated in an infographic available on the Digital Rights Foundation’s (DRF) website, there have been a staggering number of instances of mismanagement of personal data that can be traced back to the Authority, the most recent of which is a reported breach into Punjab Information Technology Board (PITB) that has resulted in the loss of a critical amount of confidential data, access to which was granted by NADRA and which is being sold over the internet for as low as Rs.100 (equivalent to almost $1). This hit, which is as recent as May 2018 is yet another forced intrusion into our private lives at the hands of hackers, however the reason our personal data has been so easily plucked is the abysmal state of affairs is our data protection policies, or lack thereof.

At the time of publication, Pakistan does not have any data privacy legislation enacted. This is a precarious condition given the monumental amount of data that flows through the internet -- through the applications we install and use, and allow our internet service providers (ISPs) and applications themselves to use -- and is stored on the servers. As per a report published by DRF titled ‘Privacy and Data Protection Policies of Telecom Companies in Pakistan’, the measures in place by telecommunication companies to protect our data leaves a lot to be desired and little to no redress is available if any untoward situation arises.

The incident that we are reporting is unfortunately not the first of its kind and is indicative of the fact that cyber security is not a priority of our government institutions, as can be elicited from the following instances;

  • In 2002, NADRA chairman Saleem Ahmed Moeen admitted that about 300,000 NICs that were issued by NADRA carried errors. 
  • In 2011, NADRA employees were accused of preparing fake identification cards for employees of Bahria Town housing authority.

Instances of data sharing, apart from the accounts of unprofessional behaviour by NADRA officials, are also being quoted, for example, the sharing of data with a private company awarded the contract for issuance of National Smart Card Foreigner Identity Pakistan (NICOP) and Pakistan Origin Card (POC) in the UK and Europe. What is worrisome here is just the basic notion of our data being shared with private companies and multiple government departments, as the greater the spread and avenues of access to NADRA’s database, the higher the chances of a leak or misuse of the information.  Also in the news in 2014 was the Coordination Director of Chairman NADRA for leaking out all the messages of the government and strategy of NADRA to PTI and the media. Just these cases in themselves are illustrative enough to show the negligence present across the board at an institution as crucial as NADRA. A top-to-bottom revision of how the Authority operates, its standard operating procedures (SOPs), security and confidentiality-ensuring methods needs to be undertaken.

Further proof of the gravity of the situation is embodied in the recent spate of data breaches that have occurred at NADRA and PITB in the past year. This most recent development occurred in May of 2018, when NADRA handed over access to citizens’ data to the PITB for digitization and has resulted in the aforementioned data being pawned online and on social media platforms for chump change.

As per details available via ProPakistani : ‘… the data breach occurred when NADRA gave access of its servers to Punjab Information Technology Board (PITB), which wanted to digitize citizens’ data by linking CNICs with every other department, including but not limited to education, health, police and land registry.’

Just nine months ago another catastrophe was reported by ProPakistani when PITB’s technical settings allowed for anyone with basic computer navigation skills to access the Computerised National Identity Card (CNIC) numbers, photographic copies of the front and backs of CNI cards and scanned copies of educational degrees amongst other data, on an unregistered scale. It was written off as a technical glitch that was later fixed, however this intrusion into the privacy of civilians brings attention to the vulnerability of national database carriers in protecting sensitive and private information.

According to a source that has worked extensively with NADRA, the official position is that no NADRA database was breached, but that it was in fact the access provided to PITB and its team that resulted in any data leak that may have occurred. They added that NADRA extends its database to banks and telecommunication companies on a need basis, the inference being that no leaks or breaches have occurred on those occasions. The source also expressed concern over the lack of data protection laws in place and when asked if there was any redress available for those civilians whose data had been made public, responded in the negative but pitched that the process of ‘de-identification’ should be introduced wherein on the basis of a breach an individual can request NADRA to de-identify them and allot them a new national identification number and card. It was also highlighted that during the previous general elections, NADRA provided the Election Commission of Pakistan (ECP) with printed voter lists, which complete with CNIC number, name, address and photos was a breach of security of the voters, in itself.

Our data is being accessed by authorised personnel of several government departments, however we have seen that this authority that they have been entrusted with is being misused to sell user data to citizens through WhatsApp and Facebook groups and Twitter accounts. Accountability is a key aim that should be implemented by the government as such worrisome breaches cannot go unnoticed and require a prompt response. Another key aim would be to question is, why access to such sensitive information is provided so nonchalantly where seemingly everyone attached to a certain institution or department can gain access. Special focus should also be fixated on the Punjab Safe Cities Authority (PSCA) and its projects which employ surveillance as one of its methods to be able to improve the law and order situation in Punjab’s biggest cities through the use of technology. The potential for misuse or problematic leaks here is substantial and is only exacerbated by the lack of data protection legislation in the country.  Likewise, access to the data collected by PCSA and security of the servers employed by them is crucial given that it is potentially putting people at risk while they are constantly surveilled. The importance of transparency in these processes cannot be stressed enough given the delicate nature of the whole setup. The public, the people whose very data is at stake here, have a right to know not only how their data is collected, stored and used but also when it is compromised. It is essential that this information be relayed through official channels so that its veracity is not doubted, as much of the information and messages being forwarded on social media platforms cannot be trusted. Ownership must be taken by the state institutions and resultantly, accountability must be demonstrated for the people to see.

The need of the hour, as expressed by DRF time and time again, is to enact a comprehensive and effective data protection law that will serve the purpose of protecting the society’s best interests and one that not only chalks out how to best safeguard our data but also polices the institutions that have access to it.

Author: Zainab Durrani

May 18, 2018 - Comments Off on Nighat Dad makes it to TED Global

Nighat Dad makes it to TED Global

Nighat Dad speaks at TEDGlobal 2017

Nighat Dad speaks at TEDGlobal 2017

“Imagine waking up to a stranger - sometimes multiple strangers - questioning your right to existence for something that you wrote online”, Nighat Dad - a celebrated digital rights activist and lawyer from Pakistan starts her talk at a global stage of TED in August 2017 with an anecdote relatable across borders. The talk can be found here:

Pakistanis are finally being recognised globally for extraordinary work that they have been occupied with for years - the work that was overshadowed by a lot of issues that suppressed the image of this otherwise remarkable country that is full of potential. Nighat is one of those remarkable people who, along with her team of phenomenal people, is making Pakistan proud across the world. With many accolades already in her bag, Nighat shared her story at TEDGlobal in Arusha, Tanzania where she was welcomed by people from various backgrounds who came to listen to her talk, and were in awe when she finished talking.

Nighat’s story is not one of its kind, in fact, it’s a story of every woman - young and old - who was brave enough to mark her existence in the online world; a world that is known to be cruel and yet is believed to be harmless for its virtual nature. Her struggles were just a window to what women have to face everyday, things that are harrowing and can’t be put in words.

Cyber harassment is not a new term anymore. The victim knows it, the harassers know it, the bystanders know it, those who support either party know it. Yet the experiences are questioned, challenged, and ridiculed everyday. Nighat and her team oppose these questions and challenges to support the victims, and this is also when the Digital Rights Foundation was founded out of passion and sheer motive of helping others in the digital realm.

Cyber harassment leads to deadly outcomes and keeps women from accessing the internet, essentially, knowledge - is what Nighat reiterated in her TED talk. While it can be challenged that cyber harassment only affects women, but the fact that women are most vulnerable to online violence can’t be contested. The gendered nature of online abuse was also what kept Nighat from accessing technology because her family imposed restrictions on her that didn’t imply on the male members of her family. The cruel notion of “technology is the root of all evil” is still alive in this part of the world, and is heavily used to restrict women from accessing the pool of knowledge that the internet holds - furthering the oppression that has been going on for centuries. Digital Rights Foundation is challenging this notion, and calling for the harassers to be blamed for their actions, and not the technology. We are advocating for women’s right to access without barriers.

While Pakistan is the home to some remarkable individuals who are known and respected across the world, including Malala Yousafzai, Dr. Abdus Salam, Sharmeen Obaid Chinoy to name a few. But this doesn’t take away the fact that it is also a nation where women are left to die outside their house for answering a phone call, where women are killed in the name of honour for expressing their opinions online, where women are murdered to marry someone they like, because this is how polarised Pakistan is.

Nighat emphasised that because of the strong hold of conservative mindsets in her family, she wasn’t allowed to own a phone until she was married, and even after she got married, this mobile phone became a tool to surveil on her by her ex-husband. She refused to be subjected by the abuse that was projected on her, as a result she was abandoned along with her then-6-month-old son. It could either be the end of all worlds, or it would pave way for her to be the guiding light for many such women who choose to stand up for themselves, or those who have no one to stand by. She chose the latter.

Since then, DRF has been supporting women by providing avenues for them where they can seek help. The laws that grant all citizens right to access the information didn’t extend their legality in the case of women. Why is it that women have to fight for their rights when they were actually born with them? Why is it that the rights that women were born with aren’t given to them by default? Why is it that it’s always men - fathers, brothers, husbands - who choose what rights a woman will be granted, making the laws irrelevant?

The establishment of the Cyber Harassment Helpline - first of its kind in Pakistan and in the region - was done in hopes to extend the fact that women have equal right to access the internet as much as anyone in the society and no one can have the easy way out for making it unsafe for them. By actively lobbying for safe internet access for women, DRF is extending the idea that the internet is not owned by anyone and yet belongs to everyone.

Nighat puts it aptly in her TED talk, “Safe access to the internet is the access to knowledge, and knowledge is freedom.”

Author: Hija Kamran

While you are here...

Because DRF is still a very small organisation, we seek support from our friends and supporters beyond borders. If you’d like to extend your help to our cause, spread the word about our work through your platforms
Reach out to us at

May 18, 2018 - Comments Off on DRF at RightsCon Toronto 2018

DRF at RightsCon Toronto 2018


Digital Rights Foundation is at the largest digital rights gathering RightsCon 2018, this time happening in Toronto. The conference brings together human rights advocates, activists, lawmakers, academics, and allies of digital rights to discuss the most pressing issues concerning the people of the world in technological age.

The team of DRF is highlighting the gendered nature of these issues at the conference, along with many other problems that need the attention of the global community.

Here's where to find Hyra Basit and Nighat Dad - team members of DRF - if you are at the RightsCon! [PDF]

May 11, 2018 - Comments Off on First Conviction Under Pakistan’s Cybercrime Act – DRF in April 2018

First Conviction Under Pakistan’s Cybercrime Act – DRF in April 2018

Man Convicted in the First Judgement under the Prevention of Electronic Crimes Act (PECA)


In an important decision, a Judicial Magistrate, Muhammad Amtiaz Bajwa of the District Courts, Lahore has convicted an offender under the Prevention of Electronic Crimes Act, 2016 (PECA) [see judgement here]. Digital Rights Foundation has been advocating on the need for sound jurisprudence on issues of online harassment and cyber crimes in general. Read more...

DRF Submits Recommendations to OHCHR on Right to Privacy in the Digital Age


In response to the Office of the High Commissioner of the UN’s Human Rights (OHCHR)’s call for inputs to its report on the right to privacy in the digital age, the Digital Rights Foundation penned down its recommendations and observations.

The prime concerns highlighted by DRF were the state of affairs in Pakistan with regards to the country’s treatment of its citizens’ data privacy and the kind of digital protection it affords us in what is an increasingly technology-reliant age. Read more...

Workshop: Digital Rights in Asia | University of Sydney, April 12-13, 2018


Digital Rights Foundation took forward in an academic workshop with experts in internet law and policy from around Asia. Representing Pakistan, DRF spoke about its activism, work in protecting freedom of expression and gender perspective that it offers to digital rights.

DRF expresses concerns over the security breach of Careem’s servers


Digital Rights Foundation expresses serious concerns over the breach of servers of one of the most used ride-hailing services in Pakistan, Careem. It was announced in the company’s official statement on April 23 that its servers were breached on January 14, 2018 and since then it has been investigating the matter. In the absence of a data protection legislation that DRF has been advocating for since last year, incidents like this put Pakistani customers at risk and at the mercy of hackers who can use this stolen information against them without any legal repercussions. Read more...

DRF condemns Google’s alliance with Pentagon


Digital Rights Foundation (DRF) strictly condemns the involvement of technology giant Google with the US Department of Defense’s (DoD) Project Maven, an initiative that intends to deploy machine learning for military purposes, particularly in terms of using artificial intelligence to interpret video imagery which will potentially be used to improve the targeting of drone strikes. We strongly urge Google to reconsider the decision to collaborate with the DoD, considering the cost, hefty ethical stakes and safety risks involved. Read more...

#MoneyAndMovement - Count Me In! Consortium, Kenya

Nighat Dad was in Kenya on April 11-13, 2018 to attend the Count me In! (CMI!) Consortium organised in partnership with Urgent Action Fund-Africa, Association for Women's Rights in Development (AWID-Canada), Crea (India), Just Associates (JASS, USA) and led by Mama Cash (The Netherlands). The meeting brings together activists and funders to strategise the future of feminist movements globally.

DRF hosted a Digital Security Clinic at the consortium to help people with their digital security questions and needs.

This slideshow requires JavaScript.

Open Government Partnership Network Meeting - Bellagio, Italy

OGP Network Italy

DRF participated in the OGP Champions Network Meeting, "Building an Opening Government Chapmions Network", on April 25, 2018 in Bellagio, Italy - attended by 30 world-class political leaders, civil society heads, and thought leaders all working toward smarter & more ambitious open government reforms.

Hamara Internet: Our Right To Safe Online Spaces - Quetta

Quetta HI

DRF with the help of our partners FNF held an awareness raising session on data protection and privacy in BUITEM’s University, Quetta on the 25th of April 2018. Students discussed in detail about their concept of privacy and the implications it has in real life if there is a possible breach in it. 105 students attended the session.

Online Safe Spaces for Journalists at University of Peshawar

University of Peshawar session

DRF held a session at University of Peshawar with students of Journalism and Mass Communication on April 25, 2018. Around 70 students attended the awareness raising session where they were encouraged to keep themselves secure online. In the second half of the session they were given digital security training and were also provided with CDs which included security toolkits and a guidebook on digital security.

Workshop for Lawyers on Digital Rights

Workshop for lawyers on digital rights

A workshop was held for Lawyers in Peshawar on April 26, 2018, focusing on creating awareness about the legal landscape that governs digital platforms. A comprehensive training session, complemented by specifically designed toolkits, was given to lawyers to guide them on how they can make online spaces safe for themselves by adopting various tools and resources available to them.

Workshop for Journalists on Digital Rights

Workshop for journalists on Digital Rights

A workshop was held for Journalists in Peshawar on April 27, 2018, focusing on raising awareness regarding making online spaces safe for them, considering the sensitive nature of their field. The deliberations also allowed participants to discuss the underpinnings of their role in digital advocacy. They were also given security training to protect themselves from harassment and threat online.

Digital Youth Summit - Peshawar


DRF set up a booth to raise awareness regarding the cyber harassment helpline at the Digital Youth Summit in Peshawar on April 27th and 28th, 2018. The Summit had individuals from the tech industry come in and discuss the implications of the online world on the offline world with us. Around 350 to 400 individuals visited the booth and were given DRF merchandise.

Understanding Harassment - a discussion with policy and legal experts

Understanding Harassment

DRF’s team member, Shmyla Khan, participated in a panel discussion at the Lahore High Court organized by LEARN on April 28th, 2018. The panel consisted of notable figures such as sociologist Rubina Saigol, educators like Mariam Saeed, Salma Muzaffar from PCSW and lawyers such as Dania Mukhtar and Asad Jamal.

The discussion was rich and sought to discuss legal loopholes that discourage women from coming forward and what a law on sexual harassment should look like.

Hamara Internet: Our Right to Safe Spaces Online - University of Management and Technology in Lahore


DRF held a Hamara Internet session at UMT with female students of the law school to discussion online harassment, digital rights and the tools that women have in place to protect themselves in online spaces on April 30th, 2018.

May 04, 2018 - Comments Off on Statement: DRF expresses concerns over the ban on the messaging app Telegram in Pakistan

Statement: DRF expresses concerns over the ban on the messaging app Telegram in Pakistan


We at the Digital Rights Foundation (DRF) are extremely concerned regarding the ban on the social media messaging application, Telegram, by the Pakistan Telecommunication Authority (PTA). We are issuing a statement to express our concerns about this ban which curtails the right to communicate in a secure and safe manner.

As per Pakistan Telecommunication Company Limited’s (PTCL) official twitter account, it was confirmed on the 9th of November last year that Telegram had been banned as per PTA’s instructions. This notification was restricted to PTCL’s own network. However multiple attempts by other users as well as our team have led to the confirmation of the fact that the ban is effective across networks.

The need to implement policy that would bar access to a messaging platform similar to WhatsApp is befuddling and seemingly arbitrary.

We believe that such a decision hinders citizen's freedom of expression, which is a base and fundamental right as per Article 19 of our Constitution. It is a fundamental right recognized in countries the world over and was also recognized by ours through ratification of international treaties.

The cloud-based instant messaging service is a close second to WhatsApp in terms of popularity, however it has endearing features of its own, including its secret chat option and ability to send up to 1.5 GB worth of files, that prompts its usage. The security features of the app are its biggest selling point and in today’s world of information leaks and data hacks, it provides something we all desire, no matter what our station in life: some semblance of privacy. Such an avenue for communication without intrusion should definitely remain available to all those who choose to use it.  In any case, whether there is an alternate available or not, this blocking off of access is unconscionable, especially in light of the fact that no official notification was made public and neither was any reason provided.

Curtailing access to information is a violation of the civilians’ rights and basic expectations of a democracy. DRF demands the government authorities to provide justification on why was the app blocked and work towards ensuring transparency in such process.