Archives for May 2020

May 30, 2020 - Comments Off on Digital Rights Foundation is Gravely Concerned with the Violations of Privacy & Condemns Moral Policing in Uzma Khan case

Digital Rights Foundation is Gravely Concerned with the Violations of Privacy & Condemns Moral Policing in Uzma Khan case

image soon

It is no secret that the internet is not a safe place for women, much like most spaces in society. Tools and technologies are repeatedly weaponised to harass, shame and silence women, recreating oppressions and patriarchal power structures that have enacted violence on women’s body and freedoms for centuries.

Earlier this week, Uzma Khan’s video of her terrified and being bullied in her own home was leaked without her consent and in clear violation of her privacy, it set off character assassinations and slut-shaming that is common in cases where women assert their bodily autonomy outside the bounds of marriage. Women’s sexuality is heavily controlled through penal laws and moral policing that seeks to negate their consent and autonomy. Women stepping outside traditional gender roles or the respectability of the family unit are shamed for their choices, and the video was an example of technology-enabled moral policing. Subsequently, as videos of the attack emerged on social media, promoting outrage from some on the blatant use of power to punish a woman for moral transgressions, but also voyeuristic viewings from those baying for entertainment. The manner in which women’s presence and bodies are objectified and consumed online often obscures the larger structural issues and power dynamics at play in cases, an exercise that even well-wishers often wilfully participate in.

Privacy has traditionally been used as a concept to confine to their homes and insulate violence within the family from accountability—the concept of “chaar devari”, the privacy of the women of the family, has been weaponised to keep women within the domestic sphere and invisibilise violence within the home. Feminist interventions on the right to privacy however centre it as a means of safety and preserving individual human dignity, as a shield to protect the vulnerable against powerful institutions and individuals. Uzma’s right to privacy within her home, over her videos and personal information is crucial, particularly in a case where the power dynamics are stacked up against her. The fact that after the filing of the FIR, Uzma’s personal details, such as her home address, were put on the internet and widely disseminated reminds us of the dangers of doxxing that played a part in the horrific murder of Qaneel Balochi. The disregard for Uzma’s privacy—opening up her persona life for public consumption—is extremely troubling and dangerous.

We call on the law enforcement bodies to demonstrate their independence and fairness by following through on the registered FIR and taking steps to ensure that the inquiry and subsequent case is fair and transparent. Furthermore, we believe that protection should be provided to Uzma and her family with due regard to their privacy. At the same time, we also recognise the limitations of the law and the justice system in providing restorative justice for the loss suffered. Additionally, the law is often instrumentalized to serve the interests of capitalist-patriarchal order, reproducing the status quo through coerced compromises and police malpractice.

May 30, 2020 - Comments Off on COVID-19 GOV PK: The Tech to Battle Coronavirus

COVID-19 GOV PK: The Tech to Battle Coronavirus

As COVID-19 has spread across Pakistan, questions have been raised about how the Government will tackle the spread of the virus. Across the globe we have seen different approaches to this, varying from comparatively relaxed to extremely stringent.

A popular global approach to health surveillance has been contact tracing[1], followed by surveillance and testing. Contact tracing is an old public health technique which tracks an infected person by tracing the places they visited and the people they met. In order to stem the spread of the virus, all those who came into contact with the infected person are then tracked down, informed of their contact and told to self isolate, or are immediately tested for the virus. This process goes on with each new case and is supposed to help ‘map’ the virus as it spreads. In some countries, mobile applications have been launched to track the virus and help people see ‘where’ the virus is.

These apps act as a way for governments to warn the public about cases nearby, and also allow people to report themselves as patients, so as to keep the cycle of contact tracing going. While such extensive mapping may be helpful for tracking the disease on the macro level, these apps present on the flip-side, major privacy concerns.

Take for example this detailed account of South Korea’s Patient #10422:

Before being diagnosed, patient #10422 visited the Hanaro supermarket in Yangjae township on March 23 from 11:32 p.m. to 12:30 a.m. The patient was accompanied by their spouse, both wearing masks and using their own car for transportation. On March 27, the pair visited the Yangjae flower market from 4:52 p.m. to 5:18 p.m., again wearing masks. They then had dinner at the Brooklyn The Burger Joint at Shinsegae Centum Mall from 6:42 p.m. to 7:10 p.m. This detailed record can be found, publicly available, on many government websites, and is a testament to the extensive contact tracing carried out by Korean authorities.[2]

The minutiae of this account goes to show the extent to which data is being collected and observed.

In many instances, the state response has been immediate and comprehensive which hints at the presence of such tech and mechanisms being in place before the pandemic swept the globe, as is apparent from Pakistani PM Imran Khan’s statement: "It (system for tracking and tracing) was originally used against terrorism, but now it is has come in useful against



coronavirus."[1]  This necessitates the inclusion of a detailed data protection and destruction policy to accompany the launch of such apps which mandate the destruction of the data once the health-related utility is over.

At home, our concerns begin from the knowledge that the government of Pakistan is implementing a policy of mapping that involves tracking citizens and their movements. Internationally, there has been debate about the efficacy of contact tracing, however, at the same time, some countries have seen success with this policy. In the context of Pakistan, unfortunately, these measures are accompanied by a lack of trust between the State and citizens. Multiple instances[2] of citizens' data being leaked from one of the biggest national biometric databases in the world, i.e. the Nadra database, has created a faith deficit. Instances of CNIC and family registration certificates (FRC) information being sold online for as low as $1-2 a piece due to a data leak at a provincial level and possibly national level cement this belief.

The “COVID-19 Gov PK” app, released by the National Information Technology Board (NITB) and the Ministry of National Health Services, has been available for use since early April and has been downloaded with an unsurprising frequency given the alarm among the masses, with a rough estimate of more than 500,000 installations at the time of writing.

The very limited privacy policy (found below) states that it is ‘adhering to social, moral, ethical values, and privacy’ while providing no details of the same and referring to no framework under whose jurisdiction these values are defined and the same goes for the element of privacy.

Given that the app seeks permission for geolocation data of the device it is being used on, and personal medical and geographical data of the user, the policy included within the app is not sufficient or clear on exactly how this data is being processed and who has access to it.



A rapid evidence review published by the Ada Lovelace Institute in the UK sets out, amongst other measures, the proposal for the formation ‘of a new Group of Advisors on Technology in Emergencies (GATE) to oversee the development and testing of any proposed digital tracing application.[1]

We at DRF submit the same and ask that a GATE advisory be created to oversee the development, rollout and implementation of fair and citizen rights-protective technologies to combat the pandemic in Pakistan and that a proviso be extended from the outset as to the limitations, especially in terms of time-frame, be allotted and notified with every new tech measure the governments, both Federal and provincial, take to combat the pandemic.

As more and more of offline life has moved online, the increased activity has subsequently led to more complaints of online harassment and crimes. In light of this, there is no reference to heightened concerns regarding the ‘security’ of the app and the personal data being saved. In a White Paper, titled ‘Decentralized Privacy-Preserving Proximity Tracking’ (D3PT), experts in the field highlighted that centralised databases made about patients are at a higher risk of being attacked and leaked than decentralised ones. The white paper makes the case for a decentralized database since it offers a more stringent security policy and quicker response to any attempted data breaches. A centralized system requires a phone to upload all its contact information onto a central database, similar to what the UK is doing currently. In contrast, decentralized systems cross reference a device’s contact information without uploading it to a central database. This is similar to how the European Union has implemented contact tracing. If intelligent decisions are not made about how this data is saved, attackers can access personal information, malicious actors can target patients and in some cases lead to discriminatory practices being adopted. Already we have seen this happening in Balochistan where COVID-19 positive patients’ medical data was leaked[2] to reveal their identities which is not only a massive privacy breach on its own but is only made more complicated by the social stigma attached to corona patients.

The White Paper talks about how the transmission of data works in such apps. Most COVID 19 tracking apps have a feature called the ‘Radius Map’ that tells the user if their immediate surroundings have had a reported case of the novel coronavirus. It does this by using bluetooth signals that bounce off of other users of similar apps. Because of this, specific locations of patients can be pinpointed to the average user. The White Paper highlights this as a privacy concern. Additionally, they also highlight the fact that these signals can be manipulated by hackers to create false alerts of nearby COVID 19 patients, spreading panic in an already volatile situation.

More worryingly, the government app does not rely solely on Bluetooth technology but also makes use of location data which makes it more invasive by a significant degree. These concerns are not helped by the fact that the app does not even meet the standards set by tech giants like Apple and Google, who have collaborated together to develop the APIs for coronavirus app development and have released a detailed set of documentation on exposure notification, its framework and cryptography to promote ‘privacy-promoting contact tracing’.

We submit that the Government of Pakistan share detailed SOPs regarding the COVID 19 app launched by them. These should detail their privacy policy in full, addressing data retention and destruction through a clear and unambiguous sunset clause. Also, we maintain that the Government should share with the public as to who exactly has access to this database and strict guidelines regarding data sharing. While we appreciate that this is an unprecedented situation, the Government still must act in a manner that best protects its citizens' data and their right to privacy, a right enshrined in the country’s Constitution of Pakistan. This, to us, includes the maintenance of the right to opt-in in terms of app usage for everyone, even government employees or essential and frontline workers.

The requirement of immunity certificates must also not be made a condition on which citizens’ mobility and access to benefits rests. These immunity certificates are a focus of debate at the moment with several European nations considering issuing ‘passports’ which allow the holder (a recovered COVID-19 patient) access to a social life but also to civil liberties like the freedom of association and movement. These measures have the potential for unprecedented surveillance and control over public life and cannot be made a prerequisite for exercising fundamental and inalienable constitutional rights.

While we understand the imperatives of the public health emergency, it is important that the State establish some boundaries and limitations to their policy, to ensure their citizens have tangible reasons to place their trust and data with them. The current privacy policy contained within the app itself is inadequate to address these queries and cannot be supplemented given the absence of any data protection legislation in Pakistan. We demand also that the apps that are developed to aid the healthcare emergency be open source[3]. This would not only promote transparency but give a tangible boost to the faith placed in the government’s initiatives for its citizens.

The principle of proportionality is required here, in terms of the strength and effect of the measures being employed. Technology is an asset in these times, however we demand that the increasing centrality of technology be done in a safe, transparent and just manner.



[3] Open Source refers to software whose source code is readily available online can also be audited by digital security experts for security standards etc.

May 20, 2020 - Comments Off on Evidence of Twitter, Periscope and Zoom restrictions in Pakistan

Evidence of Twitter, Periscope and Zoom restrictions in Pakistan

Network data from the NetBlocks internet observatory confirm that Twitter, Periscope and Zoom were restricted on multiple internet providers in Pakistan on the evening of Sunday 17 May 2020, commencing approximately 18:30 UTC and lasting over an hour. This report produced in partnership with the Digital Rights Foundation presents findings on the schedule events.

It is shown that the Zoom restrictions appear technically unrelated to international issues that affected call quality earlier in the day. Further, it is shown that Twitter, Twitter’s image and video servers, Twitter’s streaming platform Periscope and the Zoom videoconferencing website share the same timeline of disruption, consistent with previous documented social media platform disruptions in Pakistan.

Sunday’s incident matches the characteristics of previous documented restrictions applied on grounds of national security or to prevent unrest such as the Pakistan’s November 2017 social media blackout.

What happened on Sunday?

Late on Sunday 17 May 2020, users across Pakistan started reporting inability accessing the Twitter social media platform and Zoom videoconferencing service.

Users were able to regain access using VPN tools which circumvent national censorship or filtering mechanisms. During this period the #TwitterDown hashtag trended in Pakistan.

A real-time incident alert was issued by NetBlocks presenting initial findings which are developed and examined further in the present report:

The bulk of reports from Pakistan describe a loss of access to affected services. Other reports from Pakistan describe the “throttling” or slowing of Twitter. NetBlocks data indicate that backend image and video servers were specifically unavailable during the disruption period, corroborating these reports.

How does this relate to international outages?

Zoom experienced technical issues earlier on Sunday affecting certain types of meetings on the service for a limited subset of users. The company issued an update at 15:43 UTC confirming that the problem was resolved, hours prior to the onset of social media disruptions in Pakistan.

No widespread user reports of outages are evident in other countries at the time of Pakistan’s social media blackout. NetBlocks performance metrics from around the world show that Sunday’s disruption was localized to Pakistan:

International reachability metrics show impact by country over two days, with nation-scale disruption evident solely in Pakistan during the reported period

A closer examination of the specific time interval for Sunday’s disruption in Pakistan also shows no restrictions or disruptions in effect outside of Pakistan:

Additionally, timings show that the services were disrupted in the same time window in Pakistan, and restored at the same moment:

Findings are drawn from a core sample of 300 network performance measurements observed from 30 network/location pairings across Pakistan supplemented by a wider dataset of international metrics for comparative use.

Why were Twitter, Periscope and Zoom disrupted in Pakistan?

No explanation or legal order has been presented by authorities or network operators at the time of writing.

Pakistan has previously implemented similar restrictions during mass-protests and limits internet access each year during Ashura. However, no protests were held on Sunday and public manifestations are unlikely as Pakistan remains under partial lockdown in response to the COVID-19 pandemic.

Researchers note that the timing of restrictions as well as the set of platforms affected coincide with a “virtual conference” critical of Pakistani policy held via Zoom, shared on Twitter and reportedly streamed via Periscope on Sunday evening.

News report suggest the virtual event generated controversy in Pakistan, stoking tensions between Indian and Pakistani political activists. Nevertheless, a nation-scale social media blackout in response to a virtual event would be a notable development for Pakistan.

NetBlocks encourages network operators and governments to report disruptions and their legal basis, where available, in a transparent manner in keeping with international standards.

This investigation is conducted by NetBlocks and the Digital Rights Foundation.


Internet performance and service reachability are determined via NetBlocks web probe privacy-preserving analytics. Each measurement consists of latency round trip time, outage type and autonomous system number aggregated in real-time to assess service availability and latency in a given country. Network providers and locations enumerated as vantage point pairs. The root cause of a service outage may be additionally corroborated by means of traffic analysis and manual testing as detailed in the report.

originally published on @NETBLOCKS

May 18, 2020 - Comments Off on Digital Rights Foundation urges for accountability in Waziristan honour killings

Digital Rights Foundation urges for accountability in Waziristan honour killings

May 18, 2020

Digital Rights Foundation expresses its outrage regarding the cold-blooded murder of two teenage girls at the hands of their family member, killed in the name of misplaced and patriarchal notions of “honour”. The honour killing was prompted by a short mobile video of the young man that surfaced on social media. The video was leaked without the girls’ consent and contained private imagery.

Regrettably, killings in the name of so-called honour are not a new phenomenon in Pakistan and several parts of the world, technology-enabled violence is emerging as a tool for shaming women and controlling their autonomy. Videos and images of women are often weaponised to blackmail, exercise control and inflict violence on women, employing technology as another tool in service of the patriarchy. In Pakistan, the digital gender divide is among the largest in the world, as women are 37 per cent less likely than men to own a mobile phone device of their own. Furthermore, women’s access is often surveilled and controlled by patriarchal figures in their lives. This gap is particularly stark in areas such as Waziristan where mobile internet access has been denied due to a prolonged internet shutdown, resulting in women being deprived of access to resources and crucial information that can potentially save lives.

This is not the first time honour killings resulted from the leaking of women’s private information and images. In a society where women’s consent and their bodily autonomy is regularly violated and dismissed, technology often serves as a handmaiden of these patriarchal structures. Women accessing online spaces or using technology to express themselves or exercise pleasure have heartbreakingly been met with violence and censure. Qandeel Baloch subverted online spaces to express herself and her sexuality, only to be met with online violence and privacy violations which culminated in her murder at the hands of her brother. The 2011 Kohistan case, which saw the murder of three men and five young women due to a video in which they were dancing in their private home, took multiple investigations, intervention by the Supreme Court of Pakistan and nearly eight years to see justice. 

While a First Information Report (FIR) of the incident has been registered at Razmak police station in North Waziristan, we would urge the authorities to closely monitor the investigation and prosecution of the case given the heinous nature of the crime. Honour killings should not only be condemned across the board, but the action taken by the police and courts should reflect this. Too often, societal pressure, familial collusion and uneven application of the law have marred cases in the past. Since the Criminal Law (Amendment) (Offences in the name or pretext of Honour) Act, 2016, the law is clear regarding the limited ability of the family to pardon the perpetrator in cases of honour killings and the state must ensure that section 311 of the Pakistan Penal Code is implemented in its true spirit. In addition to ensuring justice against the honour killing, an investigation should also be launched into the leaking of the private and intimate video. These videos put women’s lives at risk and contribute to a culture where women’s bodies are consumed as objects for male pleasure. Women, through exploitative imagery, are dehumanised, blackmailed and often re-traumatised.

We also urge the state to take immediate and pre-emptive measures to ensure the safety of the other two individuals in the leaked clips. Particularly the security and privacy of the young woman must be ensured and should serve as a precedent for all future investigations dealing with leaked images and videos of women.

Unfortunately, honour killings are not a relic of outdated or fringe ideas, they are grounded in current notions of viewing women as familial and societal property, bearing the impossible burden of carrying the honour of the family, community and nation. In just the last month alone, there were six reported cases of honour killings only in Swat. Furthermore, it is important to state that digital rights such as privacy and protection from online hate speech should be universally enjoyed, however they are particularly important to ensure the safety of women and gender minorities in online spaces--for women and gender minorities, effective mechanisms ensuring the enforcement of these rights can be the difference between life and death.

May 15, 2020 - Comments Off on April 2020: Online Campaigns and Initiatives 

April 2020: Online Campaigns and Initiatives 

Joint Statement by Digital Rights Foundation and BoloBhi: The Digital Gap During the COVID-19 Pandemic is Exasperating Inequalities

DRF and BoloBhi released a statement regarding the impact of the digital gap during the COVID-19 pandemic and the exclusions that will arise in terms of class, gender, geographical location, ability, and digital literacy.

Read the full statement here:

Joint Statement by Digital Rights Foundation and BoloBhi: The Digital Gap During the COVID-19 Pandemic is Exasperating Inequalities

Girls in ICT Day 

DRF launched an online campaign for Girls in ICT Day on 23rd April to encourage more women to be part of the tech industry. The day emphasizes the need for women to be a part of the ICT sector and how women's access to technology is still limited and hindered. DRF asked women in tech about their experiences in tech and why it is important to keep online spaces safe and inclusive for women.

International Women’s Day: Media4Women 2020 Campaign

 DRF joined the global campaign with 48 partners from 21 countries committing to putting gender equality in the media on the local and international agenda. The global theme was Inclusive and Equal Portrayal of Women by the Media.

DRF’s campaign involved a design competition and quotes from network members on the problematic gender stereotypes portrayed by and in the media. The cash prize for the design competition was PKR 15,000, which was won by Amara Sikandar. Here’s her painting.  

About her design, she said, “Media plays an important role in promoting inclusivity and should put in all efforts to include their perspectives and talk about their rights as a step towards them having their lawful rights.”

Cyber Harassment Helpline 

The helpline’s toll-free number is finally operational. Thanks to the PTA, our number is operating remotely, helping our team to continue practicing social distancing while also assisting you all out too! You can now call us from 9 am till 5 pm, Monday to Friday, or email us on [email protected].

IWF Portal

Digital Rights Foundation (DRF) in collaboration with the Internet Watch Foundation (IWF) and the Global Fund to End Violence Against Children launched a portal to combat children’s online safety in Pakistan. The new portal allows internet users in Pakistan to anonymously report child sexual abuse material in three different languages – English, Urdu, and Pashto. The reports will then be assessed by trained IWF analysts in the UK.

The new portal can be found at

Ab Aur Nahin

In times of COVID19 domestic abuse is at an all-time high with women having nowhere to go and ask for help.  Aur Nahin is a confidential legal and counselor support service specifically designed for survivors of abuse. We provide a comprehensive directory of lawyers around the country to provide you with the support and assistance you need. You are not alone, and you do not need to fight alone.

Media Engagement

Spread of Disinformation has increased during lockdowns

During COVID19 disinformation is putting lives at risk especially when it is repeated and amplified by influential and political leaders, it puts true information at the risk of having an only marginal impact. Our Executive Director Nighat Dad  shares her thoughts about fake news in times of the pandemic.

Events and Sessions

Digital Security During The Pandemic

On 23rd April, DRF alongside our friends at ‘Bolo Bhi’ held an Instagram live session to address concerns following a rise in phishing attacks and sextortion emails. The session was moderated by Bolo Bhi’s Kashaf Rehman and our digital security expert and communications lead, Arslan Athar represented DRF and answered questions regarding digital safety during COVID 19.


May 5, 2020 - Comments Off on Digital Rights Foundation’s Legal Analysis of the 2020 Personal Data Protection Bill

Digital Rights Foundation’s Legal Analysis of the 2020 Personal Data Protection Bill

History of Data Protection Legislation in Pakistan

According to the UN, 107 countries across the world have enacted data protection and privacy legislation. In order to ensure the fundamental rights of its citizens and compliance with international human rights standards, Pakistan has also taken steps to enact a personal data protection law in Pakistan. Article 14 of the Constitution of Pakistan guarantees the Right to Privacy, however serious efforts to introduce a law were first taken in 2018 (though a draft Bill was put forward in 2005 but was deemed too weak) when the Ministry of Information Technology and Telecommunication (MOITT) introduced a draft Personal Data Protection Bill in July 2018 and invited comments from the public. The Bill was lauded as a good first step, however suffered from serious issues in terms of scope as it restricted the definition of personal data to “commercial transactions”, limiting its applicability to government-held data, and the proposed Data Protection Commission was not sufficiently independent in its functions and composition. 

A second iteration of the Bill was shared by the Ministry in October 2018, with slight improvements in terms of definitions but many of the same concerns remained especially when compared to international best practices such as the General Data Protection Regulation (GDPR). There was little headway by the MOIT since despite appeals from civil society and being taken up by bodies such as the Senate Standing Committee on Human Rights. The third draft of the Personal Data Protection Bill (referred henceforth as the “Bill”), was put forward by Ministry in April 2020.

Executive Summary

We appreciate the efforts by the MOITT in making data protection and privacy of citizens a priority. Furthermore, we welcome the consultative process adopted by the Ministry. However we hope that during a time when the entire world, including Pakistan, is under lockdown and reeling from the economic, social and public health implications of the COVID-19 pandemic, that such important legislation will not be passed hastily and without the opportunity for an inclusive and open consultative process.

The new 2020 Personal Data Protection Bill, while a better version in comparison to the drafts issued in 2018, still does not fully capture the data protection needs of people in Pakistan. The most prominent issue we see with the draft is the exemption-making and wide-ranging powers given to the Federal Government, in particular under Sections 31 and 38 which risk undermining the protections afforded under the Act. Government bodies collect and process vast amounts of personal data and the obligations in the Act must extend to them and the Government should not be able to introduce further exemptions without proper scrutiny and safeguards. Additionally, the independence of the Personal Data Protection Authority of Pakistan needs to be ensured, by limiting the powers of the Federal Government to appoint members and approve rules made by the Authority (Section 48).

The need for and reliance on technology has and will drastically increase during the COVID-19 pandemic and in a post-Coronavirus world where we will see a predominantly offline world transform into an online world. Access to online platforms of communication, healthcare, education and business is no longer a luxury. In the midst of all this, the need for protection of our personal data is essential more than ever.

Our primary recommendations to the Ministry are:
  1. Definitions of terms such as “Public Interest” and “Critical Personal Data” should be explicitly defined under the Act;
  2. The definition of “Sensitive Personal Data” should be expanded to include categories such as “membership of a trade union” and “philosophical and/or religion beliefs”;
  3. Implementation of the Act should be on a progressive basis to ensure a balance between rights protection and a grace period for data controllers to ensure compliance;
  4. Clearer language regarding scope and jurisdiction of the Act;
  5. Mandatory requirements for obtaining consent should be expanded to include information on intention to transfer of personal data to a third country and the level of protection provided, the existence profiling for targeted purpose, and the existence of automated decision-making;
  6. The Act should develop a higher consent standard for personal data of children and young adults below the age of majority;
  7. Clearer and minimum requirements for security measures for data controllers should be laid down in the Act;
  8. Data localisation measures introduced for cross-border personal data flows should be seriously revised in light of international best practices;
  9. Procedure for withdrawal of consent should be simplified to ensure that it is as easy for the data subject to withdraw consent as it is to give it;
  10. Rights of data subjects such as the right to data portability, right to information related to profiling and automated decision-making, and right to compensation should be explicitly included in the Act;
  11. Powers of the Federal Government to make exemptions under Section 31 be removed;
  12. Safeguards should be included to ensure independence of the Data Protection Authority;
  13. Powers of the Federal Government to issue policy directives under Section 38 should be removed.Find DRF’s detailed, section-by-section analysis of the Personal Data Protection Bill 2020 here.