PRIVACY UNDER ATTACK: WikiLeaks Reminds Us of the NSA/GCHQ Theft of Official Pakistani Citizen Data

On June 6th, The Intercept and other news outlets reported on a leaked National Security Agency report that analysed Russian military intelligence’s attempts to hack electoral systems days before the United States Presidential Election in 2016. In response to this news, WikiLeaks tweeted about “US + MI6” attempts to steal voter data, and linked to quotes made by Julian Assange, the organisation’s founder, in 2013 about this alleged data theft.

If yesterday's NSA report is accurate it is not unusual; US+MI6 set up a front to steal all of Pakistan's voters https://t.co/T0Gc6hyyHr pic.twitter.com/oERYoferNo
— WikiLeaks (@wikileaks) June 6, 2017

According to WikiLeaks and Assange, both the GCHQ and the NSA acquired access to the database of Pakistan’s National Database and Registration Authority (NADRA) to get hold of the identification records of Pakistani citizens, in order to be able to track anyone that they may suspect to be involved with terrorism. Though this revelation was initially shared four years ago, and published by Dawn on in 2011 as part of the overall Dawn/WikiLeaks partnership, the reminder by WikiLeaks has brought it back to public attention, at a time when concerns about privacy and global surveillance are as high as they have been since the end of the Cold War.

The popular website ProPakistani links to a transcript of a 2013 interview with Imran Khan, ex-cricketer and leader and founder of the populist Pakistan Tehreek-e-Insaf’s political party. In the interview, retrieved from the Internet Archives on Jan 14th 2013, Assange touches on the theft of voter data via a UK-based firm by the name of International Identity Service (IIS) in the UK, to serve as a consultant for NADRA. Details regarding IIS and the outsourcing project can be found here.

The portion of the interview in which Assange refers to IIS as a “front company” designed to facilitate the aforementioned voter data theft is as follows:

“Imran, we discovered a cable [09ISLAMABAD1642] in 2009 from the Islamabad Embassy. Prime Minister Gilani and Interior Minister Malik went into the embassy and offered to share NADRA – and NADRA is the national data and registration agency database. The system is currently connected through passport data but the Government of Pakistan is adding voice and facial recognition capability and has installed a pilot biometric system as the Chennai border crossing, where 30,000 to 35,000 people cross each day. This NADRA system, that is the voting record system for all voters in Pakistan, and a front company was set up in the United Kingdom – International Identity Services, which was hired as the consultants for NADRA to squirrel out the NADRA data for all of Pakistan. What do you think about that? Is that a…? It seems to me that that is a theft of some national treasure of Pakistan, the entire Pakistani database registry of its people.”

(Note: The link provided in the transcript no longer leads to the cable in question, so a direct link has been provided here, and a PDF of the diplomatic cable has been attached to this post as well.)

As indicated earlier, this diplomatic cable and many others were leaked in late 2010, and reported upon by Dawn and other news outlets. The information that it uncovered at the time not only continues to raise serious privacy concerns, but highlights a betrayal of the trust of Pakistani citizens, whether they live in Pakistan or overseas, and a blatant disregard for human rights and due process that the Government of Pakistan has yet to acknowledge. In order to set up a bank account, an internet connection, buy a SIM chip or perform any other public service or transaction, Pakistani citizens are required to hand over their personal biometric data to NADRA, with the belief that this agency will protect their personal information. Many do not mull over the consequences of handing over that data and trusting the system to their detriment.

According to the diplomatic cable from 2009, however, the then-Interior Minister Rehman Malik “offered to share NADRA-generated information on Pakistani citizens, within the constraints imposed by privacy concerns.” The willingness on the part of Pakistan’s ex-Prime Minister, Yusuf Raza Gillani, and Malik to go to the US Embassy in Islamabad and make the offer of sharing NADRA’s database makes this all the more perturbing.

Moreover, it makes citizens who work on the front lines, particularly journalists and human rights activists, especially vulnerable in this day and age, as they are unlawfully detained and harassed by government authorities, and forced to forego their basic constitutional rights and constantly live under surveillance. In May 2015, The Intercept reported on the US National Security Agency’s use of the mobile data of 55 million Pakistanis, to track and place Al Jazeera’s then Islamabad bureau chief on a watchlist back in 2012. The Government of Pakistan nor the US have as yet indicated how or why this information was passed on to the NSA, though the 2009 cable provides a possible suggestion, if only as speculation. This is not the first time any government official or agency has been targeted by international intelligence agencies, which goes to show how vulnerable security protocols and practices are at the national level, particularly when they are handed over to officials who are susceptible to misusing the personal data of citizens.

Here's a roundup of almost all the breaches in NADRA database to date and lack of accountability among officials [PDF].

Pakistani and international civil society organizations and human rights defenders have already raised concerns regarding punitive and draconian legislation, and the establishment of military courts, that have emerged in the country in recent years, with complete disregard of its citizens’ right to privacy. The diplomatic cable also provides a retroactively and additionally disturbing angle to the Prevention of Electronic Crimes Act - passed in August 2016 - which contains provisions that not only permit international government agency cooperation with regards to the data of Pakistani citizens, but also allow the Government of Pakistan to share data with partners even if they have not approached Pakistan themselves.

Through such measures, we as citizens are able, in real time, to see the Government of Pakistan embrace the expansion of surveillance powers and infrastructure to monitor its citizens and misuse technological protective measures, rather than improving the human rights situation in the country and meet their international law obligations. That the Government of Pakistan has not publicly acknowledged whatever part they may have played in the sharing of private citizen data reaffirms the need for strong and direct data protections and stringent transparency on the part of the state.