All Posts in Archive

December 10, 2014

Computers, Privacy & Data Protection 2015

Date: 21-23 January 2015
Place: Brussels, Belgium

Computers, Privacy & Data Protection (CPDP) is a non-profit platform originally founded in 2007 by research groups from the Vrije Universiteit Brussel, the Université de Namur and Tilburg University. The platform was joined in the following years by the Institut National de Recherche en Informatique et en Automatique and the Fraunhofer Institut für System und Innovationsforschung and has now grown into a platform carried by 20 academic centers of excellence from the EU, the US and beyond.

As a world-leading multidisciplinary conference CPDP offers the cutting edge in legal, regulatory, academic and technological development in privacy and data protection. Within an atmosphere of independence and mutual respect, CPDP gathers academics, lawyers, practitioners, policy-makers, computer scientists and civil society from all over the world to exchange ideas and discuss the latest emerging issues and trends. This unique multidisciplinary formula has served to make CPDP one of the leading data protection and privacy conferences in Europe and around the world. The panels of CPDP2015 will focus on key issues that cover all current debates: the data protection reform in the EU: European and Global developments, mobility (mobile technologies, wearable technologies, border surveillance), EU-US developments concerning the regulation of government surveillance, e-health, love and lust in the digital age, internet governance and privacy, and much, much more.

For more information and registration: cpdpconferences.org. Follow CPDP on Facebook (CPDPconferencesBrussels) and Twitter (@cpdpconferences). Contact: info@cpdpconferences.org

November 14, 2014

Press Release: 1st National Conference on Privacy Rights and Digital Surveillance in Pakistan

Islamabad, November 14, 2014: Digital Rights Foundation organized the country’s first National Conference on privacy rights and digital surveillance today in Islamabad. The focus of this national conference was to start a debate around the lack of legislation and laws pertaining to cyberspace, with a focus on privacy. During this conference, Waqas Mir, a lawyer from Lahore with expertise in constitutional law and free speech, presented a comprehensive whitepaper on surveillance in Pakistan. This whitepaper took the audience and readers through the history and development of legislation around privacy and surveillance in the country, with a focus on the recently drafted Fair Trial Act 2013.

DRF, in partnership with Privacy International and Freedom Network, organized this event to bring together members from all stakeholder groups, including lawyers, parliamentarians, journalists, civil society, and the public, to create a serious and continuous debate around having a consistent approach between surveillance and privacy. Multiple panels and session talks were held discussing global and local perspectives on surveillance in the digital age. Panelists also talked about solutions that could be employed, taking examples from other countries the world over, while going over case studies where common citizens, journalists, feminists, and dissidents at large have been harassed and attacked.

Senator Afrasiab Khatak, former member of National Assembly Bushra Gohar, and Ben Wagner, an international expert on the export of surveillance technologies, were also part of the panels, among other distinguished speakers. The conference concluded by recommending that the public use their Right to Information more assertively and frequently, and by demanding that the government ensure transparency and publish an annual report on the number of warrants granted for surveillance and the number of offences prevented by surveillance or interception of information.

The key points that were raised during this national conference on privacy and surveillance include:

  • Growing concerns over tools / mechanisms employed by government especially after FinFisher’s license expiry in 2013
  • Concerns shared by the journalism community over how surveillance has negatively impacted the standards of journalism in the country
  • Urgent need of legislation around digital security to safeguard citizens
  • Understanding of government’s need to employ legal surveillance in the face of serious terrorism threats, however, with strict definitions of ‘national security’ and ‘national threats’ while being proportionate to citizen’s privacy
  • The need to rethink the process of creating the laws putting protection before punishment and not the other way around
  • Palpable urgency felt to have a strong relationship between activists and political parties on privacy and surveillance concerns

This year’s national conference on surveillance tried to kick-start the debate around privacy and surveillance in the country. However, it will be furthered by the support of stakeholders and will be held annually to create a strong network producing tangible results and putting forward suggestions for the government.

Contact: nighat@digitalrightsfoundation.pk

– End – 

Digital Rights Foundation (DRF) is a research based advocacy organisation based in Pakistan focusing on ICTs to support human rights, democratic processes and better digital governance. DRF opposes any and all sorts of online censorship and violations of human rights both on ground and online. We firmly believe that freedom of speech and open access to online content is critically important for the development of socio-economy of the country. @digitalrightsPK

November 11, 2014

“The State of Proactive Disclosure of Information in Khyber Pakhtunkhwa and Punjab Public Bodies” Research Report Released

Lahore, November 11, 2014:

The second quarterly research report ‘The State of Proactive Disclosure of Information in Khyber Pakhtunkhwa and Punjab Public Bodies’ reaffirms our earlier finding that public bodies in both provinces are not complying with their respective right to information laws. Khyber Pakhtunkhwa and Punjab public bodies are required to proactively disclose the categories of information mentioned in Sections 5 and 4 of the Khyber Pakhtunkhwa Right to Information Act 2013 and the Punjab Transparency and Right to Information Act 2013.

The broader aim of this research report, conducted by Digital Rights Foundation, a member organization of the Coalition on Right to Information (CRTI), is to measure how public bodies have been using the web to make it easier for citizens to get information and file requests. A major aim of this effort is also to promote public bodies that are proactively sharing information with citizens of their own accord.

The current report indicates a serious lack of website maintenance by departments. In the process of doing research for the current report, many websites were found in the same state as they were during the previous quarter, in terms of both their conformity with RTI laws and the updating of their websites with regular news and information. This shows that while the public bodies have adapted to the latest web standards and have created and somewhat maintained a web presence, there is a significant lack of tangible reforms adopted to implement key sections of the respective laws of the provinces. Specifically, the public bodies do not share information pertaining to public employees’ remuneration, benefits, and any other privileges in line with the provisions of their provincial right to information laws.

The coalition and DRF have decided to add the websites of the information commissions of both provinces in the next phase of this research report. Commissions are expected to be a role model for other governmental bodies when it comes to maintaining websites that proactively share information with citizens of their own accord, along with outlining proper procedures with named contacts for citizens to ask queries.

Digital Rights Foundation urges Khyber Pakhtunkhwa Information Commission and Punjab Information Commission to ensure public bodies comply with the right to information laws and make available information specified for proactive disclosure under relevant provisions of provincial right to information laws. The websites of these aforementioned commissions will be included in the next quarterly report.

Link to the report: Proactive Disclosure Report

Contact: nighat@digitalrightsfoundation.pk

– End –

 

“Coalition of Right to Information seeks to promote an open information and communications policies at the federal, provincial and district levels across Pakistan. With various initiatives, the coalition of civil society organizations aims to promote citizen awareness and improve dialogue between the citizens and state.”

 

Digital Rights Foundation is a research based advocacy organisation based in Pakistan focusing on ICTs to support human rights, democratic processes and better digital governance. DRF opposes any and all sorts of online censorship and violations of human rights both on ground and online. We firmly believe that freedom of speech and open access to online content is critically important for the development of socio-economy of the country. www.digitalrightsfoundation.pk

November 10, 2014

Inside FinFisher: examining the intrusive toolset

FinFisher, a company known for making and selling a wide range of spy software to world governments for large sums of money, was hacked in the first week of August this year. The anonymous hackers leaked a 40GB torrent including the entire FinFisher support portal, with obfuscated information about the buyers, a list of the software they had purchased, the duration of each license, and their communication with the support staff. The leak helped human rights activists around the world identify the buyers, hold their governments to account for the purchases, and question the necessity of such a measure. Digital Rights Foundation also released a report detailing the evidence of Pakistan’s purchase of three software products from FinFisher.

The leak generated a lot of buzz, and rightly so. But the coverage from mainstream media and human rights organizations was primarily limited to reporting the leak, identifying the buyers, and the potential human rights implications. There hasn’t been in-depth coverage of the scope and capabilities of the whole set of software FinFisher sells. This is what we intend to do in the current article.

Understanding FinFisher

FinFisher is not just a piece of software. It’s a well-thought-out and sophisticated toolset, comprising both software and hardware, built from the ground up to gain access to people's private data and communications. It is well thought out in the sense that each tool complements the others in breaking into someone’s communication, and sophisticated in the way the tools are generally invisible to the person.

Figure: An overview of the FinFisher toolset.

At the time of the leak, FinFisher had 12 products available on its website: ten hardware+software solutions to break into computers and mobiles, a repository of 0-day and 1-day exploits that can be used to infect the target systems, and a training program. Among these solutions, FinSpy is the jewel of the crown. It is a remote monitoring solution that basically lets the buyer see everything someone does on their computer.

How Do They Break In

It is easier if they, or anyone they know, have access to the computer. FinFisher offers three solutions for this situation. Two of them (FinUSB Suite and FinFly USB) involve attaching a USB drive to the computer; it does not matter whether the computer is shut down or logged in, password protected or not. Once the USB drive is attached, the system becomes compromised. The third one (FinFireWire) is a set of adapter cards (FireWire/1394, PCMCIA and Express Card) and associated cables that, when attached, give access to a running but password-protected Mac, Windows, or Linux computer.

Four FinFisher solutions are designed for situations where they don’t have physical access to someone’s computer.

FinFly Net consists of a small portable computer that is attached to the router of a hotel or airport or any other “friendly” place and a laptop. Once the FinFly Net computer is [...] The management laptop can then see internet traffic being sent and received by the people attached to the network. It can also display a fake software upgrade notification to the target, which, when installed, gives complete access to that computer. Since this solution sits between all internet traffic going to and from the people connected to the network, it is also capable of inserting a software update notification (Adobe Flash, for example) on a legitimate website.

FinFly LAN can also attach spying software to legitimate files on-the-fly, while being in the same wired or wireless network. FinFly Web creates fake websites which make use of the loopholes in web browsers to instantly install FinSpy, the crown jewel in the FinFisher toolset.

FinFly ISP is a hardware solution deployed at an ISP to covertly install spy software on any computer in a city or country. This solution is able to “patch” any legitimate files being downloaded by people with spying software. Like FinFly Net, it can also issue fake upgrade notifications for popular software like iTunes. The computer becomes compromised as soon as the downloaded files are run or the software upgrade is applied.

FinIntrusion Kit is an advanced toolkit that includes a customized Linux laptop with a host of adapters and antennas and can break WEP and WPA/WPA2 passphrases.

What Can They See

A lot. But let’s go through it step by step.

IN CASE OF PHYSICAL ACCESS

The FinUSB toolkit can extract login credentials from common programs like email clients, chat messengers, and remote desktop tools. It can also silently copy recently opened, created, or edited files from the computer as well as browsing history, chat logs, and wifi passwords.

FinFireWire, after bypassing the login or lock screen, can recover passwords from RAM and copy all files onto an external drive.

IN CASE OF CLOSE PROXIMITY, LIKE AIRPORTS AND HOTELS

FinIntrusionKit, which only requires the target to be on the same network, such as at an airport or hotel, can capture usernames and passwords being entered on websites, in addition to any other internet traffic, even if it’s on HTTPS.

FinFly Net and FinFly LAN lead to the installation of FinSpy which then gives full access to all data and communications for a system.

IN CASE OF NO PHYSICAL ACCESS OR PROXIMITY

FinFisher provides FinFly ISP and FinFly Web to infect people who are not in close proximity. Once infected, full access to these computers will be granted.


A video detailing how FinFly ISP works

FinSpy: Jewel of the Crown

Marketed as a ‘remote monitoring solution,’ FinSpy is the multi-purpose spying software around which the whole company revolves. It opens a backdoor to the infected computer, allowing for live access to all files and data. It also enables access to the mic and webcam installed on the computer for “live surveillance.” It can also save an audio or video recording of each Skype call and send it to the buyer. And it can, FinFisher flaunts, “bypass almost 40 regularly tested antivirus systems.”

Figure: FinSpy Control Center. Note the area in red: those are the actions that can be taken on an infected computer.

We have a saying in Punjabi to seek refuge from something terrible: May this not happen even to my enemy. I'll end this post at that.

September 15, 2014

Week of Action: A World Without Mass Surveillance

Cross-posted from Jasoosi Band Karo

Many of us, no matter where in the world we live, are a target of mass surveillance, one way or the other. Either by our own government or by the governments of other countries where our Internet communications reside or pass through, or by both. Is it really necessary to surveil everyone? How does the human right to privacy hold up? Shouldn’t this be public knowledge if blanket mass scale surveillance is being carried out on our communication?

Questions like these prompted the Electronic Frontier Foundation (EFF) to lead a global effort to apply existing human rights laws in the context of this age of surveillance that we live in. The collective effort, comprising “over a year of consultation among civil society, privacy and technology experts,” resulted in the publication of the International Principles on the Application of Human Rights to Communications Surveillance. Called the 13 Principles for short, the document, which lists a set of rules for the world's governments to adhere to if they must engage in mass surveillance, was formally launched in September last year.

Today marks the beginning of a week dedicated to the anniversary of the publication of the principles. Digital Rights Foundation is also one of the signatories of the 13 Principles. As a signatory, we want to take this opportunity to share the principles with the broader public in Pakistan. Every day from today, Sep 15, till Friday, Sep 19, we will be speaking about the principles in the Pakistani context. The aim is nothing but to secure the privacy that you, us, and everyone deserves. You should follow the conversation on our Twitter and Facebook feeds, if you don’t already.

September 10, 2014

Turkey with its 29 Tweeters Still Behind the Bars Makes IGF ’14 Quite an Ironic Event

As we close off the Internet Governance Forum 2014 here in Istanbul and as I leave for Lahore, I can’t help but feel that this year's IGF kept on with its tradition of being a "talk-house" for the past few years, creating no tangible actions. Sponsored by the United Nations, IGF hosted some 3,000 government, corporate, and civil society leaders and representatives, making it a perfect venue for talking about difficult challenges, moving forward and making decisions. The event is organized every year to help shape the future of the Internet; however, it feels as if this reunion every year is drifting away from the actual problems concerning the people of the Internet, especially in the authoritarian countries.

IGF certainly retains its singular prestigious place for highlighting challenges in an open-ended consultative process, enabling civil society and individuals voice their perspectives and concerns during the conference. However, it was felt throughout the civil society community that government officials weren’t keen on engaging in the dialogue discussing serious concerns about unfortunate events that have happened in their respective countries.

Being hosted in Turkey, it was an important place to discuss internet governance where government officials could have set a precedent for digital governance elsewhere. Turkey’s prosecution of 29 Twitter users has been a global example for the repressive regimes. The government prosecuted these tweeters, who are being tried in Izmir and face up to three years in jail for posting critical tweets during last year’s protests. This case was charged by the Turkish officials as one to “incite the public to break the law”. It is this stark hypocritical stance of the government to host one of the most important internet governance events in the country all the while censoring and harming freedom of speech online domestically.

To talk about repressive regimes’ ruthless behavior towards human rights activists and the hush by the government officials at the IGF, a group of civil society members and individuals hosted another conference during the IGF week. Titled as Internet Ungovernance Forum, the conference was organized to demand a free, secure, and open internet with fundamental freedoms, openness and net neutrality. Proving to be a vivid example of the increasing lack of empathy on the IGF forum, this group of Turkish activists weren't allowed to attend the conference. Ungovernance Forum's stakeholders believed that due to the representation of various governments that “don’t deserve” representation at a forum like IGF, ungovernance forum is designed to talk about the most important issues, create a space to raise voices of civil society members and common people, and then solve these problems while working towards a path for action.

Participants at this year's IGF also felt an evident gender gap especially during the opening ceremony. Freedom House presented this statement about the lack of gender equality at IGF 2014:

The 2014 IGF included numerous workshops on topics of human rights, including freedom of expression, gender, privacy, and access. Yet the value of this enterprise is undermined when governments can use the IGF to promote themselves, but civil society groups are forbidden by the ad hominem principle from criticizing them. Likewise, gender equality cannot genuinely be discussed when the vast majority of individuals at high-level meetings, delivering speeches, and participating on workshop panels are men. Access also cannot be addressed when remote participation fails to adequately provide two-way discussion from those who cannot attend in person. The IGF should include these voices not only to promote multistakeholderism and inclusion, but also to improve the quality of discussion and the prospects for solutions.

Active participation of civil society members and individuals in the Ungovernance Forum shows sheer disappointment that was felt in the fraternity having attended the IGF in Turkey which failed to acknowledge its own domestic internet governance challenges. While we may dream of creating better future for Internet and its citizens, it is of the utmost importance to talk about the most pressing issues when it comes to online freedom of dissidents and common people. Failure of the host country by ignoring hard questions put up by the journalists only undermines the importance of freedom of speech online. Unless repressive regimes aren’t ready to talk about their internal issues and lack of empathy towards their own citizens, it is only but ironic to see such states having an incredible part in the future of the Internet. God forbid how oppressive and censored that future is to be.

 

September 5, 2014

Taking Back the Internet!

Internet Access

Free access to the Internet is a fundamental human right.

Rebecca MacKinnon in her speech at TED, talks about how in the past, our sovereignty was determined by the boundaries set by nation-states. But today in an age of technological innovation, the new sovereigns are not the nation-states but rather the ones who control the world’s technology. And so companies like Facebook, Google, Microsoft and Apple can decide what we can and cannot do in the digital space.

The question is; how can we balance the need of security and law enforcement without compromising free speech? We can start by understanding that the whistleblowing by Wikileaks was not a crime, but a necessary curtain-raiser. If private data of the government needs to be protected, then so does the private data of every citizen. This is where we take back the Internet; this is where we realize that we cannot let the digital media be controlled the way the mass media has been.

Individuals should have free access to use and create anything on digital media, especially in developing countries like Pakistan where the traditional media is often either censored or tailored to suit the need of political and social mafias. In an age where digital media has allowed everyone to have a level-playing field, we must not let the referees favor any one side.

September 4, 2014

DRF condemns the gang rape of two women in Faisalabad

Online Abuse

In an age where a person’s hard-earned reputation can easily be destroyed with the click of a button, one doesn’t need to hire an assassin to do the job. This is what happened when the rape of a young girl was filmed by the rapists, who threatened to upload the film online if the girl tried to tell anyone. First you rob a woman’s soul, and then you take away her voice too. Digital Rights Foundation has been campaigning for the last few years to make women who suffer such abuse speak out against it and stand up against online sexual exploitation.

Women in Pakistan have also been susceptible to legal manipulation simply because of political inertia. Many of the laws designed during the time of President Zia-ul-Haq like the Zina Ordinance hugely favored the men, but have continued to be wrongly justified in the name of Islam ever since. A woman’s report of her rape in a police station is taken as her confession of adultery, and she is given the death sentence. But the man escapes free. There are hardly any legal remedies in Pakistan that women can subscribe to. They are not allowed to use their right to divorce in many courts even though they have been allowed to use it by their religion. Women are also not given much protection under statutory law and are rather victimized more often than not than being treated as the victim. Unfortunately, women suffer the same lack of protection online that they do offline.

With its latest campaign ‘Hamara Internet’, DRF aims to protect women against cyber abuses, amongst its many other objectives. The Internet should not be a place where nothing is private anymore, but a place where an internet user can protect his privacy and yet have absolute freedom to enjoy the resources available due to an open web. With social networks like Facebook & Twitter and video sharing platforms like YouTube quickly turning any popular content viral, it needs to be ensured that such content does not make public anything that promotes violence.

Recent digital security breaches have confirmed just how vulnerable the Internet is. With Facebook accounts routinely hacked in Pakistan, women and young girls are the most vulnerable internet users and often made to suffer from cyber abuse with their private pictures being photoshopped deceptively into erotic poses and sometimes even total nudity. Women, especially in a closed and patriarchal society like Pakistan, need to be aware how they can protect themselves against heinous cyber abuses.

Many people see restricting the access to the Internet as the only solution. They only need to ask themselves one question first: when their body gets dirty, do they go take a shower and wash their body or do they dig up their grave and bury themselves? We can’t criticize the medium for the fault of its users. This is what DRF aims to achieve with its campaign ‘Hamara Internet’ - ‘Our Internet’, the web Pakistani women want - an Internet for everyone to freely enjoy and take benefit of equally irrespective of whether they are men or women.

September 4, 2014

Massive Uproar in Pakistan due to Instagram’s Ban

Instagram

Instagram was banned in Pakistan for a short while on 29 August 2014.

For photographers, photojournalists and digital media marketers, whose bread and butter was Instagram, it appeared to be a nightmare. At first it appeared to be a server error, but when PTCL confirmed to Twitter users that the unbelievable really had happened, the online community burst into total fury.

While YouTube had a reason to be banned because of the controversial anti-Islamic film, the Pakistan Telecommunication Authority gave no reason why the Instagram ban was necessary.

Concerns over whether Facebook was going to be targeted next by the censorship police hit the social media community as they vented their frustration online.

For some reason the PTA believes that banning the medium is the only way to stop a message from proliferating. What if some day you got to know that the television has been banned because of some controversial channels? What if some day you are told that the entire newspaper industry is banned because of one contentious article in a newspaper? Sounds ludicrous, doesn’t it?

Although Instagram was restored a few hours later, what really happened is still a mystery. Whatever the case, the only question is: are Twitter, Facebook, and Pinterest coming up next? Will this bombardment on social networks by the PTA ever stop?

August 22, 2014

Pakistan is a FinFisher customer, leak confirms

In the first week of this month, someone hacked into the servers of FinFisher, the notorious surveillance software maker, which was reported to have two command and control servers inside Pakistan last year. The hackers got hold of whatever they could find on the server and leaked it as a torrent. The 40Gb torrent contains the entire FinFisher support portal including the correspondence between customers and the company staff. It also contains all the software that the company sells as well as the accompanying documentation and release material.

What is FinFisher?

FinFisher is a company that sells a host of surveillance and monitoring software to government departments. The primary software, FinSpy, is used to remotely access and control the computers or mobile phones belonging to the people being spied on. The company offers several methods to install FinSpy, which range from a simple USB drive that can infect a computer to a kit installed at the ISP that directly attaches the trojan to legitimate files while they are being downloaded. The whole FinFisher toolset is designed to give the people buying this software access to emails, web browsing history, and any other activity performed by the “targets.”

Is Pakistan a FinFisher customer?

Apparently, yes. A University of Toronto based research group called Citizen Lab released a report last year identifying two FinFisher command and control servers on the PTCL network. But this recent leak gives us a more complete and conclusive picture. The leaked support portal tells us that someone from Pakistan in fact licensed three software products from FinFisher for a period of three years. The systems Citizen Lab identified were probably the computers hosting the FinSpy server program and were merely using a PTCL DSL connection. PTCL, the company, we think was not involved. If not PTCL, then who? It could be anyone, but since FinFisher only sells this software to government agencies, it was most likely one of the many intelligence agencies operating within the Pakistani government.

In one of the “critical” support tickets that we have extracted from the FinFisher support portal, someone identifies their name (redacted in this article) and location (Pakistan) and complains that their problems are not being addressed through Skype (which we presume was the primary way FinFisher provided help to the customers). The FinFisher database identifies the said customer with the username 0DF6972B and ID 32.

What was purchased?

After that clue, we looked further into the purchase history of Customer 32 and their correspondence with FinFisher staff and found out that they have licensed not one but three software products from the spy software maker. The primary software, FinSpy, is used to target people who “change location, use encrypted and anonymous communication channels and reside in foreign countries.” After FinSpy is installed on a computer or a mobile phone, it can be—according to the product brochure—“remotely controlled and accessed as soon as it is connected to the internet/network.”

In addition to FinSpy, Customer 32 also purchased another software product called FinIntrusionKit to hack into hotel, airport, and other wifi networks to catch “close-by WLAN devices and records traffic and passwords”, extract “user names and passwords (even for TLS/SSL encrypted sessions),” and “captures SSL encrypted data like webmail, video portals, online banking and more.” The third software product is a tool to infect USB devices so that whoever plugs them in becomes a target of surveillance.

How does Pakistan FinFish?

From the support tickets filed by Customer 32, we also get to know that whoever in Pakistan purchased FinFisher used it, for instance, to infect harmless MS Office documents, particularly PowerPoint files, and sent them to people they wanted to spy on. The simple act of opening the infected files led to their computer being put under constant surveillance, including emails, chats, and other activity.

Customer 32 also used FinFisher to covertly steal files from the “target” computers. All the files of those who were targeted were readily available but Customer 32 wanted more, as outlined in another support ticket: “the agent be able to select files to download even when the target is offline and whenever the target comes online, those selected files may be downloaded without the interaction required from user.”

While we know that FinFisher is deployed in Pakistan, some questions remain to be answered. As citizens of a democratic state, it is our right to know who is using this surveillance software in Pakistan, how much budget is being spent on these licenses, and what laws and regulations are being followed for deploying this software.

Update [Sep 15, 2014]: How much did it cost?

WikiLeaks today released a list of countries that bought software from FinFisher and the associated cost that was paid. The cost was calculated using a price list they found inside an Excel file. Pakistan, as per the revealed price list, paid €432120 (or 57 million Pakistani rupees) for the three software products that were purchased.

---
From our earlier coverage:
» Global Coalition Of NGOs Call To Investigate & Disable FinFisher's Espionage Equipment in Pakistan
» FinFisher Commercializing Digital Spying – How You can be a Victim?