All Posts in Focus Areas

September 21, 2015 - Comments Off on Standing Comm. Passes Draft of PECB, Unseen by Comm. Members

Standing Comm. Passes Draft of PECB, Unseen by Comm. Members

On September 17th 2015, the National Assembly's Standing Committee on Information Technology passed the final draft form of the Prevention of Electronic Crimes Bill, which will now be sent to the National Assembly for final approval.

Disturbingly, members of the committee were not shown the draft form of the bill before its passage. PPP MNAs Shazia Marri and Nauman Islam Sheikh, and PML-N MNA Awais Ahmad Khan Leghari, rightly objected, stressing that the draft bill could not be approved until they and the other members of the committee had read the finalised draft.

Capt Mohammad Safdar (Ret'd), Standing Committee chairman, overruled these objections, saying that as he had seen the draft, that would be sufficient grounds to pass the draft.

Final Draft of the Prevention of Electronic Crimes Bill, September 17th 2015.

See our previous and ongoing coverage of the cybercrimes bill, here: http://digitalrightsfoundation.pk/work/cyber-crime-bill/

August 18, 2015 - Comments Off on Digital Rights Foundation stance on privacy and data retention provisions in the 2015 Prevention of Electronic Crimes Bill

Digital Rights Foundation stance on privacy and data retention provisions in the 2015 Prevention of Electronic Crimes Bill

Digital Rights Foundation recognises that the government must protect its citizens, as is its duty, especially in turbulent times. Digital Rights Foundation also recognises, however, that the government must do so in a manner that also protects the right to privacy and the right to freedom of expression.

Legislation that effectively tackles cybercrime and terrorism is vital. What the Prevention of Electronic Crimes Bill does, however, is move beyond what is necessary, and instead violates the civil rights of citizens, in the name of security. The government has been very reluctant in allowing for public oversight in regards to the PEC Bill, and has made amendments without sufficient involvement with, or indeed alerting civil society stakeholders to, the amendment and process.

The Bill as it stands contains a number of provisions that run of the risk of being open to very broad interpretations that could lead to sweeping penalty measures that would in effect criminalise innocent online and offline behaviours. Civil society stakeholders have submitted a legal draft to the IT Standing Committee of the National Assembly, that seeks to address and amend said provisions in a manner that balances the need for security with the need to respect the civil liberties of Pakistani citizens.

What remains, however, is that while civil society stakeholders have provided invaluable legal input, there still remain areas of great concern for Digital Rights Foundation and our colleagues in civil society.

Of concern to Digital Rights Foundation in particular are continued mandatory retention of data, as well as the decision to continue with allowing the government to forward information to international partners, if so requested. There is a lack of a clear oversight regarding this international cooperation, and this is a matter that must be addressed, as it violated the right to privacy of Pakistani citizens.

It is our concern that the Bill as it stands does not protect citizens effectively, and does not protect their right to freedom of expression and their right to privacy. Thus, Digital Rights Foundation cannot support the Government of Pakistan's cybercrime legislation.

Privacy International & Digital Rights Foundation joint legal analysis of the PEC Bill

Article 19 & Digital Rights Foundation's Legal Analysis of the PEC Bill

July 24, 2015 - Comments Off on Unlawful Interception: Pakistan’s intelligence agencies, Hacking Team, & the abuse of communication surveillance powers

Unlawful Interception: Pakistan’s intelligence agencies, Hacking Team, & the abuse of communication surveillance powers

Earlier this week, Privacy International released their in-depth report on the state of surveillance in Pakistan, Tipping the scales: Security & surveillance in Pakistan. Available to the public, the report examines the exponential rate at which communication surveillance measures have been undertaken by the government of Pakistan defended as being necessary to combat internal and external threats to the nation. However, while it is the role of the state to protect its citizens from internal and external threats to their life and liberty, this echoes an all too common rationale used by foreign governments and intelligence agencies worldwide to justify ever increasing surveillance of their own citizens, and to limit or remove the legal rights of those same citizens to push back against the invasion of their privacy.

The “Global War on Terror” has seen law enforcement agencies worldwide request and in most instance receive millions in “anti-terrorism” funding, as well as broader powers with oft-generous leeways, to tackle terrorism as they see fit. Armed forces, intelligence agencies and law enforcement departments worldwide will direct such largesse towards the acquisition of and greater access to technologies that allow them to spy on their own citizens. Since September 11 2001, this had led to the rights of citizens abroad violated by their own governments, who will carry out surveillance without proper public oversight – if at all. Activists, journalists, politicians and other ordinary citizens with no link to terrorist groups whatsoever have found themselves under observation, and often without any legal recourse.

As a partner in this “War on Terror”, Pakistan is no different, with its military forces receiving generous levels of funding from the government as well as from its international allies, to tackle its own conflicts against armed militants. It has also given broad powers and authority to state agencies, to tackle what they argue is language and behaviour that is detrimental to the reputation and safety of Pakistan. Coupled with bans on encryption and forms of proxy software, what this has led to, according to Privacy International's report, has been an abuse of:

"...their (Pakistan's intelligence agencies) communication surveillance powers, including spying on opposition politicians and Supreme Court judges. Widespread internet monitoring and censorship has also been used to target journalists, lawyers and activists."

Privacy International's report also reveals that Pakistan's Inter-Service Intelligence Agency (ISI) wanted to expand their surveillance capabilities via the commission in 2013 of a:

"mass surveillance system to tap international under- sea cables at three cable landing sites in southern Pakistan. The “Targeted IP Monitoring System and COE [Common Operations Environments]” would allow Pakistan to collect and analyse a significant portion of communications travelling within and through the country at a centralized command centre. With a projected intake of an estimated 660 gigabytes per second, the system would amount to a significant expansion of Pakistan’s communications intelligence gathering capacities."

To create such a system to strengthen one's surveillance efforts, it has become de rigueur to reach out to the private sector for hardware and software surveillance solutions. A multi-billion dollar industry, commercial surveillance firms have found no shortage of potential clients in the wake of post-September 11th attacks attributed to terrorist organisations or lone wolves. The Privacy International report highlights how Pakistan's intelligence agencies and security forces, represented by partners in the Pakistani private sector, sought to purchase products and services to allow them to expand their surveillance abilities, to infiltrate the digital devices and computers of citizens, from international spyware firms.

Earlier this month one of these companies, the controversial Italian spyware manufacturer Hacking Team, was hacked. The firm's official twitter account was taken over on July 5, and links to over 400 GB worth of internal Hacking Team data were provided, which in turn were shared by WikiLeaks and others. This hack allows us to explore how Pakistani intelligence agencies purchase the technology and services they require for greater surveillance creep.

A controversial player in the commercial digital surveillance industry, Hacking Team has frequently asserted that it goes to great lengths to ensure that its software is not utilised to undermine human rights. The internal communications and invoices unearthed, however, strongly contradict the firm's claims. Communications with representatives indicate little concern made regarding misuse of HT's software packages to undermine human rights activities – they are, instead, reassured and informed that there will be no trouble in operating in particular regions. Hacking Team's core business centred around their Remote Control System (RCS) software suite, which allows customers to infiltrate the computer and mobile devices of targeted individuals and install backdoors, in turn allowing for undetectable monitoring at will. Hacking Team's RCS, also known as Galileo, allows customers to (according to their promotional material):

Keep an eye on all your targets and manage them remotely, all from a single screen. Be alerted in incoming relevant data and have meaningful events automatically highlighted.

Remote Control System: the hacking suite for governmental interception.

Right at your fingertips.”

If the modus operandi of Hacking Team and Galileo sounds familiar, it should: Finfisher, a surveillance software package released by Gamma International Ltd in 2007, was brought to the world's attention in August of last year, due to a 40 GB leak that exposed the company's internal communications and financial history, as well as the governments that purchased – or were interested in purchasing – Finfisher for domestic surveillance purposes. Finfisher, like Hacking Team's RCS/Galileo software suite, allowed customers to infiltrate the computer systems of targeted individuals, and install software undetected. Digital Rights Foundation has covered Finfisher and how it operates here.

Finfisher's "Remote Monitoring and Deployment Solutions" and Hacking Team's RCS have something else in common: both were of interest to Pakistani companies, working on behalf of domestic military intelligence and intelligence agency clients. An examination of Hacking Team's leaked internal data uncovered email communications between Hacking Team and Pakistani IT company representatives between 2011 and 2015. Also uncovered were internal communications, mostly in Italian, between members of Hacking Team regarding their thoughts on potential Pakistani partners, as well as sharing and discussing news articles pertaining to the security situation in Pakistan and South Asia. Unlike Finfisher, the data leaked does not appear to indicate that a successful purchase of RCS/Galileo was made by Pakistani buyers.

"You can compare them to MI5": Pakistan's Interest in Hacking Team's Tech

The extensive data leak reveals the manner in which Hacking Team communicates with representatives of potential clients in Pakistan. Sensitivity is requested by representatives in regards to the identities of their clients; preferential treatment; verification of identities by clients, visa invitation letters; VIP guest ticket requests; interest in specific software and service demonstrations, and internal discussions regarding client representatives are covered in the emails. Below are samples of the email communications between Hacking Team and potential customers:

January 18th 2011 marks the earliest recorded communication (as collected by Wikileaks and other sources) between Hacking Team and Pakistani client representatives. Marco Bettini, HT's International Sales Manager, is in communication with Zeeshan Zakaria, Chief Executive of Defence Solutions & Systems Ltd (DSS), a Lahore, Pakistan-based company. The email, part of a long response thread entitled “R: R: R: R: Demokit” in response to Mr. Zakaria's previous email that states that there will be “4 guests who will see the demo. We will require you to do the demo.” In the email Mr. Zakaria also says that he will “appreciate if you dont (sic) offer your prices or product to anyone else in Pakistan for the time being.” Mr. Bettini asks for the name of the guest “in order to require the badges for ISS admittance” and if he, Mr. Zakaria, will be attending as well. Hacking Team does not”give any exclusivity based on country”, says Bettini, but they can “block” other companies asking for “any activity or quotation for the same customer” if Mr. Zakaria can provide the name of the agencies he is working with.

(As ISS comes up quite often in Hacking Team emails, it should be explained at this point that ISS in the context of the emails is an abbreviation of “Intelligence Support Systems for Lawful Interception, Electronic Surveillance and Cyber Intelligence Gathering”. The website for the ISS describes it as thus:

ISS World Middle East is the world's largest gathering of Middle East Law Enforcement, Intelligence and Homeland Security Analysts as well as Telecom Operators responsible for Lawful Interception, Hi-Tech Electronic Investigations and Network Intelligence Gathering.”

In 2011, the ISS conference was held in Dubai from February 21-23, 2011. Among the conference's sponsors as of 2015? Hacking Team, Finfisher, and Gamma Group. Though a separate entity since October 1st 2013, Finfisher was established in 2007 as part of the Gamma Group.

The following day, an email from Ali Ahmed of Miran International – according to its website, a Karachi-based “company specialising in security, defence and telecommunications” - is forwarded by David Vincenzetti, Hacking Team's CEO, to rsales@hackingteam.it, concerning an inquiry “from one the premier Intelligence Agencies in Pakistan” in regards to “infecting of GSM handsets.” (sic). Unaware of the earlier communication to HT by DSS, Miran International is interested in partnering with the Italian firm in Pakistan for the project if the latter has not already found a partner in the country.

"K Block" refers to the HQ of the Intelligence Bureau, at the Secretariat in Islamabad, Pakistan. Image Via Wikileaks.

"K Block" refers to the HQ of the Intelligence Bureau, at the Secretariat in Islamabad, Pakistan. Image Via Wikileaks.

The following day Hacking Team contacts Mr. Zakaria of DSS, asking him to provide the names of his guests. He is also informed by HT that they “are already involved in other opportunities in Pakistan.” “To protect your job,” the email from Mr. Bettini continues, “please inform me as soon as you can the agencies and contacts you are working with.” (sic). Following this email, Mr. Ahmed of MI is sent anemail by Mostapha Maana, Hacking Team's account manager for the Middle East region, similar to the one sent by Mr. Vincenzetti, asking for the agency letter, to check if they are already “in contact” with the client in question. It bounces back, and is sent again on the 21st by Mr. Maana. Mr. Maana gets in touch with Mr. Zakaria of DSS , and knows that “ we have been trying to work together since 2008”. As before, Mr. Zakaria is asked for the names of his clients “in order to protect your job”. Mr. Zakaria responds that “at this stage I think we should not discuss the names of the customers as it is a little sensitive.” Mr. Maana then responds, saying that he needs to know the names of the clients “otherwise I cannot refuse to meet the other Pakistan company at the ISS. By the way, I already know the name of this company's customer.”

It is at this point that Mr. Zakaria identifies the customer/client as being the National Police Bureau, with names of the officers attending the conference being named in the email. He requests that VIP invitations be arranged for the officers as “they are very interested your product.”

Hacking Team outlines to how RCS/Galileo works to the representative for a potential client.

Hacking Team outlines to how RCS/Galileo works to the representative for a potential client. Image via Wikileaks.

We come back to Miran International, who, whilst requesting a Non Disclosure Agreement (NDA) have listed their clients: Pakistan's Intelligence Bureau (IB) and Inter-Services Intelligence (ISI). “You can compare them to MI5 and MI6” Mr. Ali Ahmed offers helpfully. According to the Miran representative, “they're the only 2 agencies in Pakistan allowed to use voice interception and location products like A5-1 gsm interception systems.” (sic) *. “ISI and IB are the top agencies in Pakistan with no budget issues” he continues, “allowed to purchase without the tendering process.”

(*An example of what they could be referring to, for a point of reference, could be this: http://www.cellularintercept.com/ecom-prodshow/gsm_intercept.html)

Miran International and Hacking Team continue to discuss potential cooperation until early 2015, when internal emails between members of Hacking Team appear to look upon Miran International, and its sister company Vision Metric with some concern, and there is no update after February 26th of this year, when David Vincenzetti appears to remark that it is “una perdita di tempo” - a waste of time.

Hacking Team's CEO appears to have become fed up with this potential deal, calling it "a waste of time."

Hacking Team's CEO appears to have become fed up with this potential deal, calling it "a waste of time." Image via Wikileaks.

The communications between Hacking Team and Miran International may have been fruitless from the former's perspective, but a perusal of the communications between the two unearths other details. We learn, for instance, Gamma Group's representative in Pakistan was “very active in Islamabad with ISI” (sic) (though unsuccessful), and that Gamma Group's Sales Director, Edgar Bucheli, was in touch with senior ISI officials.

Here the representative passes on the information that the Intelligence Bureau (IB) is interested. Image via Wikileaks

Here the representative passes on the information that the Intelligence Bureau (IB) is interested. Image via Wikileaks.

As for DSS, communications between them and Hacking Team continue until early 2014, and then stop, apparently due to a lack of success on the part of this company as well.

This does not stop Hacking Team from being approached by Pakistani companies, such as United International Technologies (UIT), which “has been in the Pakistan market for 35 years and is the Pakistan company representative for global defense and aerospace companies such as BAE Systems, Rockwell Collins, QinetiQ, Chemring Group and Poongsan among others.” UIT contacts Hacking Team via email on February 27th 2015, and until the 5th of March discuss NDAs and the “end users” or clients of UIT, “Pakistan Army Military Intelligence and/or ISI.” UIT informs them that they will be at the 2015 ISS conference in Dubai, from the 16th to the 18th of March. As of the 5th of March, UIT is “at a very preliminary stage.” Nothing else follows.

Hacking Team and its international partners discussing a new ISI head, as any work with the "current one is a waste of time.

Hacking Team and its international partners discussing a new ISI head, as any work with the "current one is a waste of time.

What is noticeable about communications between Hacking Team and the representatives of potential client is the plainly laid out request for software that provides the customer with the ability to infiltrate and monitor communication traffic. What is conspicuous by their absence are any concerns raised about human rights or other ethical considerations.

Here the representative clearly states what the client wants.

Here the representative clearly states what the client wants. Image via Wikileaks

The private companies mentioned in this post are just a few of the many that vie for contracts from the armed forces, the police forces and intelligence agencies of Pakistan, to offer the latest in software packages that ostensibly help protect the citizens of Pakistan. The reality is that the tools that are purchased on behalf of the forces and agencies mentioned are being chosen specifically because they are advertised as being able to bypass security measures that allow users privacy and a sense of safety, with next to nothing in terms of official restraint or public oversight.

To purchase and utilise such measures without clear lawful authority violates the rights of Pakistani citizens, as laid out in the International Covenant on Civil and Political Rights, to which Pakistan became a signatory in 2010. The representative from Miran International wrote in his email that ISI and IB have “no budget issues”. On the contrary, the money which pays for the supposed free rein of these agencies comes from the taxes paid by Pakistani citizens. With no public oversight, the taxes collected from citizens are being used to finance the purchase – or research the purchase of – equipment that violates their rights.

Privacy International's report, Tipping the scales: Security & surveillance in Pakistan, can be downloaded here.

Written by Adnan Chaudhri

May 29, 2015 - Comments Off on Internet.org & Facebook’s Illusion of Choice

Internet.org & Facebook’s Illusion of Choice

If you don't have Telenor, this is what you get.

 

On May 28th, Telenor Pakistan (a wholly-owned subsidiary of the Norwegian telecommunications Telenor Group) formally announced that it had partnered with Facebook on the latter's Internet.org initiative. According to Facebook and its partners, the objective of Internet.org is to provide selected internet services for free. At first blush, this comes across as a boon for citizens in the developing world, where data services can be expensive for many. Being able to access the internet without running up large bills, and without draining one's monthly data package allowance sounds ideal. By signing up to Internet.org, Telenor's mobile subscriber base in Pakistan – which at last counts comes close 35.2 million – will have access to a list of websites and internet services, which Techjuice has listed here. With Telenor as a start, more people in Pakistan will have greater access than ever before, and for next to nothing.

Beyond the altruistic sentiment, however, all is not well. Rather than giving people greater choice, in reality what Internet.org and its backers are offering is limited and leaves everyone worse off, down the road, creating and encouraging two-tier internet access that, in the long run, makes losers out of us all. Pakistani Tech activists and entrepreneurs have expressed their dismay Facebook and Telenor's launching of the initiative. Arzak Khan of Internet Policy Observatory Pakistan, for instance, expressed deep concern that an established operator like Telenor is joining Facebook's Internet.org initiative and launching what is a limited and insecure internet. The impact of such a move will stifle investment in infrastructure development and threaten freedom of expression, equality of opportunity, security, privacy and innovation."

We don't support Internet.org”, say activists such as Sana Saleem of Bolo Bhi. I believe that they are changing the way that people will access internet in the future for the next billion they are making internet insecure and  limiting their access by suggesting that only these few websites and apps are approved by Facebook, it is against the principle of Net Neutrality and it limits people’s access."

The belief that internet service providers should not discriminate between different forms of content, thus guaranteeing a level playing field for all websites, is one of the key guiding principles behind the preservation of a free and open internet. This belief, known as Net Neutrality, is what ensures that your access to Dawn.com is the same as your access to Express Tribune, or Project Gutenberg. By not favouring or blocking a particular website or service, people are able to access the internet with the freedom of choice, regardless of financial or social background. By offering a select number of websites and services for free solely to people that have subscribed to one of its partners, Facebook is acting in direct violation of the concept of Net Neutrality, by favouring some websites/services and denying access to others. Should Telenor Pakistan subscribers choose to visit websites or services that are not on the proscribed list, they will have to do so outside of Internet.org. What Internet.org offers is the opposite of Net Neutrality, and is known as Zero Rating, defined by Access Now as “the practice by service providers of offering their customers a specific set of services or applications that are free to use without a data plan, or that do not count against existing data caps.” The nature of zero rating has meant that it has been banned or restricted in countries such as Canada and the Netherlands. Nonetheless, this discriminatory practice has been received with open arms in Pakistan. To quote Ghaus Iftikhar Nakodari, Founder of Jumpshare:

The walled garden approach of making a select few websites available for free will hurt businesses who work so hard to compete in their market. If this trend takes off, I am afraid internet providers will start charging for access to batches of websites in future.”

A internet gateway such as Internet.org makes censorship by governments easier, with what Access Now call a “single centralised checkpoint” for information. Facebook itself has been targeted by and taken down by several governments for “allowing” politically sensitive content. Pakistanis that would use Internet.org to access websites and services that are sensitive in nature could find themselves blocked individually or en masse.

Facebook itself has a notoriously bad reputation in regards to the privacy of its users. Privacy settings have been changed in the past without informing users in advance, with private messages becoming public. Terms and conditions have also been modified in the past without warning. The nature of Facebook's business model, furthermore, is reliant on user data, which is in turn provided to third parties. It is quite likely that Internet.org will collect user data via services and IOS/Android apps. The lack of proper transparency in regards to how that data will be used by Internet.org and partnering companies should disturb many, due to the potential for surveillance without consent.

Surely Facebook is aware of the privacy concerns of many, and will strengthen security for the benefit of its users? Well, as Access Now and the Electronic Freedom Foundation have pointed, not really. Each points out that the current version of Internet.org does not permit HTTPS (HTTP Secure), SSL (Secure Sockets Layer) or TLS (Transport Layer Security) encryption protocols. If one is sending sensitive personal data – emails, credit card purchases etc – over the internet, these encryption protocols ensure the security and integrity of your web traffic, without the risk of being eavesdropped upon by government agencies or malicious hackers looking to steal your details. By not allowing these protocols, Internet.org users are at danger each time they access websites and services via Facebook's offering.

Internet.org is not without its supporters. There are those defend Facebook and its partners, saying that this opens up the internet to those that could not afford to access it in the past. As internet services become more crucial to our lives, access is indeed essential. Defenders of Internet.org also argue that once people have tried out Internet.org, they will be able to move onto the “proper” internet, having had a taste. The problem here is that should more telecoms providers move towards Internet.org and similar initiatives, it becomes more lucrative for telecoms and internet service providers offer zero rate internet. Should a Telenor subscriber choose to access a website or service not offered by Internet.org, they may be subject to the usual higher data package costs, thus discouraging them, depending on whether or not they can afford to be charged. And according to Asad Baig of Media Matters for Pakistan:

in such a scenario, when certain service providers in partnership with initiatives like Internet.org, provide access to certain websites 'free of charge', its very difficult to make consumers understand the implications regarding access. Such services are generally perceived as 'consumer friendly' and that's exactly what makes net-neutrality advocacy in Pakistan so difficult."

Rather than offering greater choices to people, Facebook and Internet.org not only put privacy, security and the freedom of expression of internet users at risk, and seeks to make access decisions for the users instead, penalising them should they choose otherwise. Saad Hamid of Invest2innovate provides an analogy:

Imagine going to any public park in Pakistan for 5 rupees and one day the fee is waived and you can go to certain parks for free. Seems awesome right? It does feel good today being a customer but what happens one day when the fee is introduced again - would you pay for it? This is exactly the concern with Internet.org - it's helpful to the user in the short term and it's highly damaging to businesses and startups who want to develop a tendency among users to pay for services.”

May 20, 2015 - Comments Off on Join The Global Feminist Hackathon, In Memory of Sabeen Mahmud

Join The Global Feminist Hackathon, In Memory of Sabeen Mahmud

10407642_900996653301137_7774784743798442630_n

Digital Rights Foundation and Hamara Internet are joining hands with WECREATE Center Pakistan, to participate in the first Global Feminist Hackathon being held on May 23rd 2015, in loving memory of Sabeen Mahmud. We dedicate this inaugural Global Feminist Hackathon to Sabeen and to all those who fight against injustice and discrimination around the world. As Sabeen once said, “I love and cherish that technology has the potential to change lives. We need to devote ourselves to making enabling tools and technologies accessible to more and more people.”

The session will address the current digital legal landscape in Pakistan, concerns with the proposed cyber crimes bill, and the sharing of digital tools and skills to make online spaces safe for women in Pakistan. If you are in Islamabad and want to join us, please contact us at info@digitalrightsfoundation.pk. We also encourage you to join and conduct your own activities dealing with gender and technology, privacy and surveillance, digital security, the hacking of gender roles in technology, or anything else related to technology and human rights.

Sabeen was a symbol of the kind of Pakistan that we want to leave for our children, an icon of free thought and progressive ideas. Let us take her vision forward.

Please share this information widely among your networks and register your activity at the following link by May 23rd: https://f3mhack.org/index.php/en/

May 14, 2015 - Comments Off on Spectrum Eyes: The NSA & Pakistani Metadata

Spectrum Eyes: The NSA & Pakistani Metadata

antenna-mast-605307_640

Last Friday, Digital Rights Foundation had learnt via The Intercept that Ahmad Muaffaq Zaidan, Al Jazeera's Islamabad Bureau chief made the list. The US government terrorist watch list, to be precise.

According to National Security Agency (NSA) documents leaked by whistleblower Edward Snowden, in 2012 the NSA indicated that it considered that Mr. Zaidan was a member of Al Qaeda and the Muslim Brotherhood. Mr. Zaidan has strongly denied that he has ever been a member of either organisation, and is backed by his employers and respected international journalists, such as CNN's security analyst Peter Bergen.

So how did a respected veteran journalist find himself placed on a terrorist watch list?

Metadata refers to location and data about communications, such as the callers, sender and recipient, location of communication devices and their unique identifiers, time and length of calls, and other data. Metadata is useful data: it can be analysed by intelligence officers and software in order to detect specific patterns and to establish detailed profiles on particular individuals and/or groups. In the wake of September 11th 2001, the United States government has actively pursued what it constitutes as threats to global security, on the basis of human intelligence and metadata.

Journalists are always told, whether in school or on the job, to go where the story is. To follow the trail. The nature of investigate journalism will often entail communications and physical interactions with people from criminal or terrorist organisations or backgrounds. Zaidan has travelled to and interviewed key figures in geopolitical hotspots, including Afghanistan and Pakistan, two countries that gained prominence post-9/11. Based upon the metadata that has been generated by his movements and communications, Mr. Zaidan found himself on a terrorist watch list and a US government database (TIDE - Terrorist Identities Datamart Environment, shared by US intelligence agencies). According to SKYNET, a problematically-named computer programme designed to analyse metadata, his movements were similar to that of couriers for high ranking Al Qaeda officials.

In Ahmad Zaidan's own words, “to assert that myself, or any journalist, has any affiliation with any group on account of their contact book, phone call logs, or sources is an absurd distortion of the truth and a complete violation of the profession of journalism.”

Though the NSA and the US government did not tell The Intercept as to how Mr. Zaidan came to be added to the TIDE government database, what is known from leaked documents highlights the grave dangers that the collection and interpretation of metadata hold in store for all of us.

One of the questions that SKYNET used as a basis, for instance, was “who has traveled from Peshawar to Faisalabad or Lahore (and back) in the past month? Who does the traveler call when he arrives?”. Behaviour patterns seen as 'suspect' were also looked at by SKYNET, including “incoming calls only,” “visits to airports,” and “overnight trips.”

What the NSA documents also reveal is that the information was collected from “major Pakistani telecoms providers” according to the Intercept report. According to the documents, 55 million Pakistani mobile phone records were fed into the SKYNET system, via its Pakistan dragnet, DEMONSPIT - “as an example” - one of which was “PROB” (sic) Zaidan, due to his frequent Peshawar-Lahore excursions. Others were also highlighted by the system, using similar criteria.

What arises: the collection of metadata has been actively pursued by government intelligence agencies as a way to capture potential terrorists. The belief is that by examining their movements before hand, persons of interest can be arrested or subdued before an attack takes place. The belief is also that metadata will tell us where the enemy can be found, and taken out. This collation of data has been the basis of drone attacks in Afghanistan, Pakistan, and Yemen, and is cited as being how Osama bin Laden's hideout in Abbotabad, Pakistan, had been located.

As with Mr. Zaidan, however, metadata does not automatically infer intent, and can ensnare innocent people, often with tragic consequences. Drone attacks in Pakistan, as of 24th November 2014, have resulted in the deaths of an estimated 1,147 people, according to a report released last year by the human rights organisation Reprieve (http://www.reprieve.org/uploads/2/6/3/3/26338131/2014_11_24_pub_you_never_die_twice_-_multiple_kills_in_the_us_drone_program.pdf)

As the former head of the NSA, General Michael Hayden once remarked, “we kill people based on metadata.” (http://justsecurity.org/10311/michael-hayden-kill-people-based-metadata/)

What does the Intercept report mean for Pakistani citizens? Simply this: a clear violation of the right of the individual to privacy has taken place. The documents in the report do not clarify the technical or legal means by which 55 million mobile phone records were obtained, and it is unlikely that those mobile phone records were the only examples forms surveillance sans oversight undertaken against Pakistani citizens. It is evident that in the name of global security, the rights of Pakistani citizens have been ignored. The context-free manner in which metadata is analysed ensures that the mobile phone calls, smartphone usage et al of Pakistanis will be kept on NSA servers and examined for “potential” persons of interest.

The current draft of the 2015 Prevention of Electronic Crimes Bill, as amended by the Standing IT Committee of the Pakistani National Assembly, would allow for Pakistani intelligence agencies to forward mobile phone and data records of Pakistani citizens, without consent necessary. A legal analysis undertaken by Privacy International and Digital Rights Foundation found that the the draft law does not call for regulation of “sharing of data among government entities” (https://www.privacyinternational.org/sites/default/files/Prevention-of-Electronic-Crimes-Bill-2015%20Legal%20Analysis_0.pdf). If the United States government highlights the digital activity of any Pakistani citizens on the basis of data already gathered, it will most likely follow that Pakistani intelligence agencies will be approached by their NSA counterparts to bring in the individuals, regardless of concrete evidence of wrongdoing.

The capture and storage of the telecommunications of Pakistani citizens – without consent – violates the right to privacy, and aims to criminalise behaviour out of context. To quote Geoffrey King, Internet Advocacy Coordinator for the Committee to Project Journalists, “Given a big enough pool of data, anyone can end up fitting a 'suspicious' pattern.”

Written by Adnan Chaudhri

April 21, 2015 - Comments Off on New Cybercrime Bill Threatens the Rights to Privacy and Free Expression in Pakistan

New Cybercrime Bill Threatens the Rights to Privacy and Free Expression in Pakistan

ARTICLE 19 and Digital Rights Foundation Pakistan have serious concerns about measures contained in Pakistan’s proposed Prevention of Electronic Crimes Bill (‘PEC Bill’). The Bill contains a number of provisions that, if implemented, would violate the rights to freedom of expression and privacy. We urge members of the Senate of Pakistan to reject the Bill and call on the Pakistani parliament to ensure that any new cybercrime legislation is fully compliant with international human rights standards.

In our joint legal analysis, ARTICLE 19 and Digital Rights Foundation Pakistan address the following concerns:

  1. Power to manage intelligence and issue directions for removal or blocking of access of any intelligence through any information system

  2. Overbroad offences against misuse of computers and lack of public interest defence

  3. Glorification of an offence and hate speech

  4. Overly broad cyber-terrorism offence

  5. Offences against dignity of natural persons

  6. Offences against modesty or a natural person and minor

  7. Cyberstalking

  8. Spoofing

  9. Criminalising the production, distribution and use of encryption tools

Read more information, including our recommendations, in the PDF below:

Pakistan Cyber Crime Joint Analysis

 

December 16, 2014 - Comments Off on KPK and Punjab Public Bodies Consistently Fail to Comply with RTI Laws

KPK and Punjab Public Bodies Consistently Fail to Comply with RTI Laws

Provincial governments of Punjab and Khyber Pakhtunkhwa (KPK) have failed to comply with their respective Right to Information (RTI) laws, as the year long research reports indicates.

Lahore, January 1, 2015:

Annual research report titled ‘The State of Proactive Disclosure of Information in Khyber Pakhtunkhwa and Punjab Public Bodies’ reaffirms earlier findings that public bodies in both the provinces have failed to comply with their own right to information laws. Khyber Pakhtunkhwa and Punjab public bodies are required to proactively disclose categories of information mentioned in Sections 5 and 4 of Khyber Pakhtunkhwa Right to Information Act 2013 and Punjab Transparency and Right to Information Act 2013,  respectively.

This report was an effort initiated by Coalition of Right to Information (CRTI) and Digital Rights Foundations with a broader aim to measure how public bodies have been using the web. With advancements of technologies, it has become crucial for public bodies to start using their web presence more effectively in order to promote good governance and reduce corruption. This research scaled if the government departments are keeping properly maintained websites and promoting citizens' feedback. However, the primary purpose of these quarterly reports was to measure against respective RTI laws if the bodies were complying with their own laws.

While civil society and citizens appreciate elected governments of Punjab and KPK for having passed their local RTI laws, it is disappointing to see the unwillingness of public bodies to comply with those regulations. What was even more surprising though was the discovery that Information Commission of Punjab and Information Department of KPK even lack a website of their own. If the information commissions are themselves not promoting RTI laws and lack web presence and / or conformity to RTI laws, how do they expect other departments to uphold those policies?

As pointed in our earlier quarterly reports, this final report of year 2014 also kept up with the finding of having no example where a department has disclosed information about recipients of concessions, permits or authorizations granted by the public bodies. Transparency will not witness any improvement if information commissions and local government do not promote their departments to proactively disclose financial information, concessions, and benefits their employees receive as it is an important way forward to good governance.

A lot has to be done by the KPK and Punjab Information Commissions to ensure that public bodies comply with the right to information laws,  present information in user-friendly way proactively, and promote raising awareness of citizens' right to information and their required feedback in governance.

Link to the report: Proactive Disclosure Report 

Contact: nighat@digitalrightsfoundation.pk

– End –

“Coalition of Right to Information seeks to promote an open information and communications policies at the federal, provincial and district levels across Pakistan. With various initiatives, the coalition of civil society organizations aims to promote citizen awareness and improve dialogue between the citizens and state.”

 

Digital Rights Foundation is a research based advocacy organisation based in Pakistan focusing on ICTs to support human rights, democratic processes and better digital governance. DRF opposes any and all sorts of online censorship and violations of human rights both on ground and online. We firmly believe that freedom of speech and open access to online content is critically important for the development of socio-economy of the country. www.digitalrightsfoundation.pk

 

December 4, 2014 - Comments Off on Freedom on the Net 2014 – Pakistan’s Scores Going from Bad to Worse

Freedom on the Net 2014 – Pakistan’s Scores Going from Bad to Worse

Freedom on the Net 2014 – Pakistan’s Falling Scores on Internet Freedom Ranking

Lahore, December 4, 2014: The latest Freedom on the Net report of Freedom House that is conducted in 60 countries around the world shows declining scores for Pakistan. Inclusion of online spaces as evidence in the draconian laws of Blasphemy while having no strong legal-cyber framework and implementation of technologies to censor political and social content remain the worrying highlights of this year's Net Freedom report.

FoTN 2014 report was meticulously researched by Digital Rights Foundation, Pakistan along with the research analysts of Freedom House. This report is an attempt to compile and assess the limits on content, violations of user rights in Pakistan, and overall Net Freedom in the country. Here are some of the highlights of Freedom on the Net 2014 report on Pakistan:

  • Four women were brutally killed for using mobile technology in rural areas of Pakistan
  • Citizen Lab researchers found Netsweeper technology automatically blocking political and social content on Pakistan’s largest ISP
  • In April 2014, a judge in Punjab sentenced a Christian couple to death for blasphemy in relation to a text message they deny sending
  • Lawyer Rashid Rehman was shot dead on May 7 after receiving threats for representing a professor jailed on charge of committing blasphemy on Facebook
  • Pakistan started offering faster mobile internet connectivity (limited to urban centers) in the form of 3G and 4G
  • YouTube has been blocked since September 2012 while officials jockey to systematize control over the platform
  • Authorities' newly blocked film details referencing Baloch independence and a gay community website
  • Pakistan Protection Ordinance 2013 (now an Act) categorized unspecified “internet offenses” as terrorism, with suspects subject to arbitrary detention

“Pervasive  and Increased government control on the Internet whether in form of censorship or with new surveillance tactics, is limiting freedom of expression and amplifying self censorship among the internet users in Pakistan. The dangerous trend of introducing draconian and repressive laws to limit the civil liberties in the online space is only an effort to block political dissent and diverse opinions," commented Nighat Dad, Director, Digital Rights Foundation. "Pakistani government should understand that increased Internet censorship and data surveillance can only turn this democratic state into a repressive regime.”

Sanja Kelly, Project Director for Freedom on the Net talking about how legal framework is being constructed at the expense of citizen privacy mentioned, “authoritarian and democratic leaders alike believe the internet is ripe for regulation and passed laws that strengthen official powers to police online content. The scramble to legislate comes at the expense of user rights, as lawmakers deliberately or misguidedly neglect privacy protections and judicial oversight.The situation is especially problematic in less democratic states where citizens have no avenues to challenge or appeal government’s actions”

Pakistan scored 69 points (on a list of 0 to 100, where 100 is worst), two points down from last year's ranking. It is concerning for the civil society and Internet users in the country to see an elected government not respecting citizen's privacy or access to the Internet. Pakistan is in dire need of strong, citizen-centric cyber laws that could protect users from online crimes and false witnesses.

To view full country report of Pakistan, please visit Freedom on the Net, 2014.

– End –

Digital Rights Foundation is a research based advocacy organisation based in Pakistan focusing on ICTs to support human rights, democratic processes and better digital governance. DRF opposes any and all sorts of online censorship and violations of human rights both on ground and online.  We firmly believe that freedom of speech and open access to online content is critically important for the development of socio-economy of the country. www.digitalrightsfoundation.pk

Join the talk on Twitter @digitalrightspk, follow the hashtag #FOTN14 or like us on Facebook!

November 14, 2014 - Comments Off on Press Release: 1st National Conference on Privacy Rights and Digital Surveillance in Pakistan

Press Release: 1st National Conference on Privacy Rights and Digital Surveillance in Pakistan

Islamabad, November 14, 2014: Digital Rights Foundation organized country’s first National Conference on privacy rights and digital surveillance today in Islamabad. The focus of this national conference was to start a debate around the lack of legislation and laws pertaining to cyber space with a focus on privacy. During this conference, Waqas Mir, a lawyer from Lahore having expertise in constitutional laws and free speech, presented a comprehensive whitepaper on surveillance in Pakistan. This whitepaper took the audience and readers through the history and development of legislation around privacy and surveillance in the country with a focus on recently drafted Fair Trial Act 2013.

DRF in partnership with Privacy International and Freedom Network organized this event to bring together members from all stakeholders including lawyers, parliamentarians, journalists, civil society, and the public to create a serious and continuous debate around having a consistent approach between surveillance and privacy. Multiple panels and session talks were held discussing global and local perspectives of surveillance in the digital age. Panelists also talked about solutions that could be employed taking examples from other countries world over while going over the case studies where common citizens, journalists, feminists, and dissidents at large have been harassed and attacked.

Senator Afrasiab Khatak, former member of National Assembly Bushra Gohar, and Ben Wagner, international expert on export of surveillance technologies were also part of the panels among other distinguished speakers. The conference concluded by recommending public to use their Right to Information more assertively and frequently and by demanding government to ensure transparency and publish annual report on the number of warrants granted for surveillance, and the number of offences prevented by surveillance or interception of information.

The key points that were raised during this national conference on privacy and surveillance include:

  • Growing concerns over tools / mechanisms employed by government especially after FinFisher’s license expiry in 2013
  • Concerns shared by the journalism community over how surveillance has negatively impacted the standards of journalism in the country
  • Urgent need of legislation around digital security to safeguard citizens
  • Understanding of government’s need to employ legal surveillance in the face of serious terrorism threats, however, with strict definitions of ‘national security’ and ‘national threats’ while being proportionate to citizen’s privacy
  • The need to rethink the process of creating the laws putting protection before punishment and not the other way around
  • Palpable urgency felt to have a strong relationship between activists and political parties on privacy and surveillance concerns

National conference on surveillance this year tried to gear start the debate around privacy and surveillance in the country. However, it will be furthered by the support of stakeholders and will be held annually to create a strong network producing tangible results and putting forward suggestions for the government.

Contact: nighat@digitalrightsfoundation.pk

– End – 

Digital Rights Foundation (DRF) is a research based advocacy organisation based in Pakistan focusing on ICTs to support human rights, democratic processes and better digital governance. DRF opposes any and all sorts of online censorship and violations of human rights both on ground and online. We firmly believe that freedom of speech and open access to online content is critically important for the development of socio-economy of the country. @digitalrightsPK