All Posts in Privacy
November 14, 2014 - Press Release: 1st National Conference on Privacy Rights and Digital Surveillance in Pakistan
Islamabad, November 14, 2014: Digital Rights Foundation organized the country’s first National Conference on privacy rights and digital surveillance today in Islamabad. The focus of this national conference was to start a debate around the lack of legislation and laws pertaining to cyber space with a focus on privacy. During this conference, Waqas Mir, a lawyer from Lahore having expertise in constitutional laws and free speech, presented a comprehensive whitepaper on surveillance in Pakistan. This whitepaper took the audience and readers through the history and development of legislation around privacy and surveillance in the country with a focus on the recently drafted Fair Trial Act 2013.
DRF in partnership with Privacy International and Freedom Network organized this event to bring together members from all stakeholders including lawyers, parliamentarians, journalists, civil society, and the public to create a serious and continuous debate around having a consistent approach between surveillance and privacy. Multiple panels and session talks were held discussing global and local perspectives of surveillance in the digital age. Panelists also talked about solutions that could be employed taking examples from other countries world over while going over the case studies where common citizens, journalists, feminists, and dissidents at large have been harassed and attacked.
Senator Afrasiab Khatak, former member of National Assembly Bushra Gohar, and Ben Wagner, international expert on export of surveillance technologies, were also part of the panels among other distinguished speakers. The conference concluded by recommending that the public use their Right to Information more assertively and frequently and by demanding that the government ensure transparency and publish an annual report on the number of warrants granted for surveillance, and the number of offences prevented by surveillance or interception of information.
The key points that were raised during this national conference on privacy and surveillance include:
- Growing concerns over tools / mechanisms employed by government especially after FinFisher’s license expiry in 2013
- Concerns shared by the journalism community over how surveillance has negatively impacted the standards of journalism in the country
- Urgent need of legislation around digital security to safeguard citizens
- Understanding of government’s need to employ legal surveillance in the face of serious terrorism threats, however, with strict definitions of ‘national security’ and ‘national threats’ while being proportionate to citizen’s privacy
- The need to rethink the process of creating the laws putting protection before punishment and not the other way around
- Palpable urgency felt to have a strong relationship between activists and political parties on privacy and surveillance concerns
The national conference on surveillance this year tried to kick-start the debate around privacy and surveillance in the country. However, it will be furthered by the support of stakeholders and will be held annually to create a strong network producing tangible results and putting forward suggestions for the government.
– End –
Digital Rights Foundation (DRF) is a research based advocacy organisation based in Pakistan focusing on ICTs to support human rights, democratic processes and better digital governance. DRF opposes any and all sorts of online censorship and violations of human rights both on ground and online. We firmly believe that freedom of speech and open access to online content is critically important for the development of socio-economy of the country. @digitalrightsPK
August 22, 2014 - Pakistan is a FinFisher customer, leak confirms
In the first week of this month, someone hacked into the servers of FinFisher, the notorious surveillance software maker, which was reported to have two command and control servers inside Pakistan last year. The hackers got hold of whatever they could find on the server and leaked it as a torrent. The 40Gb torrent contains the entire FinFisher support portal including the correspondence between customers and the company staff. It also contains all the software that the company sells as well as the accompanying documentation and release material.
What is FinFisher?
FinFisher is a company that sells a host of surveillance and monitoring software to government departments. The primary software, FinSpy, is used to remotely access and control the computers or mobile phones belonging to the people being spied on. The company offers several methods to install FinSpy, which range from a simple USB that can infect a computer to directly attaching the trojan with legitimate files when they are being downloaded through installing a kit at the ISP. The whole FinFisher toolset is designed to give the people buying these software access to emails, web browsing history, and any other activity performed by the “targets.”
Is Pakistan a FinFisher customer?
Apparently, yes. A University of Toronto based research group called Citizen Lab released a report last year identifying two FinFisher command and control servers on the PTCL network. But this recent leak gives us a more complete and conclusive picture. The leaked support portal tells us that someone from Pakistan in fact licensed three software products from FinFisher for a period of three years. The systems Citizen Lab identified were probably the computers hosting the FinSpy server program and were merely using a PTCL DSL connection. PTCL, the company, we think was not involved. If not PTCL, then who? It could be anyone, but since FinFisher only sells this software to government agencies, it was most likely one of the many intelligence agencies operating within the Pakistani government.
In one of the “critical” support tickets that we have extracted from the FinFisher support portal, someone identifies their name (redacted in this article) and location (Pakistan) and complains that their problems are not being addressed through Skype (which we presume was the primary way FinFisher provided help to the customers). The FinFisher database identifies the said customer with the username 0DF6972B and ID 32.
What was purchased?
After that clue, we looked further into the purchase history of Customer 32 and their correspondence with FinFisher staff and found out that they have licensed not one but three software products from the spy software maker. The primary software, FinSpy, is used to target people who “change location, use encrypted and anonymous communication channels and reside in foreign countries.” After FinSpy is installed on a computer or a mobile phone, it can be—according to the product brochure—“remotely controlled and accessed as soon as it is connected to the internet/network.”
In addition to FinSpy, Customer 32 also purchased another product called FinIntrusionKit to hack into hotel, airport, and other wifi networks to catch “close-by WLAN devices and records traffic and passwords”, extract “user names and passwords (even for TLS/SSL encrypted sessions),” and “captures SSL encrypted data like webmail, video portals, online banking and more.” The third product is a tool to infect USB devices so that whoever plugs them in becomes a target of surveillance.
How does Pakistan FinFish?
From the support tickets filed by Customer 32, we also get to know that whoever in Pakistan purchased FinFisher used it, for instance, to infect harmless MS Office documents, particularly PowerPoint files, and sent them to people they wanted to spy on. The simple act of opening the infected files led to their computer being put under constant surveillance, including emails, chats, and other activity.
Customer 32 also used FinFisher to covertly steal files from the “target” computers. All the files of those who were targeted were readily available but Customer 32 wanted more, as outlined in another support ticket: “the agent be able to select files to download even when the target is offline and whenever the target comes online, those selected files may be downloaded without the interaction required from user.”
While we know that FinFisher is deployed in Pakistan, some questions remain to be answered. As citizens of a democratic state, it is our right to know who is using this surveillance software in Pakistan, how much budget is being spent on these licenses, and what laws and regulations are being followed for deploying this software.
Update [Sep 15, 2014]: How much did it cost?
WikiLeaks today released a list of countries that bought software from FinFisher and the associated cost that was paid. The cost was calculated using a price list they found inside an Excel file. Pakistan, as per the revealed price list, paid €432120 (or 57 million Pakistani rupees) for the three software products that were purchased.
From our earlier coverage:
» Global Coalition Of NGOs Call To Investigate & Disable FinFisher's Espionage Equipment in Pakistan
» FinFisher Commercializing Digital Spying – How You can be a Victim?
July 18, 2014 - UN Report Calls Mass Surveillance a Violation of Human Right to Privacy
In an important step towards establishing international consensus on the right to privacy in the technological age that we live in, the United Nations High Commissioner for Human Rights on Wednesday issued a report calling bulk collection of private data and mass surveillance contrary to international law.
The report was prepared in response to the UN General Assembly resolution adopted during its 68th session in December 2013. The resolution, introduced by Brazil and Germany, specifically noted that the practices of bulk collection of private data and mass digital surveillance may be in violation of Article 12 of the Universal Declaration of Human Rights and Article 17 of the International Covenant on Civil and Political Rights:
"No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks."
The resolution had called upon all the UN member states "to respect and protect the right to privacy, including in the context of digital communication" and had requested the United Nations High Commissioner for Human Rights to submit a report to be considered by the General Assembly during the next session.
The very existence of a mass surveillance program constitutes an interference with privacy, the High Commissioner notes, and asks governments to make sure such actions are neither arbitrary nor unlawful.
The report employs clear language in condemning collection of private digital data and observes that the "collection and retention of communications data amounts to an interference with privacy" regardless of the excuse that the data might be used later.
It dismisses the idea that the collection of metadata about a communication, in contrast to the communication itself, is not a violation of privacy. The metadata, it says, "may give an insight into an individual’s behaviour, social relationships, private preferences and identity that go beyond even that conveyed by accessing the content of a private communication."
It also cautions that the companies who supply mass surveillance technology to states which are known to use the information in violation of human rights risk "being complicit in or otherwise involved with human rights abuses."
Considering that Pakistan has been known to have deployed Netsweeper and Narus products, which have reportedly been used by other repressive regimes for censorship and surveillance, on its network, Digital Rights Foundation (DRF) welcomes the report and hopes that the government of Pakistan, as a member UN state, would pay attention to the observations made in the report.
July 8, 2014 - Pakistan responds to the NSA Surveillance of PPP
The United States' National Security Agency (NSA) was granted permission to spy on six political parties, over a dozen global organizations, and all but four world governments, according to a secret Foreign Intelligence Surveillance Court (FISC) certification leaked by the NSA whistleblower Edward Snowden. The organizations the NSA was authorized to spy on include the United Nations and World Bank as well as Pakistan People's Party (PPP) and Bharatiya Janata Party (BJP).
The top-secret FISC certification, posted by Washington Post on their website on June 30th, 2014, and other related documents that the Post has not yet shared, allow the NSA to intercept not just the communication directly originating to or from the targets mentioned above, but also any communication about them. This, we imagine, can be a very broad spectrum.
In response to DRF Director Nighat Dad's tweet asking if any member of the Pakistan People's Party was willing to speak on the unlawful NSA activity, Sharmila Faruqi, former advisor to the Chief Minister of Sindh, said that the revelation was akin to "intruding our privacy and sovereign rights [and thus] highly condemnable." She added that this "should be agitated at the highest forum."
Speaking on the same matter, former PPP Interior Minister Rehman Malik revealed that during the PPP tenure in 2012, cabinet meetings were being spied on. "The secret recording signals were traced during a random security sweeping before the cabinet meeting and after that the recording signals were broke down before the cabinet meeting," he said. He feared that the cabinet meetings of the present government might also be under surveillance. He was, however, unaware of who might be behind the recording signals. He suggested that Prime Minister Nawaz Sharif take up the matter with the US President Barack Obama through a formal letter.
PPP later issued a statement highly critical of the practice calling it "grave, unwarranted and totally unacceptable interference in the internal affairs of a sovereign country." The statement, issued by the PPP spokesman Senator Farhatullah Babar, demanded an apology from the US for "spying on the political institutions of a sovereign country." It also asked the government to take up this matter at the diplomatic level and demand that such violation of international law doesn't happen again.
Pakistan’s Foreign Office (FO), later on Thursday, formally lodged a protest with the US over the surveillance of PPP, calling the practice a violation of international law and demanding an end to it. "Appropriate measures are being taken to protect our cyber communication from any attack or spying," FO spokesperson Tasneem Aslam said in her statement.
PPP has also lodged a formal protest with the United States through a letter to the Ambassador of the United States in Pakistan, Mr. Richard G. Olson. The letter expresses grave disappointment over the matter. "The Party believes that it owes no explanation to any foreign agency," the letter said, "It therefore strongly resents and deplores the overbearing attitude of the NSA in assuming a right to interfere in other countries and their political parties. This attitude of a department of the US government towards a popular Pakistani political party will only increase distrust and suspicion already noticeably present in the people of Pakistan towards the government of the United States."
This post is the first part of a series on the unlawful surveillance of Pakistan People's Party (PPP) by the NSA.
April 15, 2014 - An open letter to Senate of Pakistan regarding Pakistan Protection Ordinance 2014 "Pakistan’s new law: no free speech… and you’re a terrorist unless you can prove otherwise"
The recent uproar over the Pakistan Protection Ordinance 2014 has created quite a stir in the country’s digital media platforms, and rightly so. The Government of Pakistan has recently passed, what appears to be, the most draconian and regressive anti-terror law in the National Assembly. The Pakistan Protection Ordinance 2014 has already been signed by the President and will soon be presented - and most likely approved - by the Senate on April 20, 2014.
The proposed law clearly inhibits fundamental rights to freedom of speech, privacy and peaceful assembly on the Internet. In its current form, the law could be used to suppress peaceful political opposition and criticism of government policy online, on social media for instance. In its schedule of offences, the law also lists “crimes against computers including cyber crimes, internet offenses and other offenses related to information technology etc”. Also, any crime mentioned in the scheduled offenses becomes a cognizable and non-bailable offense.
Any person accused within the sphere of scheduled offences will be liable to face a charge on grounds of reasonable evidence against him/her, and will be assumed to be engaged in waging a war or insurrection against Pakistan, unless he/she establishes his/her non-involvement in the offence, which reverses the burden of proof and undermines the right to due process and fair trial. The scheduled offence shall be punishable with imprisonment, which may extend to 10 years, with fine and confiscation of property.
The provision regarding internet crimes is so vague that it can be abused against journalists, politicians, minorities, students, activists, political dissidents and groups who are using the internet for activities which would not in any way be counted and ascertained as terrorism. From a due process perspective, there doesn’t seem to be a very strong case for introducing cyber crimes in the PPO 2014, when a separate Electronic Cyber Crime bill is already being drafted. So, what is the true intent of introducing additional or supplementary provisions with regard to “Internet Crimes”?
The state of open access to internet in our country is dismal. In the 2013 Freedom on the Net report, Pakistan’s Internet freedom status in 2012-13 was ‘Not Free.’ The introduction to the report states: Successive military and civilian governments have adopted various measures to control the internet in Pakistan, which they frame as necessary for combating terrorism. In Freedom of Press, Pakistan ranks 159 among 179 countries. In the planned Ordinance, the provision related to warrantless raids is in violation of Article 14 of our Constitution.
With the Electronic Cyber Crime bill, Pakistan has the momentous opportunity to set the benchmark in South Asia and the Global South in right to free speech online. This right necessitates freedom from persecution for all citizens who use digital communications platforms to express opinions, dissent, or critique against the state. As Benjamin Franklin said, “Whoever would overthrow the liberty of a nation must begin by subduing the freeness of speech.”
In an era where individuals, non-governmental organizations and international institutions rely on the multiplier effect of social media and digital news outlets to highlight issues of injustice and human rights violations, it doesn’t augur well for the country’s freedom of speech and human rights index to even consider this Ordinance.
Digital Rights Foundation demands and calls on the senators to protect the rights to freedom of speech and privacy in accordance with Pakistan's obligations under international conventions, remove the clause of cyber crimes from Pakistan Protection Ordinance 2014 and revise the law with the consultation of relevant stakeholders.
- End -
Digital Rights Foundation is a research based advocacy organisation based in Pakistan focusing on ICTs to support human rights, democratic processes and better digital governance. DRF opposes any and all sorts of online censorship and violations of human rights both on ground and online. We firmly believe that freedom of speech and open access to online content is critically important for the development of socio-economy of the country. www.digitalrightsfoundation.pk
December 9, 2013 - DRF Research Report: Net Privacy in South Asia
In May 2013, 29-year-old Edward Snowden, former CIA employee and technical contractor to the NSA, disclosed thousands of top-secret documents to the Guardian and Washington Post newspapers. These documents carried sensitive information about United States’ Internet surveillance programs such as PRISM, XKeyscore, Tempora, along with details of the interception of U.S. and European telephone metadata. In U.S. political history, it is perhaps the most significant political leak since Daniel Ellsberg’s “Pentagon Papers” in 1971.
Pakistan – digital dictatorship in the guise of a democracy:
Not surprisingly, during the same month, here in Pakistan, the government was found to be using FinFisher – one of the most sophisticated surveillance software suites available in the commercial market. The data shown in Citizen Lab’s analysis “For the eyes only” reported that Pakistan Telecommunication Company Ltd (PTCL) owns the network where the FinFisher server was found in the country. Gamma International UK’s FinFisher suite is an IT intrusion and remote monitoring system whose principal market is state-operated surveillance.
November 13, 2013 - Summary of Cyber Security Awareness Seminar, Lahore University of Management Sciences (LUMS)
The second Cyber Security Awareness Seminar was held at LUMS in collaboration with the Cyber Security Task Force and the Pakistan Information Security Association (PISA) on November 5th, 2013. The primary goal of this seminar was to highlight the increasing threats of Cyber Crimes and Cyber Terrorism.
The seminar saw the participation of LUMS students and faculty members; civil judges and research fellows at the Lahore High Court; the Additional Advocate General; various members of the business community and civil society representatives including Digital Rights Foundation, Pakistan.
The session was inaugurated with an introduction by Mr Ammar Jaffri, the Chairman Cyber Security Task Force. He went on to brief the audience on the threat perception in cyber space and mentioned the countermeasures taken up by the Cyber Security Task Force.
Following Mr. Jaffri was Barrister Zahid Jameel, Head of the Legal Committee for Drafting the Cyber Security Bill 2013. He discussed legal issues and challenges faced with regards to cyber security and the impediments faced by him and his committee while introducing the Cyber Security Bill 2013.
Dr Ashraf Masood, Dean NUST MCS, briefly explained the cyber security policy adopted in Pakistan. He was then followed by Mr. Shahid Hassan, Deputy Director of the FIA, who narrated his experience of the special cyber security training he had received in India.
The session was continued by Mr. Tariq Sheikh, Manager Customer Support and Training at LUMS, who brought forth the challenges and issues faced at LUMS in terms of cyber security. The seminar was concluded by a session from Mr. Tahir Chaudhry, Head Cyber Security Awareness Campaign, who brought forth cyber issues faced by students and the general public. He provided some valuable tips on how to secure personal information online.
Finally, a summation followed all these presentations with closing remarks given by Professor Abid Hussain Imam, Assistant Professor at Shaikh Ahmad Hassan School of Law, who then opened the Q & A session.
Session summary by Muhammad Farooq - volunteer, Digital Rights Foundation
September 22, 2013 - Call for Participation: Digital Security Workshop in Lahore
Digital Rights Foundation is pleased to announce a day long digital security training being organized in partnership with Shirkat Gah and Bolobhi. Journalists, bloggers, writers, human rights defenders and students in Lahore are invited to apply for this workshop. The training sessions will be conducted on Thursday, September 26, 2013.
This workshop aims at equipping the participants with the skills and techniques necessary for staying safe online. One of the purposes of this training is to enable the participants to carry out similar workshops within their organizations and share the experience gained through their networks.
If you meet the eligibility criteria and would like to participate in this training, please submit a statement of interest along with a brief bio outlining your work to nighat@
Further information regarding the event will be shared with the selected participants. The applicants must send their applications by September 24th, 2013. Late submissions will not be considered.
June 11, 2013 - Pakistan: Civil Society Condemns NSA Surveillance & Data Collection
We the undersigned strongly condemn the collection and surveillance of Pakistani citizens’ online communications and activities by the Government of the United States of America under its National Security Agency’s (NSA) Prism Programme. Reports about the programme reveal that the NSA has been involved in large scale surveillance of citizens – both at home and abroad. In terms of data gathering from other countries, Pakistan ranks second on the list of countries from where the most amount of digital data has been collected, following only Iran.
In the past years, the Government of Pakistan has cooperated extensively with the US Government on many counts – from joint operations to alleged information sharing. However, the recent leaks reveal that this is no targeted surveillance but blanket surveillance of citizens at the whims of the US security agency.
NSA’s mass surveillance cannot be justified under national security. The Prism programme has violated the fundamental rights of citizens in Pakistan and abroad.
We call upon the Prime Minister, the Ministry of Interior, Ministry of Foreign Affairs and Ministry of Information and Technology to demand full disclosure from the US Government over this issue and protect our constitutional rights of privacy, freedom of expression and freedom of speech. The State of Pakistan must respond to this breach of rights immediately and demand an end to blanket surveillance.
[If you want to sign the statement please leave your or your organization's name in the comment section]