May 28, 2018 - DRF condemns yet another breach of NADRA database and demands strong data protection legislation
The National Database and Registration Authority (NADRA) of Pakistan held the record for the largest database of citizens’ biometric information in the world until it was recently overtaken by India’s Aadhaar card programme. That stature means it controls a vast amount of information whose confidentiality is crucial to every person it belongs to, and which it is duty-bound to protect from prying eyes and predators. Instead, as an infographic on the Digital Rights Foundation’s (DRF) website shows, a staggering number of instances of personal-data mismanagement can be traced back to the Authority. The most recent is a reported breach at the Punjab Information Technology Board (PITB), which had been granted access to NADRA data and has lost a critical amount of confidential information that is now being sold over the internet for as little as Rs.100 (roughly $1). This incident, as recent as May 2018, is yet another forced intrusion into our private lives at the hands of hackers; but the reason our personal data is plucked so easily is the abysmal state of our data protection policies, or rather their absence.
At the time of publication, Pakistan has no data privacy legislation in force. This is a precarious position given the monumental amount of data that flows through the internet, through the applications we install and use and allow our internet service providers (ISPs) and the applications themselves to process, and that is stored on their servers. According to a DRF report titled ‘Privacy and Data Protection Policies of Telecom Companies in Pakistan’, the measures telecommunication companies have in place to protect our data leave a lot to be desired, and little to no redress is available when something goes wrong.
The incident we are reporting is unfortunately not the first of its kind, and it indicates that cyber security is not a priority for our government institutions, as the following instances show:
- In 2002, NADRA chairman Saleem Ahmed Moeen admitted that about 300,000 National Identity Cards (NICs) issued by NADRA carried errors.
- In 2011, NADRA employees were accused of preparing fake identity cards for employees of the Bahria Town housing authority.
Beyond the accounts of unprofessional behaviour by NADRA officials, instances of data sharing are also cited, for example the sharing of data with a private company awarded the contract to issue the National Identity Card for Overseas Pakistanis (NICOP) and the Pakistan Origin Card (POC) in the UK and Europe. What is worrying here is the basic fact of our data being shared with private companies and multiple government departments: the wider the spread of, and the more avenues of access to, NADRA’s database, the higher the chance that the information is leaked or misused. In 2014 the Coordination Director to the Chairman of NADRA was also in the news for leaking the government’s messages and NADRA’s strategy to PTI and the media. These cases alone are enough to illustrate the negligence present across the board at an institution as crucial as NADRA. A top-to-bottom revision of how the Authority operates, including its standard operating procedures (SOPs) and its methods for ensuring security and confidentiality, needs to be undertaken.
Further proof of the gravity of the situation is the recent spate of data breaches at NADRA and PITB in the past year. The most recent occurred in May 2018, when NADRA handed the PITB access to citizens’ data for digitisation; that data is now being hawked online and on social media platforms for chump change.
As per details available via ProPakistani: ‘… the data breach occurred when NADRA gave access of its servers to Punjab Information Technology Board (PITB), which wanted to digitize citizens’ data by linking CNICs with every other department, including but not limited to education, health, police and land registry.’
Just nine months earlier, ProPakistani reported another catastrophe: PITB’s technical settings allowed anyone with basic computer skills to access Computerised National Identity Card (CNIC) numbers, scanned images of the front and back of CNICs and scanned copies of educational degrees, among other data, with no record of how many people did so. It was written off as a technical glitch that was later fixed, but this intrusion into the privacy of civilians draws attention to how poorly the custodians of national databases protect sensitive and private information.
According to a source who has worked extensively with NADRA, the official position is that no NADRA database was breached; rather, it was the access provided to PITB and its team that led to whatever data leak occurred. The source added that NADRA extends its database to banks and telecommunication companies on a need basis, the implication being that no leaks or breaches have occurred on those occasions. The source also expressed concern over the absence of data protection laws. Asked whether any redress was available to civilians whose data had been made public, they said there was none, but proposed that a process of ‘de-identification’ be introduced, under which an individual whose data has been breached can ask NADRA to de-identify them and allot them a new national identification number and card. They also pointed out that during the previous general elections NADRA provided the Election Commission of Pakistan (ECP) with printed voter lists, complete with CNIC number, name, address and photo, which was in itself a breach of the voters’ security.
Our data is accessed by authorised personnel of several government departments, yet we have seen that the authority entrusted to them is being misused to sell citizens’ data through WhatsApp and Facebook groups and Twitter accounts. Accountability must be a key aim of the government: such worrying breaches cannot go unnoticed and require a prompt response. Another key question is why access to such sensitive information is granted so casually that seemingly everyone attached to a given institution or department can obtain it, rather than being limited to the staff and purposes that actually need it and logged so that misuse can be traced back to whoever is responsible.

Special attention should also be paid to the Punjab Safe Cities Authority (PSCA) and its projects, which employ surveillance as one of their methods for improving the law and order situation in Punjab’s biggest cities through technology. The potential for misuse or damaging leaks here is substantial, and it is only exacerbated by the lack of data protection legislation in the country. Likewise, who has access to the data collected by the PSCA, and how secure the servers it uses are, is crucial, since people under constant surveillance are potentially put at risk. The importance of transparency in these processes cannot be stressed enough given the delicate nature of the whole setup. The public, the people whose very data is at stake, have a right to know not only how their data is collected, stored and used but also when it is compromised. That information must be relayed through official channels so that its veracity is not in doubt, as much of what is forwarded on social media platforms cannot be trusted. State institutions must take ownership and, in turn, demonstrate accountability for the people to see.
The need of the hour, as DRF has said time and time again, is to enact a comprehensive and effective data protection law that serves the public interest: one that not only sets out how our data is to be safeguarded but also holds to account the institutions that have access to it.
Author: Zainab Durrani