State of surveillance…Mian Sami ud-Din
Imagine you are walking in a park on a bright sunny morning. As you sit down on a bench, three police officers walk towards you and stand at a distance. They simply stand there, looking at you, observing your every move. They then follow you home, stand outside, and watch you through the windows.
Perturbed by this unwarranted behaviour, you approach them and ask them why you are being monitored this way. The response is that they are simply keeping watch. There was a robbery in the neighbourhood two days ago, and the police officers have been told to observe every single person in the neighbourhood. It is in the interest of public safety, you are told.
What are the limits to our right to privacy? And what are the legitimate interests to which the right to privacy may be subject?
The relationship between the competing rights of privacy and public security has always been a rocky one. As a nation we have always felt insecure. Given our history of terrorist attacks, robberies, rape and child abuse, perhaps that is for good reason. Why should we not be extra vigilant to protect our safety and security?
The answer lies in the dangers of disproportionate use of power and the slippery slope on which it stands.
The disproportionate use of state power for perceived national security and criminal threats is a part of our nations history. Coercive laws have been a primary tool to legitimize control and suppression of fundamental rights. Moreover, rather than simply reacting to a threat, let alone an actual attack, those in power have always preferred prevention. It is simply a more effective way of control. And so, we fall down the rabbit hole of surveillance.
Surveillance is a common method to gather evidence for law-enforcement purposes. It is also increasingly used to pre-empt perceived threats as opposed to investigating crimes already committed. Surveillance does not only entail monitoring through visual observation but also includes collecting data by intercepting communications or gaining access to private information. In the age of Big Data, surveillance has turned from targeted surveillance to mass surveillance. In this regard, ready access to data is key for government authorities.
In the age of technology, the type of information which may be included in such data is our personal identity information (name, age, email, employment / education history, relationship status, religious views, political views, health data, and interests); location (where you live, places you like to go); messages and calls; social media interactions (what we post, content we consume); device information; and financial information (bank account, credit or debit card number etc.).
Government surveillance is not a new concept in Pakistan. It dates back to the Telegraph Act, 1885 which empowered the colonial government to intercept messages of persons and classes of persons in the interest of public safety or during emergencies. This was replaced with the Pakistan Telecommunication (Re-organisation) Act, 1996 which allows the government to intercept calls and messages in the interest of national security or apprehension of an offence. In order to enable such interception, the PTA has always required its licensees (telecom companies and internet service providers) to make their networks lawful-interception complaint.
In 2010, the PTA made the Monitoring and Reconciliation of Telephony Traffic Regulations to combat grey traffic. Such regulations allowed for real-time monitoring and recording of network traffic. The PTA has in recent years claimed that these regulations also ban the use of VPNs, which are used by internet users to ensure their privacy and safety from hackers online. Hence, these regulations do not allow for encryption of data and allows surveillance of patterns of communication through internet traffic analysis.
In 2013, the Investigation for Fair Trial Act was enacted to allow government agencies to intercept all forms of communication and carry out surveillance, with a court warrant. This Act enables designated agencies to execute the warrant by serving it on service providers, but also allows agencies to carry out the interception or surveillance themselves where this is possible, without serving the warrant on anyone.
The Prevention of Electronic Crimes Act, 2016 (Peca) was enacted to counter electronic crimes and to provide for online censorship of what the PTA considered harmful. But Peca is more than just about censorship and prosecuting online offences. It allows for acquisition of data, retention of traffic data, search and seizure, disclosure of content data, and real-time collection and recording of data.
In the same vein, the Removal and Blocking of Unlawful Online Content Rules, 2021 made under Peca was designed to exercise even more control over social media companies and access data of Pakistani users. While these rules were meant to regulate the exercise of the PTAs censorship powers, they went a step beyond and empowered PTA or investigation agencies to direct social media companies to provide agencies with any information or data they want without placing any condition or safeguards on when this can be requested. The rules also required social media companies to appoint officers based in Pakistan to ensure compliance with the law. Clearly the design was to exact physical control and pressure to access online user data. But there are gaps in all of the above laws.
The Fair Trial Act and PECA presume that: (1) government, or its agencies can physically exercise power and control over service providers to extract data; or (2) in the case of the Fair Trial Act, agencies have the technological means to carry out surveillance by themselves. But what happens where this is not possible?
Social media companies encrypt most private data and normally, governments do not have the technological means to access it. Such data is also stored on servers in data centres abroad. As per a US International Trade Commission report, as of January 2021 there were almost 8000 data centres globally.
Despite the many laws we have, our government cannot get access to user data stored abroad without social media companies voluntarily complying with requests for data. How do you carry out mass surveillance when you do not have ready access to data? Now, the government has found its answer under the garb of the Personal Data Protection Bill and the requirement of data localization.
Data localization is used to refer to the requirement that data be stored and/or processed within the country where the data has originated. The latest bill places limits on the transfer of personal data outside of Pakistan. In respect of critical personal data, the bill makes it mandatory for such data to be processed only in Pakistan.
Critical personal data is defined as any private data retained by a public service provider in Pakistan as well as that identified by a regulator or the national commission established under the bill. In other words, it includes anything and everything the government acting through these bodies may decide. The bill also adds to the existing laws enabling access to citizens personal data by requiring data processors and controllers to provide such data with the government on grounds of public order and national security and allows the national commission to exercise search and seizure powers.
Data localization allows governments to assert jurisdiction over that data as well as service providers controlling the data. The intention is to facilitate crackdowns on free speech, privacy, and other fundamental rights under the garb of protection and security of data. The measure also stems from the overarching idea of data sovereignty, the concept that data originating in a country should be subject to the laws of that country. However, the problem is that this concept assumes that such data belongs to the state and not to the citizen.
Other than concerns relating to economic and commercial interests, lack of infrastructure, and cyber security risks, the data localization requirement clearly brings full circle the governments desire to have ready access to personal data for the purpose of mass surveillance. In a 2015 report titled Tipping the scales: Security & Surveillance in Pakistan, Privacy International raised alarm bells on the prevalence of the practice and technological capacity of the government and intelligence agencies in conducting mass surveillance. One cannot help but conclude that the creeping enlargement of legislative power is just a means to give legal cover to the practice of mass surveillance already prevalent.
Under international human rights law, it is clear that mass surveillance is considered disproportionate and arbitrary by its nature and violates the right to privacy. This has been held by the European Court of Human Rights in cases such as Zakharov v Russia and Szabo v Hungary. Similarly, the European Court of Justice in Schrems v Data Protection Commissioner found that legislation allowing government authorities to enjoy access on a generalised basis to communications was a violation as well. Clearly, all of the laws of Pakistan on government access to data would not pass muster.
Mass surveillance is very real in Pakistan. The data localization requirement is another step to further it. Surveillance by its nature involves the reduction of privacy. The danger lies in our inability to gauge its effect on our personal freedoms. The question is whether we are willing to cede further autonomy and allow this new reality. If mass surveillance means the state does not trust us, why should we put our blind trust in the state?
Courtesy The News