October 21, 2019

A privacy nightmare: rogue website publicises mobile subscribers & CNIC data in Pakistan

Image Courtesy: privacyrights.org

The website claims to host a national database of mobile phone numbers, the personal data of subscribers, and the Computerised National Identify Card numbers, complete with the physical addresses, for the “use of peoples in India, Pakistan, and Afghanistan”.

A seemingly rogue website, with no apparent details of ownership available, is currently providing a ‘search’ service into the national database of mobile subscribers, and the national identity card (CNIC) holders in Pakistan. The website seems to have a functional database of subscribers and CNIC holders complete with their current and permanent addresses, date of birth, and more.

A closer inspection of the website reveals that the accuracy rate of the data provided is above 90%. 9 out 10 queries returned with multiple layers of subscribers’ data, along with information on various mobile phone numbers, and other key information.

“We tried entering multiple queries to test the accuracy of the database, most of them from our team members. It worked 9 out of 10 times. The queries returned with actual, verifiable data most times, regardless of their location of registration or network”, says Sarah Zafar, the communications lead of Media Matters for Democracy (MMFD).

The website also provides a ‘search service’ to lookup the national identity card numbers. Test queries with real CNIC number returned with real and verifiable personal data of citizens, including but not limited to current and permanent addresses.

“This is nothing short of a privacy nightmare”, says Sadaf Khan, the director of MMFD. “Acquiring somebody’s personal information is as simple as a click of a button, and yet I am sure there will be no repercussions. Unfortunately, data protection and privacy is perhaps not a priority of our government it seems”.

A ‘WhoIs’ lookup query on the website reveals that it is being operated from Punjab and that it was launched in 2019 with web-hosting paid for till 2020.  The website also runs ads from Ad Sense and seems to be making revenue through automated web-ads.

In the recent past, there have been multiple reports of similar data breaches and instances of subscribers data being sold online. It’s important to mention here that Pakistan currently doesn’t have a data privacy and protection law, and while the federal government claims to be working on it, there is currently no indication of the draft being presented in the Parliament for discussion any time soon.

*The story has been updated to remove URL of the website to prevent access or misuse of sensitive information stored on it.

Written by

Asad Baig is an Islamabad-based journalist. He is the founder and the executive director of Media Matters for Democracy and the editor of Digital Rights Monitor. He tweets at @asadbeyg

No comments

leave a comment