A visibly illicit website, offering personal information of mobile subscribers and CNIC holders in Pakistan, was found advertised on a leading news publication last month.
The website was noticed by a member of Media Matters for Democracy (MMfD)’s team in the Urdu section of a major news publication and was later tested independently by Digital Rights Monitor (DRM). It was accessible only through a VPN (virtual private network), which is an encrypted connection primarily used to browse the internet undetected and gain access to blocked websites. The website’s amateurish layout, suggestive of a hasty creation and lack of sound development resources, instantly marks it out as a privacy horror.
The URL, which has been withheld in this report to prevent unnecessary access and malicious use of sensitive information, hosts a variety of personal information, including the Computerised National Identity Card (CNIC) details and phone numbers of consumers registered with the Pakistan Telecommunication Authority (PTA). The exposed information, which wary internet users may find alarmingly intrusive, can be fetched with a single click.
The website claims to hold a database of phone numbers from across the country and provides a variety of critical information of a SIM card or CNIC holder, including their current or permanent residential address. During multiple inquiries conducted by DRM, the website fetched the actual owners of the mobile numbers and their service providers, albeit with some spelling errors.
Most of the searches conducted by DRM and other members of MMfD’s team retrieved accurate information, including CNIC numbers and residential addresses. A few mobile numbers, however, were not entertained by the website, which it says it is “not eligible to search”. In these cases, the user was advised to contact a “support person” to get the required information from the “head office”. No further inquiry was made in this regard until the publication of this report.
Multiple queries were carried out on the website from various locations, including Karachi and Islamabad. Both the SIM card and CNIC-related searches predominantly provided accurate and verifiable information of the subjects that were investigated.
Ironically, the website, which blatantly publicises personally identifiable information, claims to serve as a platform to prevent the increase in “illegal activities” through misuse of SIM cards. The information is provided “free of cost” and additional services such as a “live tracker tool” are also among its primary highlights. The tracker, however, only fetched the general information associated with a given SIM card when tested by DRM.
While websites publicising mobile subscription and CNIC information are not an anomaly in Pakistan, their repeated emergence points to the persisting challenge that critical information of citizens will remain public on the internet. Despite the government’s actions, such rogue platforms continue to emerge under one URL or the other.
But what warrants serious attention here is the advertisement of such a menacing platform on a news website. Since a number of news outlets in Pakistan opt for Google’s ad services for the monetisation of their web content, what set of controls can they implement to effectively monitor the ads displayed on their websites?
“You can report abusive ads to Google but you do not get too much control over the ads that are shown,” Gibran Ashraf, former editor at SAMAA TV (Digital), told DRM. “The other control you have through AdSense is that you can turn off the ads served by Google to show the ads you want — i.e., the ones you have directly from a client.”
Ashraf highlighted that Google is just one of the many ad networks globally, but it is among the largest. In Pakistan, however, newsrooms often have to choose from limited options, while there are additional services available with varying capabilities and payouts, he added.
A number of unauthorised platforms holding critical data on a vast number of mobile users have been reported on in the past, with some online groups reportedly going to the extent of selling personal information from the “coveted” National Database and Registration Authority (NADRA). Instances of private mobile data being sold on online platforms and in closed social media groups have also been reported.
Hija Kamran, a digital rights advocate and editor at GenderIt.org with the Association for Progressive Communications (APC), in a statement to DRM, ascribed the continuing privacy breaches to the lack of adequate protocols at both federal and private levels.
“These websites are not a blessing that many on social media think they are,” Kamran said. “In fact, they point towards a worrying trend of lack of privacy protocols at various government and private bodies level. This is not the first time, and certainly not the last time we’re seeing over 200 million Pakistani citizens’ data being misused.”
She questioned the role of state regulators in protecting the privacy of citizens’ critical information.
“It’s unclear where the NADRA data was acquired from, but it is certain that the onus of any implications on citizens’ safety as a result of this mishandled data must fall on the government regulators who collect, process and store citizens’ intricate information.”
Kamran raised concerns about the potential weaponisation of personal data by malicious actors, especially in the case of women and individuals from vulnerable groups. She also pointed out that lack of understanding around gender-based violence, both online and in physical spaces, worsens the situation for victims and survivors of violence in the country.
“The need is for the government to focus on passing a rights-respecting data protection legislation that has been in the works since 2018 and has gone through multiple phases of revision,” Kamran added. “Until we have a data protection law that priorities people’s safety over political interests, these incidents of privacy violation will continue to happen.”
The promotion of explicitly malicious platforms, which may lead to blackmail and harm due to the violation of data privacy, also raises questions about the transparency mechanisms in place for the ads published by Big Tech platforms. Google, in particular, has faced critical scrutiny for reportedly profiting from disinformation and other various forms of harmful content. The situation is particularly concerning for non-English language web pages, as leading tech platforms have long been accused of neglecting and being unwilling to address the cultural, political, and social nuances specific to each market for financial gains.
