Image courtesy: Senate of Pakistan
In a briefing to the standing committee of the senate on information technology and communication the Federal Investigation Agency (FIA) revealed that their cyber-crime wing has arrested mobile phone importers, tour guide operators and FIA officials posted at airports in relation with a massive data leak of passport details to register new cell phones being brought into the country. There are around 54 thousand complaints in relation to cell phones being falsely registered on the leaked data. There are also 24 cases foreign passports’ data being stolen.
The data leaks became apparent in May this year after a government policy on cell phone taxation was introduced. The policy allowed for one cell phone to be registered free of tax on the passport number of someone travelling back to Pakistan from an international destination. The policy has since been revoked and according to the FIA, this has prevented further leaks.
People were alerted to their data being leaked when they tried to register their own devices on their numbers only to find out that a device, they did not own had already been registered with their passport details on the PTA website. This is when they started reporting the misuse of their data to the PTA.
According to Yasser Latif, a lawyer of the High Court, “There are two laws they [FIA] can plausibly act under. One would of course be PECA i.e if the data was stolen from an information system which would be likely in this case. The second law they may act under is the Passport Act which under 6(h) makes it a crime to traffic passports which is ostensibly what is being done here.”
The need for a data protection law has become even more apparent, with similar sensitive data leaks from government databases such as Nadra’s data and pictures from safe city.
While PECA, creates a framework for investigation of such crimes, there are no guidelines for government departments and agencies or private corporations on how this very sensitive data needs to be stored, used and shared.
In this specific case Yasser says, “If there was a data protection law, it may be able to further penalise and make it a clearer offence to traffic such data for whatever purposes because PECA deals with offences against the integrity of the information system for the most part. Passport Act is almost 50 years old and would require a purposive interpretation to be used in this scenario.”
Sadaf Khan, the programs director at Media Matters for Democracy (MMfD) says, “The need for a legal framework that outlines an essential data security framework and allows citizens respite in case their data is stolen or leaked through public or private data bases is essential and urgent.”
According to news reports, the data from the passports was leaked before the individuals reached mobile phone registration counters located within the airport. This makes it important to introduce laws that protect and create accountability on how data is shared. Sadaf points to a draft bill already on the website of the Ministry of Information Technology and Telecom (MoITT) that should aim to do exactly this but falls short in key areas.
She says, “It gives exemptions to government bodies that make it ineffective. Government bodies hold the most massive amounts of data, including biometric and identity data and in past there have been reported incidents of this data being leaked and sold. If the law doesn’t extend to these entities, its effectiveness would be fairly limited and the public still won’t have any legal remedy when leaks & sale of data from public databases occurs or continues.”