The state bytes back: Internet surveillance in Pakistan

Updated 23 May, 2017 10:36am

Farhatullah Babar measures every word he speaks. His caution, partially at least, results from the burden of being the long-standing spokesperson for Asif Ali Zardari who attracts negative attention like no other political figure has in recent times. Some part of Babar’s restraint has its origin in his stint in the parliament, mostly as an opposition senator. Yet, there is another hazy but very real reason why he seems to weigh his sentences before he utters them: he fears someone maybe listening in on him. “The state agencies continue to invade privacy,” he says.

Sitting in a usable part of an otherwise crumbling old building in Islamabad, Babar looks like a character from a Hollywood detective thriller. “The scope of surveillance has increased recently,” he says, as lights flicker in the empty halls around him which once housed the offices of the Urdu daily Musawat, published by the Pakistan Peoples Party (PPP) in the 1970s. “Many people feel their phones are being intercepted,” he says in his signature low husky voice.

One of his colleagues in the senate, Saleem Mandviwalla who, like Babar, belongs to the PPP, is on record as having complained about such interception. At a meeting of a senate committee in January this year, Mandviwalla waived official documents to claim the federal government had authorised the tapping of his phone and interception of his personal data.

Illustration by Aan Abbas
Illustration by Aan Abbas

Aftab Sultan, the head of the Intelligence Bureau (IB), was present in the meeting but he denied any knowledge of the authorisation. He said no official working under him could intercept any communication without first bringing it to his knowledge. He also said that only the prime minister could approve such interception and, that too, if the source of communication was a terrorist. No one really believed him.

Intelligence agencies in Pakistan have hardly managed to stay away from communications exchanged among citizens. In the 1990s, monitoring and interception of these communications was so pervasive that governments rose and fell as a result of them. Even though the political climate has changed since then, intelligence agencies continue to tap phones and other means of communication used by politicians, human rights activists, journalists and government officials, among others. A report released by Privacy International, an advocacy group based in the United Kingdom, claimed earlier this year that various intelligence agencies were tapping thousands of phones in Pakistan.

If anything, says Babar, the state’s capacity for surveillance has grown over time. “The rapid growth of technology has increased the ability of intelligence agencies to intrude private space,” he says. “The bigger the technological advances are, the greater the invasion of privacy is.”

The Privacy International report is based on extensive research and hundreds of interviews about the prevalence of surveillance in Pakistan’s cyberspace. Titled as Tipping the Scales: Surveillance and Security in Pakistan, the report makes some startling revelations.

Since 2005, it says, different intelligence agencies have acquired surveillance technology from top technology companies in the world. These companies include France-based phone manufacturer Alcatel, communications giant Ericsson, Chinese equipment manufacturer Huawei and cyber security providers SS8 and Utimaco. Based on such equipment purchases, the report claims, the surveillance capacity of the Inter-Services Intelligence (ISI) – Pakistan’s globally renowned military-run secret agency – has outgrown the legal and regulatory mechanisms available both locally and internationally.

Some of the information presented in the report is based on 400 gigabytes of digital documents hacked from the computer network of Hacking Team, an Italian firm that specialises in Remote Control System, a spying software. The hacked information was originally released by WikiLeaks on July 8, 2015, and carried extensive details of correspondence between the Hacking Team and multiple contractors working on the behalf of different Pakistani law enforcement and intelligence agencies including the ISI, the Federal Investigation Agency (FIA), the ministry of defence and the Sindh Police.

Some of this correspondence appears to have started in 2009, but the earliest hacked email comes from 2011 and the last one was exchanged in May 2015, as reported by Jahanzaib Haque and Atika Rehman in the daily Dawn and in late July. “Aside from allowing access to photos, emails, chat conversations, social media accounts and passwords, the software [that Pakistani entities were trying to procure from the Hacking Team] can tap phone and Skype calls, take photographs using the infected device’s camera and switch on a device’s microphone — all without the user’s knowledge, and without affecting a device’s battery life,” the two wrote.

The irony is that the intelligence agencies were willing to share virtual space with their nemesis in order to be able to suppress the freedom of expression and the right to privacy of Pakistan’s own citizens. In February 2014, the Hacking Team staff conducted a webinar in which both India’s Research and Analysis Wing (RAW) and Pakistan’s IB participated.

Photo by White Star
Photo by White Star

There have been other reports making similar claims about the presence of interception devices and surveillance software in Pakistan’s cyberspace. An organisation working on freedom of expression and digital rights, Bytes for All, filed a complaint at the Lahore High Court in 2013 against the Pakistan Telecommunications Authority (PTA), citing a long list of websites and digital platforms being monitored, and also censored, by the state authorities. A final judgment on the complaint, commonly known as the YouTube Case, is still pending at the Supreme Court.

In February 2014, Bolo Bhi, a Karachi-based advocacy and research group working on digital rights, filed a request for information under the right to information law. The request was prompted by a report released on April 30, 2013 by the Citizen Lab, a laboratory based at the University of Toronto, Canada, which focuses on “the intersection of Information and Communication Technologies (ICTs), human rights, and global security.” The laboratory claimed to have detected the presence of FinFisher Command and Control Servers in Pakistan. Sold around the world by the UK-based Gamma Group, these servers operate digital spy softwares to conduct mass surveillance. In May 2014, the PTA, which regulates domestic Internet and telecommunications services, said in its response to Bolo Bhi’s request for information that it had no knowledge of the presence of these servers.

The authors of the report did not know who had set up and was operating these servers. It could be Pakistani intelligence agencies or the secret agencies of other states.

Perhaps the most disturbing disclosure in this regard came from Edward Snowden, the American defence consultant who removed the lid off surveillance and monitoring activities carried out by the secret agencies of the US and the United Kingdom within their own countries as well as abroad. A news report published in the daily Guardian based on documents made public by Snowden, said the British e-spy agency, General Communications Headquarters (GCHQ), had acquired the ability to not only access “almost any user of the Internet” inside the entire country of Pakistan, but also “to re-route selective traffic across international links towards GCHQ’s passive collection systems.”

Such intrusive surveillance could not have been possible without the participation, or at least silent cooperation, of the Pakistani authorities, Privacy International reports. Pakistan is known to have signed an agreement with the United States on sharing signal intelligence and, under this arrangement, Pakistan has become one of the largest receivers of funds from America’s National Security Agency (NSA) to improve its spying and surveillance capacities under the signal intelligence agreement. The agreement guarantees that the relationship between the two countries is a “long-term one” involving “higher degrees of trust” and “greater levels of cooperation”.

According to Privacy International, Pakistan receives “technical solutions (for example, hardware or software) and/or access to related technology” in return for its “willingness to do something politically risky,” such as surveillance and interception of personal and institutional communications.

The WikiLeaks papers show that a large part of this sharing of signal intelligence was allowing the NSA and the GCHQ to monitor and intercept the internal and external communications of many senior politicians and leaders of major political parties in Pakistan, including the PPP. “It was quite worrying,” says Babar, while talking about his party’s reaction when the extent of the surveillance by the Americans and the British first became public.

“We always knew that the [Pakistani] security agencies tapped our telephone lines,” he says. That the American and British agencies can also access phone records, retrieve email messages and can even activate hidden cameras within Pakistan points out that they “are as heavily involved here as our own agencies.”

The Privacy International report also suggests domestic agencies have been doing their level best to stay ahead of their foreign counterparts. The group reports that for at least two years the ISI has been looking for software and equipment that could easily dwarf all previous mechanisms to monitor, intercept and divert digital telecommunications.

“In June 2013, the Inter-Services Intelligence (ISI), Pakistan’s best known intelligence agency, sought to develop a mass surveillance system by directly tapping the main fibre optic cables entering Pakistan that carried most of the nation’s network communication data,” says the Privacy International report. The agency sought proposals for a “Targeted IP Monitoring System and COE [Common Operations Environments]” that could capture and store approximately 660 gigabits of Internet Protocol (IP) traffic per second. “ This system would make available virtually all of the nation’s domestic and international communications data for scrutiny, the most significant expansion of the government’s capacity to conduct mass surveillance to date,” the report adds.

“What the ISI wanted to build … was a complete surveillance system that would capture mobile communications data, including Wi-Fi, all broadband Internet traffic, and any data transmitted over 3G,” says the report. The interception under the proposed system was to be “seamless” and “not be detectable or visible to the subscriber”.

Imagine someone looking into every email you send or receive, or every phone call or text message you exchange, or every website you visit — and add the fact that you don’t even know that your communications are being watched. Hair-raising stuff, indeed.

The Privacy International acknowledges that “only a handful of governments have managed to capture all communications of their citizens” but, according to Dr Richard Tynan, a technologist working with the group, in many states, including Pakistan, “interception and storage technology is being enhanced all the time.” Once enhanced capability for monitoring and intercepting Internet communications become available to the governments seeking them, he warns, it will be “a very dangerous development.” If and when these states have the required mechanisms in place, says Tynan, “many citizens may have to assume their communications are ending up in some monitoring centres because they pass along tapped links.”

Illustration by Safwan Subzwari
Illustration by Safwan Subzwari

Though the ISI has specified in its request for the proposals that the system it is seeking should be “capable of monitoring 1,000 to 5,000 concurrent targets,” it would only require additional desks and more computers to increase the number of targets to be monitored. In its second phase, the Privacy International report says, the system would need to capture “all international Internet Protocol (IP) traffic at present,” from three landing sites for international fibre optic cables and from two satellite data aggregation sites. The ISI, according to the report, has also sought to collect subscriber information from 60 Internet and broadband service providers. “Comparing this subscriber data with IP addresses would allow the intelligence service to accurately identify users accessing Internet sites,” the report says.

It is not possible to confirm if the ISI has got what it wanted. Investigations carried out by the Herald suggest the only states capable of putting together financial and technological resources for creating a mass surveillance system similar to the one sought by the ISI are the highly developed ones, such as China and the US. It is also clear that the required system could be built only by a company with a very sophisticated level of technological expertise. Since no Pakistani company seems to have the required level of expertise, engaging a foreign firm which can get a security clearance for the purpose also seems like a time-consuming exercise. Such questions related to costs and capacity, therefore, suggest that the agency may still be some way away from getting what it has been seeking.

Even if the ISI does not yet have the technological and financial resources to access all the data flowing through Pakistan’s cyberspace, it has the unqualified blessing of the law to tap into personal communications of any individual or institution, as and when it wants. The state’s ability to monitor and intercept private communications is, indeed, built into the regulatory regime. The undertaking that all Internet service providers give when they apply to the PTA for a licence makes it mandatory for them that they” shall meet the requirements of authorised security agencies for legal interception of calls and messages.”

The service providers in Pakistan are widely known to have complied with official requests for access to their data since the 1990s. Only in recent months, both the ISI and its civilian counterpart, IB, are known to have received access to Internet data operated by various service providers.

Illustration by Safwan Subzwari
Illustration by Safwan Subzwari

Like many things good or bad prevalent in today’s Pakistan, interception of private communication has its origin in the British colonial rule in the Indian subcontinent. Historically, such interception was done by the Special Branch of the police, the Criminal Investigation Agency and the IB, but it was largely restricted – even well after the British had left – to physical surveillance and monitoring through informants.

The first extraordinary instance of what was then known as wiretapping, was an authorisation by then prime minister Zulfikar Ali Bhutto for the setting up of a special cell within the IB to monitor the senior officials of the armed forces after the dismissal of Gul Hassan Khan as army chief and Rahim Khan as air force chief in 1972. The cell was led by one Colonel Mukhtar and was called Mukhtar Force after him (not to be mixed with a Shia welfare organisation of almost the same name). Its staff consisted entirely of retired military officers.

Dr Hamid Hussain, an independent researcher based in New York who has studied the working of intelligence agencies in Pakistan, says the cell was shut down after Bhutto was removed in a military coup in 1977. Mukhtar was sacked and all records at the cell were seized by the coup makers.

Bhutto was also the first, and so far the only, prime minister to have ordered the ISI to tap the phones of his political opponents after protests broke out against his government in the first half of 1977. He would be the last civilian ruler to exercise direct control over the ISI.

Following General Ziaul Haq’s military coup, the role and the capacity of the military’s intelligence agencies increased, as they closely collaborated with the US during the anti-Soviet war in Afghanistan. The Americans provided generous technical assistance to improve the surveillance capacity of Pakistani intelligence agencies, particularly the ISI.

It was also during the 1980s that Amjad Alvi, a self-taught techie in Lahore, started importing computer hardware to assemble some of the first computer networks in Pakistan. He was also one of the first Internet service providers in the country. In 1985, his company imported its first modem, and in 1987 started an electronic bulletin board service to transmit brief messages across a small network of computers linked to each other through dial-in modems. “This service was like a blog or a chat room,” says Alvi, only on a very limited scale.

All this was taking place without any government knowledge of it, adds Alvi who also has the dubious distinction of developing the Brain Virus in 1985: one of the first softwares to disrupt hundreds of thousands of individual and networked computers around the globe. “The state has never been able to grasp how cyberspace works, he says and then narrates how some intelligence officials came to see him, after they had received information that he had devised a system to send and receive documents through electronic communication. The officials were curious to know how a telephone could transfer and receive data, he says. “They also wanted to ensure that I did not use the technology without security clearance.”

Alvi did not have trouble in obtaining the clearance. “Since I am a patriot, they cleared me instantly.”

Encounters with Alvi helped intelligence operatives understand the new beast on the block. “We worked on raising the government’s awareness about how the cyber world functions,” he says. That could very well be the beginning of the end of the freedom of computer-based communication in Pakistan, as Alvi and those sharing his network knew it to be.

A harsh surveillance
Create your own infographics

By the 1990s, post-Zia politics had factionalised along civil-military lines on the one hand and along party lines on the other. This factionalism was also reflected in the working of intelligence agencies. While the ISI was tapping the phones of politicians, especially those belonging to the PPP, the IB was mainly active in counter-intelligence to minimise the political impacts of the ISI’s operations. This was the era of what came to be called Operation Midnight Jackal; in a secret operation an IB operative recorded and leaked secret conversations about an army-supported move to remove Benazir Bhutto as the prime minister of Pakistan through a no-trust vote in the National Assembly.

Masood Sharif Khattak was one of the central characters in the operation. Trained in intelligence operations during his brief stint in the army, which he left as a major, due to medical reasons, he joined the IB in 1989 under Benazir Bhutto’s orders. The reason for his induction was to strengthen the civilian intelligence agency as a counterweight to the military-controlled ISI. “It is our political history which did not allow the IB to grow,” Khattak tells the Herald in an interview.

When he became the agency’s director general under another PPP government between 1993 and 1996, he initiated a major move to recruit more people and acquire new technology for the agency. He claims to have acquired the first computers for it. “[The IB] was not the way it should have been when I took over,” he says.

With more power came controversy.

By the latter half of 1996, the Khattak-led IB was being accused of widespread phone tapping. Enjoying blanket permission from the government for surveillance, his spooks were alleged to have tapped the phone conversations of the Chief Justice of Pakistan Sajjad Ali Shah, Chief Justice of the Sindh High Court, Nasir Aslam Zahid, and many other judges serving at the Supreme Court as well as the high courts of Sindh and Punjab. They are also reported to have intercepted and recorded phone conversations of many important politicians, including Nawaz Sharif and Maulana Fazlur Rehman.

The allegations became a part of a case that Benazir Bhutto filed against the dismissal of her government by then President Farooq Leghari. In more ways than one, the judgement in the case set very strict limits on what, when and who the intelligence agencies could monitor, and what they could never do under any circumstances. “The Constitution in clear terms guarantees that the dignity of man and subject to law, the privacy of home, shall be inviolable and further that no person shall be deprived of life or liberty save in accordance with the law,” read the verdict. “Home in literal sense will mean a place of abode — a place where a person enjoys personal freedom and feels secure ... the term ‘home’ connotes meaning of privacy, security and non-interference by outsiders which a person enjoys,” it added in an attempt to set the limits within which a person has the inviolable protection of constitutionally guaranteed freedoms.

The verdict linked the “inviolability of privacy” with the “dignity of man.” It said, “If a man is to preserve his dignity, if he is to live with honour and reputation, his privacy, whether in home or outside the home has to be saved from invasion and protected from illegal intrusion.” The authors of the judgement also declared that phone-tapping or eavesdropping by intelligence agencies “interferes with the right of free speech and expression.”

The judges finally directed the government that “in future whenever any telephone is required to be tapped, taped, intruded or eavesdropping exercise is to be carried on, it should be done with the prior permission of the Supreme Court or by a Commission constituted by the Supreme Court which shall examine each case on its merits.”

Khattak recalls a judge asking him during proceedings in the case as to what national interest was served by tapping the phones of senior judges. “I responded by saying that as an intelligence chief I have the right to know what is happening if two pillars of the state are on a collision course, because that collision brings about instability in the country.”

This was not the first time in Pakistan that someone was citing national interest to defend what the court would ultimately declare as a “reprehensible, immoral, illegal and unconstitutional act.” Nor was it the last.

Photo by White Star
Photo by White Star

In 1996, the federal government enacted the Pakistan Telecommunication (Re-Organisation) Act which under the rubric of national interest gave extensive powers to intelligence agencies to wiretap calls and intercept messages. Section 54 of the act states that “the Federal Government may authorise any person or persons to intercept calls and messages or to trace calls through any telecommunication system.” The only condition set by the law was that this would be done “in the interest of national security or in the apprehension of any offence.” It does not require a legal expert to point out that “interest” and “apprehension” are both such vague words that they can be interpreted differently by different people or by the same people in different circumstances.

A year later, parliament passed the Anti-terrorism Act (ATA) which gave the law enforcement and security agencies the power to search and enter premises without a warrant. In a landmark judgement, the Lahore High Court struck down many parts of the ATA as unconstitutional, but it “upheld these powers by citing the global community’s experience with terrorism,” according to Lahore-based lawyer Waqqas Mir, who has recently authored a research paper on laws infringing upon privacy and freedom of speech and association. “The court held that increased powers intruding upon privacy were necessary to counterterrorism.” While hearing appeals against the Lahore Court’s judgment, the Supreme Court also upheld this view. “The right [to privacy] was not absolute and could be curtailed to counterterrorism,” ruled the apex court.

Mir says the courts have tackled questions of privacy and protection of personal information and data in a number of cases since the 1990s with varying interpretations but “the law has not always kept pace with technology.” Rapid changes in technology have always surpassed the parameters set in each of these verdicts.

To cite just one example, the introduction of +92 as Pakistan’s international direct dialing code made it easier to tap or intercept calls. As compared to the old switchboard-based manual system which required physical intervention by the intelligence operatives and required time to listen in on phone conversations, the new digital system could route any calls through surveillance apparatus at the flick of a button on a computer keyboard.

Instead of providing legal protection to the citizens against these technology-enabled threats to their privacy, the government has allowed the intelligence agencies to continue their surveillance without let or hindrance. In February 2001, this impunity culminated into another scandal. A British newspaper, Sunday Times, shocked everyone in Pakistan by printing the transcripts of phone conversations between Nawaz Sharif and two judges who had convicted Benazir Bhutto and her husband, Zardari, during Sharif’s second tenure as prime minister between 1997 and 1999.

“… [T]he publication of the transcripts… has once again brought into focus the role of intelligence agencies in Pakistan. Clearly, the agencies continue to tap telephones and use other methods to eavesdrop with wild abandon,” wrote Mubashir Zaidi in a report published in the March 2001 issue of the Herald.

Illustration by Safwan Subzwari
Illustration by Safwan Subzwari

He also reported the Attorney General of Pakistan at the time, Aziz A Munshi, claimed soon after Sharif’s ouster from power in 1999 that his government, “had tapped the telephones of judges of the superior courts.” Zaidi cited a 75-page list of telephone numbers that Munshi had presented before the Supreme Court, claiming that, besides the judges, Sharif had authorised the tapping of phone conversations of many other people including politicians, journalists and government functionaries.

Zaidi cited his own investigations to report that , “at least 10 intelligence agencies and departments…[continue to] indulge in telephone tapping.” He, therefore, concluded: “Whatever the fallout of the tapes scandal may be, it is unlikely to end large-scale telephone tapping.”

The state was to prove him right as it continued to expand the surveillance capabilities of its intelligence agencies throughout the 2000s. It was during this decade that the cyber section of the ISI was formed. The government is also said to have acquired some monitoring and interception equipment from China and North Korea at some stage but the biggest fillip came from an unexpected quarter. In the post 9/11 world, the US once again needed Pakistan’s cooperation in tackling al-Qaeda and the Taliban, and Washington and London became willing providers of technical assistance and modern equipment to Pakistani intelligence and security agencies.

In order to monitor and intercept communications between militants belonging to al-Qaeda and the Taliban, the American NSA set up a number of listening posts within Pakistan where surveillance operations were jointly carried out by the Americans and officials of the ISI, says independent researcher Hussain. Most of this cooperation only ended following the raid that killed al-Qaeda chief Osama bin Laden in 2011, he adds.

The civilian intelligence agency, the IB, has also continued to expand apace in the meanwhile. The incumbent government has removed the ban on recruitments and its operations are being expanded and equipment being upgraded, according to a 2014 news report released by the Online news agency. The news report also said that billions of rupees were being spent on purchasing surveillance equipment from German company Utimaco in order to improve the IB’s capacity to “keep an eye on other domestic agencies as well as terrorist activities.” The equipment is reported to have the ability to monitor and intercept calls and text messages made through such Internet-based platforms as Gmail, Viber and Blackberry.

Aware of the security risks involved in purchasing sensitive surveillance equipment from foreign manufacturers, the authorities have been also investing considerable amount of money and effort to build indigenous research and development capabilities. An Islamabad-based private company, Center for Advanced Research in Engineering, has collaborated with the National Radio Telecommunications Corporation, a government institution that manufactures telecommunication and electronic equipment, to develop network surveillance and encryption tools, according to Privacy International.

Similarly, the National University of Science and Technology (NUST), which works in close collaboration with the military, engaged a renowned computer scientist, Dr Syed Ali Khayyam, to set up the Wireless and Secure Networks (WiSNet) Research Lab at the School of Electrical Engineering and Computer Science in Islamabad. One of the main functions of this lab is to produce software and equipment that can secure Pakistani security and intelligence agencies against cyber attacks from outside.

“Our mobile and fixed line cyber infrastructure is extremely vulnerable to attacks,” Khayyam tells the Herald in an interview from California, where he works for an American company called PLUMgrid after having left NUST sometime ago. Foreign intelligence agencies, as well as individual hackers, can monitor the data traffic on this infrastructure. They also may have the ability to steal and destroy this data, he says. “A national cyber catastrophe is just a disaster waiting to happen,” he adds.

Create your own infographics

Sceptics have been pointing out similar weaknesses in Pakistan’s information technology and cyber infrastructure to dismiss the claims that the state has the capacity to carry out surveillance and communication interception at a mass scale. They point out that technology is changing so quickly that the state’s attempts at exploiting it to keep an eye on its own citizens will always remain fruitless — or at best only partially fruitful.

A leading computer scientist with vast experience of working with the government deems most official claims about surveillance and communication interception as empty boats. “Sometimes officials claim to have decrypted data packets that even NSA cannot decrypt. They must have created a new science,” he says, laughing.

He explains how technology companies that run information and communication services are using computer programs which are much harder to tap into than their earlier versions. The battle for access to data packets, he says, has entered a new phase where companies are protecting their products and services with encrypted programs, which ensure privacy and can only allow data to be accessed with the consent of the companies handling them.

In the famous Memo Case, circa 2011, for instance, Pakistan was able to access the Blackberry messaging data of Husain Haqqani, accused of having sent emails to American officials inviting them to interfere into Pakistan’s internal political affairs. After creating headlines for months, the case died a slow death when RIM, the Canadian company operating Blackberry phones, refused to share his messages with the Pakistani government.

Independent researchers Khayyam, Sheharbano Khattak, Mobin Javed, Zartash Afzal Uzmi and Vern Paxson, working at different American and Pakistani universities, have conducted surveys and studied six Pakistani networks providing Internet services over a two-year period, between 2011 and 2013, to gauge the financial impact of the government’s attempts at censoring the Internet. They came up with a report, A Look at the Consequences of Internet Censorship Through an ISP Lens, published in 2014 by the Association for Computing Machinery, a New York-based industry group.

With additional information:

Create your own infographics

Their report cites the case of Pakistan’s ban on YouTube to highlight how technological changes are making censorship by the government increasingly difficult, if not entirely impossible. Since that ban was first put in place in 2008, the biggest search engine in the world, Google, has changed its infrastructure, making websites like YouTube harder to block, the report says.

Similar technological limitations faced by the state came to the surface during its effort to block Internet sites deemed against national security interest or containing pornographic and blasphemous contents. The viewers shifted elsewhere. “YouTube blocking caused a major shift … indicating that users resorted to circumvention mechanisms to continue their access,” the report reads.

The researchers, indeed, found the shift to be “well underway already on the day that the government imposed censorship, indicating that a portion of users can very rapidly adapt to the introduction of new blocking mechanisms.” They also observed a sudden increase (40 per cent to 80 per cent) in the traffic volume of other video hosting websites. Many other users simply switched to proxy servers.

“After spending a large sum of money on censorship technology, was the government even successful in censoring the banned content?” asks Khayyam, one of the authors of the report. “Users will always find ways to circumvent censorship technologies.”

What is true for censorship also seems valid for surveillance, the two, after all, have a symbiotic relationship when it comes to the Internet. “These two often go hand in hand,” says Tynan of Privacy International. “To censor something, you need to first observe it and then make a decision about whether to allow it or not,” he says. Surveillance, therefore, is the first step in the process of censorship, he adds.

The changes in technology by the companies are often prompted due to the efforts by states world over to control, censor and monitor the flow of information in the cyberspace. The Pakistani government’s urge for censorship has, thus, increased its challenges as far as its attempts at Internet surveillance and detection of cybercrime are concerned. “On the technology front, there are many challenges over what you can enforce and what you cannot,” says Uzmi, a professor at the Lahore University of Management Sciences and one of the authors of A Look at the Consequences of Internet Censorship Through an ISP Lens.

There, indeed, is no end in sight for the technological revolution perpetually unfolding itself at a breakneck speed. New circumvention techniques will keep coming out, making censorship, monitoring, surveillance and interception of Internet communication increasingly harder. “It is a moving target,” says Uzmi.

Illustrations by Safwan Subzwari
Illustrations by Safwan Subzwari

Where governments are feeling frustrated by changes in technology, they are trying to make up by promulgating laws that give them blanket access to any digital communications — or at least those which move within their own jurisdictions. Two recent Pakistani pieces of legislations, one already in force and the other at an advanced stage of enactment, together have the potential to give the security and intelligence agencies sweeping powers to monitor and intercept digital communications like never before. The laws will have an added advantage for intelligence operatives: they will be able to do with the full backing of the law what they have been failing to do through the deployment of discreet software and stealth equipment.

The first of the two laws, the Fair Trial Act, was passed by the parliament in 2013. Its critics say it provides carte blanche to law enforcement agencies to monitor and record digital communications for the apparent purpose of prosecuting terrorism suspects. “[The act] drastically amends the law on digital surveillance and interception [and] allows state actors new powers as well as procedures for collection and admissibility of [digital] evidence,” says Mir in a 2014 commentary entitled Digital Surveillance Laws in Pakistan, commissioned by the Digital Rights Foundation, an advocacy group. “[The law] places a disproportionate focus on intelligence gathering with a scant regard for privacy of citizens,” he adds.

Through the Fair Trial Act, the federal government has acquired unqualified power to authorise “any … form of surveillance or interception.” The law also makes it impossible for the service providers to deny the government access to their data. A service provider will have to pay a fine of up to 10 million rupees if it fails to comply with a request for access to data made under a warrant for surveillance authorised by the act.

According to Mir, one of the biggest problems with the Fair Trial Act is that it “does not provide any way for the citizen to know that [their] privacy is being intruded upon. The citizen also has “no way of knowing the extent to which privacy is being intruded upon.”

The other major problem concerns the confidentiality of the data monitored and stored for the purposes of interrogation and prosecution. “Although the law does punish unauthorised use or disclosure of information collected under a warrant … there is no provision in the law for the information to be destroyed after a particular period of time. Therefore, technically, the information can be retained by the intelligence agencies or police for as long as they please. This does not augur well [in] a country that has a less than flattering record when it comes to the rule of law, free speech and freedom of association,” writes Mir.

Similar concerns have been raised by Privacy International about a clause in the law that states: “Where nature of surveillance or interception is such that it is not necessary to serve the warrant on anyone, then the same shall not be served and its issuance shall be sufficient basis to collect evidence.” This effectively means that a citizen will never know that a warrant has been issued for surveillance of his or her digital and electronic communications.

“Increasingly, the goal of many states, such as Pakistan, has been to capture all domestic phones and Internet traffic, across the nation’s network,” the group comments while discussing the likely impact of the clause.

Org carrying out internet surveillance in Pakistan

Create your own infographics

The second piece of legislation has had a chequered history as far as its approval and implementation are concerned. Practically, it is a successor to the Electronic Transactions Ordinance issued in 2002 by the military government of Pervez Musharraf. This ordinance, according to a news report published in the daily Express Tribune, was the first law that provided a “solid foundation for legal sanctity and protection for e-commerce locally and globally.”

The first law to succeed the Electronic Transactions Ordinance was the Prevention of Electronic Crimes Ordinance, issued in 2007 also by the Musharraf regime. Since its promulgation, two successive governments and parliaments have struggled to transform it into a legislature-approved act. Multiple drafts have been produced, circulated and discussed, with none of them becoming acceptable to legislators of different ideological persuasions as well as the representatives of the information technology industry and groups working on digital rights. In the long drawn-out process of discussions about the contents of the proposed law, its original movers have turned into its detractors and vice versa.

Zahid Jamil, a Karachi-based senior lawyer who has been involved in drafting at least one version of the proposed law, complains that mismanagement and incompetence have derailed any meaningful legislation to succeed the 2007 ordinance. Since 2014, he has been pushing for a consensus on the new law but wrangling among stakeholders seems to have frustrated his efforts as well as initiatives by many others working for the same cause.

Way back in 2008 when the PPP came back into power, its government thought it fit to replace the Prevention of Electronic Crimes Ordinance with another law on the grounds that the ordinance was promulgated by a dictator and included draconian provisions infringing upon the rights of citizens. The ordinance was seen to have given sweeping powers to the state in acquiring communication data from service providers by stating that the “Federal Government may require a licensed service provider, within its existing or required technical capability, to collect or record through the application of technical means or to cooperate and assist any law enforcement or intelligence agency in the collection or recording of … data, in real-time.” In the same manner, the federal government enjoyed unlimited power under the ordinance to make service providers keep the surveillance and interception of data secret.

When the proposed law was first introduced in the National Assembly, Pakistan Muslim League-Nawaz (PMLN), then sitting on the opposition benches, decided to oppose it. Anusha Rahman and Marvi Memon, both representing the PMLN in the National Assembly’s standing committee on information technology, dismissed the government’s draft as just a watered-down version of the 2007 ordinance that it was aiming to replace. Their opposition was so vehement that, in August 2009, then Prime Minister Yousuf Raza Gilani withdrew the government draft.

Rahman and Memon then proposed an alternative draft by the name of Cyber Crime Act 2009. Newspaper reports suggest the two legislators had drafted the law with extensive input from the information technology and telecommunication industries, as well as digital rights groups. The draft was sent to a select parliamentary committee supposed to be chaired by Sherry Rehman, then federal information minister and later Pakistan’s ambassador to the US. The committee, however, could not meet even once before the 2013 general election was held.

After the PMLN formed the federal government following its victory in the last election, there were expectations that Rahman and Memon would expedite the passage of the law, especially since the former has also become state minister for information technology. Yet the draft continued to sit inside official files for over a year, without making even an inch of progress.

Representatives of information technology and telecommunication industries and activists working on digital rights, were so frustrated by the delay that in 2013 they decided to get together and come up with a draft of their own. Several meetings subsequently took place where representatives of the two government departments, FIA and PTA, held detailed discussions with activists and representatives of the two industries. A draft soon emerged.

Through hectic efforts made over months spearheaded by Jamal, the stakeholder-proposed law was then reconciled with the one proposed by Rahman and Memon, to create a consensus draft. But when the federal cabinet perused the consensus draft, it recommended a few amendments. The digital rights activists were not pleased as they saw these amendments infringing upon the freedom of expression and privacy. “The government got scared when it found out that people were using the Internet not only for doing business but also to engage in politics and to voice political opinions,” says Jehan Ara, the head of the Pakistan Software Houses Association (Pasha) when asked by the Herald about the amendments made by the cabinet. “The government’s gut reaction is to try to control the Internet,” she adds.

Rahman, nevertheless, put the draft, as amended by the federal cabinet, in front of the National Assembly’s standing committee on information technology. The activists, however, were able to convey their concerns to the committee through a member of the National Assembly from Karachi. It was due to these concerns that the standing committee decided to form a subcommittee to revise the draft one more time.

There were many subsequent changes to the composition of the subcommittee in order to minimise changes in the government-sponsored draft. In August 2015, the subcommittee met and finally approved its passage. The activists and industry representatives were furious; they were not even invited to the meeting where the approval was given.

The opposition members of the subcommittee were also mightily displeased. Two of the committee’s original members, Shazia Marri of the PPP and Mushahid Hussain of Pakistan Muslim League–Quaid-e-Azam, protested that they were kept out of the proceedings where approval for the passage of the draft was given. “I feel that it’s extremely important to combat terrorism and to track those who use cyberspace to commit acts of terrorism, but it’s also crucial to safeguard the civil liberties and rights of the people, as enshrined in the Constitution of Pakistan,” Marri wrote in a letter of protest to the chairman of the standing committee.

Some other issues pertaining to privacy and freedom of expression also emerged in the meanwhile.

In April 2015, the government took the stance that the draft has to be in line with the National Action Plan against extremism and terrorism. Amina Sohail, a lawyer working with the government, was subsequently assigned the task to redraft the bill. Her draft not only included multiple new offences, it also removed many procedural checks and balances sought by the information technology and telecommunication industries. One of its sections provided that the service providers were required to “retain [their] traffic data for a minimum period of one year or such period as the [government] may notify from time to time and provide that data to the investigation agency or the authorised officer whenever so required.” Such comprehensive powers to control and invade the Internet were not provided for, in any of the earlier drafts.

It is highly likely that the government will disregard the opposition to the draft and will try to have it passed as early as possible. Barrister Zafarullah Khan, special assistant to Prime Minister Sharif, has already indicated the government’s intention to table the bill in the National Assembly in the coming weeks. And the government may not face any problem in its passage from the National Assembly where the ruling party has more than the required majority. The passage from the senate will be a different matter since the opposition parties still have the majority there.

Considering that the PPP has already vowed to oppose the bill in its current shape, there is little chance that the draft will become a law any time soon.

Photo by White Star
Photo by White Star

Babar will again be in the limelight when the draft lands in the Senate. “We have told the government not to bulldoze the law through parliament. Let the law take another year if that is needed to take the input of all stakeholders into account,” he tells the Herald. The law, he says, will define the future shape of the relationship between the state and its citizens and, therefore, there should be a public debate on it. “The most important thing is that citizens’ privacy is not invaded.”

Babar, however, believes that the problems related to privacy will not be addressed merely by forming a flawless law on cybercrimes. The issue, indeed, is rooted in the debate over the activities of the intelligence agencies with regard to surveillance and censorship.

He narrates some disturbing incidents about how intelligence and security agencies remain stubbornly unwilling to let their functioning come under any parliamentary or legal purview. As the head of a subcommittee of the upper house on the right to information, has been working for two years on a draft law that envisions that the state must voluntarily make maximum disclosure about its activities, with very few and strictly defined exemptions, as opposed to the right to information legislation which requires citizens to actively seek any information. The debate on the draft has been delayed due to an unexpected roadblock. “When we were drafting the law, we wrote a letter to all stakeholders. We thought the ministry of defense and the military establishment were the most important stakeholders since they are the ones who seem the most reluctant to part with information,” says Babar. “They sent us a letter which said that this was a sensitive matter and, therefore, we should seek a No-Objection Certificate from the military authorities before proceeding on it.”

A similar situation developed in the senate in 2013 when an opposition senator sought a copy of the law under which the ISI operates. The government’s response to the request was straightforward and categorical: “This is a secret and sensitive matter and cannot be brought before parliament.”

That the military establishment is not answerable to parliament, the top law-making body in the country, is the reason behind the unquestioned and unshared power the security and intelligence agencies have over any issue that is even remotely linked to national security. To address the problem, Babar says, he has always suggested that, “the intelligence agencies should be brought under parliament’s oversight.”

To do so, the senate’s human rights committee approved a draft bill in 2013. Titled as Inter-Services Intelligence Agency (Functions, Powers and Regulation) Act of 2012, it aims at regulating the functioning of the country’s premier, and most controversial, intelligence agency. The 19-page draft envisages parliamentary and government oversight over the ISI, in particular, and other agencies in general; it recommends accountability and checks to stop the secret agencies from enforcing disappearances and victimising political opponents of the military establishment as well as the government of the day.

Babar’s PPP – as well as the ruling PMLN – are reluctant to back the draft for the simple reason that both the parties do not want to antagonise the military establishment. But many of his colleagues in the senate, including its chairman Raza Rabbani and members like Haji Adeel and Bushra Gohar of the Awami National Party and Mandviwalla of the PPP are convinced, like him, that the growing surveillance and interceptions of digital communication are linked to the accountability of intelligence and security agencies — or, more precisely, the lack thereof.

After all, if someone has the power to look into people’s personal communications, and have the surety to do so with impunity, why wouldn’t they?

This was originally published in Herald's December 2015 issue. To read more, subscribe to Herald in print.