There was a time when the national identity card and the passport were the main places where a citizen's private data was collected and stored. When NADRA came into being, much of this data, along with child registration certificates and family registration certificates, was computerized and moved into a central database.
According to Privacy International, any data that can be used to identify an individual, directly or indirectly, can be termed personal data. A more comprehensive definition is the one in the European Union's General Data Protection Regulation (GDPR), which was adopted in April 2016 and became enforceable in May 2018.
Under the GDPR, a natural person is identifiable if he or she can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. Apps such as the Chinese TikTok or the Indian MX TakaTak collect exactly these kinds of identifiers. As Pakistanis continue to use such apps, the fear is that, since governments often exercise considerable control over apps operating in their countries, they might use information gathered on the citizens of other countries for nefarious purposes.
As digital transformation takes over government processes, almost every one of us has a digital footprint, whether we notice it or not. Take, for example, the information entered into your Android phone: your name, telephone number, addresses and so on. In a way, we voluntarily hand over personal data with some degree of confidence that our details will not be used or abused.
But things do not always pan out that way.
A bigger moment of reckoning arrived recently when the FIA announced that the data of millions of customers from "almost all" banks operating in the country had been stolen and allegedly dumped on the 'dark web', a collection of websites that exist on an encrypted overlay network and cannot be found with traditional search engines or visited with traditional browsers. It was the biggest data breach to hit the banking industry in the country. According to the FIA, an international company named Group-IB, which was working in Pakistan to prevent cyberattacks, had discovered the payment details of 177,878 plastic cards from Pakistani and other international banks.
None of the companies or organizations that suffered data leaks faced any repercussions, or even tough questions, about putting sensitive user data at risk. It remains unclear whether proper mechanisms are in place to prevent such incidents in the future, and, for that matter, what the nature of the attacks was and what is being done to address them.
In the absence of any legislation on data protection, a common citizen has no legal way to ask government departments and private companies how and why their data is being held, retained, processed and shared.
The first real debate about privacy and data protection after the telco and digital boom in Pakistan started in 2012 when the Pakistan Telecommunication Authority (PTA) ordered telecom companies to terminate late-night call packages and reportedly used transcripts of a private phone conversation between two people as the justification for its decision in court.
Civil society and individual citizens severely criticized the authority, which is responsible for the establishment, operation and maintenance of telecommunications in Pakistan. Experts questioned whether the PTA had any authority to intercept private phone calls between common citizens, much less present them in court as evidence. And would the PTA have any means to prevent the cross-border exploitation of citizens' data through digital applications if it cannot even control illegal data usage at home?
Today there are virtual profiles of each one of us on the internet, accessible to others and built from data that we may or may not have agreed to share. How? Through the digital apps we use, such as MX TakaTak, an Indian app similar to TikTok. Such an app can assemble an entire profile of you from the places you frequent, your home, your family, your culture and your psychographics.
Notice how an ad for a product or service flashes up on Facebook soon after you talk about that product, or something similar, with a friend. The world's most valuable resource is data, and attempts to hack and dump this valuable resource have increased more than ever, globally and nationally.
While some government departments, such as NADRA and the PITB, have data protection clauses in the laws governing those bodies, Pakistan has no all-encompassing legislation covering Pakistani citizens' data. The Prevention of Electronic Crimes Act (PECA) should not have been passed in 2016 without a data protection law already in place. In the absence of such a law, citizens remain vulnerable to having their personal and private data used against them, even when there is nothing criminal about it.
That risk is greater still if the data is harvested by spyware bundled with Indian digital applications and traded on the dark web. Pakistan has seen a significant uptick in cybercrime in the last decade, including online abuse, online banking fraud, ATM skimming, impersonation and hacking.
Many of these crimes involve obtaining a user's data by some means. Media outlets reported dozens of cases in which bank accounts were opened in the name of a person who knew nothing about it, and money was then moved through those accounts. In one case an account was opened in a dead person's name, which raised the obvious question: where did that data come from?
So far, the only diagnosis is that officials are still struggling to come to terms with how technology is being misused and abused. The danger in Pakistan, in the absence of laws and regulations, is that law enforcement routinely crosses the line between surveillance and safety, although the two are not the same thing. In such situations, common citizens will always be vulnerable. The government of Pakistan recently passed a new set of regulations that critics say will give the government more control over how Pakistanis can use social media.
The “Citizens Protection (Against Online Harm) Rules, 2020” oblige social media platforms like Facebook, Twitter, and Google to block or remove posts that are considered objectionable by the government. The government can also acquire data and information from the companies.
However, how far can the government go in preventing citizens from downloading digital applications that could very well be Trojanized?
Officials maintain that the regulations will help them monitor and mitigate online content that has to do with "terrorism, spying, extremism, hate speech, fake news, incitement to violence and national security." Social media companies such as TikTok will also be required to set up a physical presence in the country (which TikTok has) and appoint a contact person who will report to a "National Coordinator" at Pakistan's Ministry of Information Technology and Telecommunication. On this reading, MX TakaTak will soon be banned, along with similar apps such as Snack Video.
Surprisingly, the rules were reportedly approved by the government without public consultation and enacted behind closed doors. A joint statement from various Pakistani civil society actors said that the new social media rules "point towards the centralization of power to exercise strict controls over digital and online narratives." The statement is something of a paradox, however, because restrictions of this kind are exactly what is required to control access to citizens' private data.
“The policy itself is dictatorial and unresponsive to the global digital environment,” said the statement from the Media Matters for Democracy initiative. “We believe that rather than protecting citizens from online harm, these rules stand to create significant harm by isolating Pakistani citizens from the global Internet.”
Many Pakistani civil society activists fear that restrictions on social media companies may lead to strained relations between the platforms and the government of Pakistan at a time when the vital digital economy of the country is beginning to take off.
With all these advantages come many risks. Since most of these apps are used by young people, who are generally less concerned about such risks, this raises the question: do we shift the onus entirely onto the PTA for not being vigilant?
A small cluster of Trojanized versions of Android apps was discovered recently, marketed mainly to people who live in Pakistan. Someone modified these otherwise legitimate apps (clean versions are available for download on the Google Play Store) to add malicious features that appear to be focused entirely on covert surveillance and espionage.
The modified apps look identical to their legitimate counterparts and even perform their normal functions, but they are designed to first profile the phone and then download a payload in the form of an Android Dalvik executable (DEX) file. The DEX payload contains most of the malicious functionality, including the ability to covertly exfiltrate sensitive data such as the user's contact list and the full contents of SMS messages. The app then sends this information to one of a small number of command-and-control websites hosted on servers located in the subcontinent.
The selection of apps is peculiar: they are neither the most popular nor particularly distinctive, unlike an app such as MX TakaTak. There is no indication that the publishers of the original apps are aware that these Trojanized versions exist.
Also found were modified versions of a Muslim prayer-clock app called Pakistan Salat Time; an app for comparing the prices of mobile phone plans called Mobile Packages Pakistan; a utility that checks a phone's SIM card for validity called Registered SIMs Checker; and a maliciously modified version of the app published by TPL Insurance, a company that describes itself as "the first insurance company in Pakistan to sell general insurance products directly to the consumer."
One anomalous app, for which I could find no specific benign analog, called itself Pakistan Chat. This app appears to use the API of an otherwise legitimate chat service called ChatGum, and connects to a ChatGum server, but it also conducts covert surveillance and exfiltration of data from the user's phone.
The primary function of all of these apps is code focused on espionage and covert data exfiltration. When run, an app first sends the device's unique IMEI and a timestamp, together with a username and password combination, to a command-and-control (C2) server in an HTTP POST request. The IMEI is a persistent hardware identifier that survives app reinstalls and SIM changes, which is why it is the natural key for tracking a victim across sessions.
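The behaviour described above (an initial HTTP POST carrying the IMEI, a timestamp and a username/password pair, followed by a DEX download) is what a defender would look for in proxy or sandbox logs. The following is an added example, not code from the original article or from the researchers who analysed these apps: a small Python scanner over constructed request/response records that flags a POST as a profiling beacon when it carries a Luhn-valid 15-digit IMEI alongside credential fields, flags a response whose body starts with the DEX header magic, and reports hosts that do both. The hostnames, paths, field names and bodies are constructed for the example; the DEX magic and the IMEI check-digit rule are real.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs

# Header magic of a Dalvik executable: "dex\n" + three-digit version + NUL (e.g. "dex\n035\0").
DEX_MAGIC = re.compile(rb"dex\n0\d\d\x00")

# Field names commonly used for a login pair. The IMEI is matched on value shape instead,
# because a trojan can call that field anything it likes.
CREDENTIAL_KEYS = {"username", "user", "login", "password", "pass", "pwd"}


@dataclass
class HttpRecord:
    """One request/response pair as a proxy or sandbox would log it (constructed for this example)."""
    method: str
    host: str
    path: str
    request_body: bytes = b""
    response_body: bytes = b""


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; a genuine 15-digit IMEI ends in a Luhn check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_imei(value: str) -> bool:
    """15 decimal digits with a valid Luhn check digit, whatever field name it travels under."""
    return re.fullmatch(r"\d{15}", value) is not None and luhn_ok(value)


def classify(rec: HttpRecord) -> set:
    """Tag a record as a profiling 'beacon', a 'dex' payload download, both, or nothing."""
    tags = set()
    if rec.method.upper() == "POST":
        fields = parse_qs(rec.request_body.decode("utf-8", "replace"))
        has_imei = any(looks_like_imei(v) for vals in fields.values() for v in vals)
        has_creds = any(k.lower() in CREDENTIAL_KEYS for k in fields)
        if has_imei and has_creds:
            tags.add("beacon")
    if DEX_MAGIC.match(rec.response_body):
        tags.add("dex")
    return tags


def scan(records):
    """Map each host to the set of suspicious behaviours observed on it."""
    per_host = {}
    for rec in records:
        tags = classify(rec)
        if tags:
            per_host.setdefault(rec.host, set()).update(tags)
    return per_host


def likely_c2(per_host) -> list:
    """Hosts that both received a profiling beacon and served a DEX file."""
    return sorted(h for h, tags in per_host.items() if {"beacon", "dex"} <= tags)


# Constructed traffic: hostnames, paths and field names are assumptions, not the real C2.
SAMPLE = [
    HttpRecord("POST", "c2-host.invalid", "/api/register",
               request_body=b"imei=490154203237518&ts=1600000000&username=app1&password=s3cret"),
    HttpRecord("GET", "c2-host.invalid", "/update.bin",
               response_body=b"dex\n035\x00" + b"\x00" * 64),
    HttpRecord("POST", "analytics.example", "/collect",
               request_body=b"event=open&ts=1600000001&app=prayer-times"),
    # Same beacon shape under innocuous field names: still caught by the value-shape check.
    HttpRecord("POST", "cdn.example", "/ping",
               request_body=b"id=490154203237518&t=1600000002&user=guest&pwd=guest"),
]

if __name__ == "__main__":
    hosts = scan(SAMPLE)
    for host, tags in sorted(hosts.items()):
        print(host, sorted(tags))
    print("likely C2:", likely_c2(hosts))
```

In a real deployment the scanner would also carry an allow-list of known update servers, since some legitimate apps do download code at runtime, and would weight a beacon more heavily when it fires on first launch before any user interaction, which is the pattern described for these apps.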
Now consider the incessant use of digital applications like MX TakaTak. "Short-form videos are so easy to make, and users love it, as it is so easy to consume," said a Pakistani MX TakaTak user, who had been using TikTok to communicate with her roughly 200k followers on the Chinese app. "So, honestly, I felt very relieved when MX TakaTak came out and I found it can be a good replacement of TikTok," she said.
MX TakaTak is now regarded as a leader among Indian short video-sharing apps. According to Indian media reports, the short video-sharing app market, measured by average monthly active users, grew ninefold from 20 million in 2016 to 180 million in the first six months of 2020, and has continued to grow rapidly since.
This outpaced the growth of social media, whose monthly active users increased from 200 million to 300 million in the same period, and YouTube, which is used mainly to share long-form videos and whose monthly active users increased from 150 million to 325 million.
In June, MX TakaTak's monthly active users reached 167 million, meaning the Indian app alone was almost the size of the entire short video-sharing market. The sudden exit of TikTok therefore left a huge vacancy in a rapidly growing market, and domestic start-ups in the subcontinent were not going to miss the opportunity opening in front of them.
Several start-ups launched short video-sharing apps within a month of the TikTok ban, and three of the four most popular apps today, Josh, MX TakaTak and Moj, were among those new entrants. All were heavily downloaded by Pakistani youth, whether aware of the repercussions or not.
Taken together, these new Indian apps have acquired a user base comparable in size to TikTok's before it was banned. It is estimated that Pakistanis spent a total of 165 billion minutes on short video-sharing apps during the peak of the pandemic, of which TikTok accounted for 85-90%. In October 2020, the time spent on short video sharing totaled 80 billion minutes.
Some people find the quality of content on the Indian alternatives unsatisfactory compared to TikTok and are resisting migration, but neither TikTok nor MX TakaTak is a safe route to entertainment.
It is projected that monthly time spent on short video apps will increase fourfold to 400 to 450 billion minutes by 2025. What can the PTA do then? How can this volcanic eruption be curtailed? How can each citizen's private data be kept private?
All these major Indian start-ups that are leading in the space have investors with strong global names. Tencent Holdings is behind MX Player, which operates MX TakaTak, and Moj is backed by Twitter and Shunwei Capital of China.
Interestingly, ByteDance made its first investment in India in 2016, as part of a strategy to add content-source partners for its TikTok operation there. Now that TikTok has been banned and MX TakaTak has been launched, that investment has turned into an indirect channel for profiting from the growth of the Indian short-video market, and Pakistani youth feel the effects as well.
All of these players are raising funds to accelerate their growth, and MX TakaTak is reportedly in the process of a new fundraising round. So how can Pakistan stop this from affecting its citizens? By allowing TikTok to officially open a headquarters in Pakistan and, in return, banning all Indian digital applications, which is now a reality.
These Indian apps have English-language interfaces, which have paved the way for tapping markets outside India. Depending on the U.S. government’s treatment of TikTok and on the international community’s stances on China’s aggression and oppression on many fronts — including the East China Sea, the South China Sea, Hong Kong, Tibet, and Xinjiang, in addition to the India-China borders — there may be huge opportunities in the subcontinent and around the world for these digital applications to replace TikTok – which will directly and adversely affect our country.
The investment race among these Indian post-TikTok players looks bound to heat up further with such global opportunities in sight, and this wave of potential misuse of Pakistani citizens' data will become difficult for the PTA to control unless it acts soon.