The world is digital. Are you at risk?

When you buy a phone, you do not just buy a chattel for communication. Sure, it doubles as a camera, calendar, and clock (and those are just some of the Cs), but also as a handy little block in which your digital footprint is safely tucked away. Well, tucked away at least, the safe part you may want mull over. 

Profit is a serious magazine covering a beat so underreported in Pakistan that the responsibility on our shoulders is twofold. So it goes without saying, this publication is the last place you would expect to find senseless drivel about constantly progressing generations of warfare, hysteria surrounding cloud computing, and advice to tape up the webcam on your laptop. 

Despite what all the memes have told you there is no FBI agent assigned to you peering into your life through your devices. What has happened, however, is that we all currently live in a world where data is currency, and every single person is a small, constantly buzzing mine of data.      

And your phone is a convenient little slip of a block that contains your digital footprint. It can tell a person what you like, where you shop, where you live, where you travel, where you work, and the deepest most embarrassing questions that you can only ask Google. Again, this is not to say someone is after you, too many people already believe this vain lie about themselves. But this is to warn you that if anyone did want to try and bug you through your phone and ruin your life, it could possibly be a cakewalk. 

The Economist recently advertised a digital billboard that read “Alexa’s listening. Say something intelligent”. The tongue in cheek joke warning of dystopia shows that developed and developing nations of the world are still coming to terms with laws and regulations on how to govern the unseen, unpredictable, and possibly unknown implications that Artificial Intelligence and other forms of technology might have on human lives. And as you may have guessed already, Pakistan is even farther behind. 

There are several facets to the technology issue and therefore several aspects of law making need to be kept in consideration. Broadly, however, the contentions may be divided into three categories: personal data protection, corporate security and risks of doing business, and government data protection and strategic frameworks for protection against cyber attacks.

As of now, Pakistan has a draft bill in the shape of the  “Personal Data Protection Bill 2018 (PDPB)” proposed by the Ministry of Information Technology and Telecommunication (MoITT) in July 2018. It is yet to be debated, voted on, and formulated into an enforceable law. Unfortunately, this will not be a debate about whether this crude bill even comprehensively covers all necessary areas, or is just an attempt to provide more blind power to the powers that be to aid their censorship.

As far as cyber crimes against citizens is concerned, Pakistan’s elite investigation agency – FIA has no access to the data of alleged cyber criminals since Pakistan is yet to sign the Mutual Legal Assistance Treaty, more commonly known as the MLAT, with the United States, or even the cyber crime clause of the Budapest Convention for that matter. 

On corporate and governmental levels, we have the National Information Technology Board NITB playing its part along with a private company, Trillium Information Security Systems, to come up with appropriate technical capabilities as well as a regulatory framework necessitated by the onset of technology. However, in practical terms there is little to be seen, except token anger from the parliamentary committee directed towards the Interior Ministry for creating hurdles in signing of MLAT. The science and technology ministry, at the same time, seems to be too busy with the monumental task of building IT parks and hoping to send Pakistanis into space.

What is more worrisome than all of this combined, however, is the utter indifference from the general population, and even among the computer literate diasporas. This article is written in an attempt to rectify this final problem, with hopes of this urgency reaching the authorities and leading to at least some sort of groundwork towards ensuring security and privacy of Pakistani citizens.

The state of the situation

Pakistan is yet to have a comprehensive cyber security law. We are not even signatories to MLAT which helps authorities to send requests about social media content blocking or removal. While the responsibility of these laws rests with Ministry of Information Technology & Telecom (MoIT), Ministry of Interior (MoI), as well as the Federal Investigation Agency (FIA), if the latest session of IT standing committee of National Assembly’s held on January 22 is considered, there is still no progress whatsoever on the cyber security, signing international covenants, or simply providing necessary security to the denizens of Pakistan.

What Pakistan does have is the Prevention of Electronic Crimes Act (2016). The act outlines cyber crimes like cyberstalking, online harassment and forms of cyberterrorism, while also giving PTA the power to block or remove access to such information. However, when it comes to implementation of the said laws, PTA and FIA both explain that their hands are tied because without MLAT and Budapest convention, they do not have the direct power to communicate or convince social media platforms to remove a post, block an account, or give any information about the ownership of such accounts. FIA representatives have said on record during parliamentary committee meetings that in the absence of social media, short of users using their real name and sharing their contact details, the authority has no capability to track them down.

Meanwhile, we along with the rest of the world are inching closer and closer to the threats and inevitable dangers of technology without regulations. As a nation we are far more excited about 5G starting in Pakistan, and not nearly concerned enough about the repercussions that such technology, along with the overarching role of Artificial Intelligence is going to have on our lives in absence of proper legal and technical controls.

The National Incubation Center (NIC) Islamabad hosted a conference on Cyber Security with officials from National Information technology Board, Ministry of Information Technology & Telecom, and Trillium Information Security System in attendance. This was one effort to sensitize people on the myriad number of issues that we face as a country, and as individuals. Profit decided to document the discussion in layman’s terms, and also consult some more Pakistani and foreign experts on the newer forms of technology and do a series of stories on the invisible and mammoth hazard looming over us. 

“All state of the art tech is useless without security. I have worked with several governments and spending on security has increased by many folds in the last five years. The US alone spends more than $20 billion on cyber security” said Shabahat Ali Shah, the CEO of NITB.

Cyber security is not limited to technology. It also involved the mechanisms of how access is granted to different stakeholders for usage of any particular technology. He said that it is a misconception even with some governments that installing an antivirus does the entire job of securing sensitive data. “Pakistan’s cyber security ranking on GCI is 84 and I would not be surprised if we deteriorate to 100. We need laws and regulations” he said. “The hackers are smart people. They don’t have an epiphany to intrude. They do as much research [to hack you] as you do [to protect yourself].”

Trillium CEO Mahir Mohsin Sheikh took the stage next to say that advanced targeted attacks are inevitable and they are always successful. 100 percent security is impossible. These attacks are not only effective but also cost-effective. According to the chief executive of Pakistan’s oldest information security company no amount can be said to be enough for cyber security. Of course, he would want things to sound this bleak, but for once it may even be the truth. The only thing for sure, is that fighting back in some way or the other is necessary. 

The problem is that cyber warfare changes the dynamics of international hostilities. More importantly, you do not have to be the state to wage this kind of war – cyber terrorism exists. No two countries need to be at war to conduct cyber attacks, yet they remain one of the key security risks. According to the latest annual report of the World Economic Forum, 36 countries mentioned cyber attacks among the top 3 risks of doing business. 18 of them mentioned it as the top risk factor. 

Cyber security experts explain the cycle through 4 stages: Threats leading to Attacks which lead to Breaches which in turn lead to catastrophic Incidents. This also means that a defensive strategy is required at each of these steps. That translates into Prediction of threats, Prevention of attacks, Responding to breaches, and finally Detecting the eventual fallout. Legislation formed for cyber security, therefore, needs to include methods and ability to analyze threats and mitigate risks, analyze incidents and mitigate consequences, and finally discover the incidents, track its immediate source and understand its nature for future.

Why should you be concerned?

On October 27, 2018, Bank Islami reported an online breach of their system in which the bank lost Rs 2.6 million. In November of the same year, the stolen data went on sale on the black market. 

On February 22, 2019 Moscow-based threat intelligence firm Group-IB reported spotting the sale of nearly 70,000 Pakistani identity cards on the cybercrime marketplace called Joker’s Stash, worth approximately $3.5 million at the time. 

In June 2019, PTA reported the identity theft of nearly 45,000 Pakistani international travelers for the purpose of registering imported mobile phones on DRIBS to avoid payment of customs duty. 

In December 2019, it was reported that biometric machines available with the myriad of retailers for SIM card registrations were faulty and were potentially leaking data.

You ID card floating around somewhere not concerning enough? How about the things in your phone you would not want anyone to see. Consider the leaked videos of celebrities and politicians over social media, hacking of social media accounts of public officials, and blackmailing through such videos. If this is still not enough to worry, then perhaps a look at international scenarios might clear the picture.

In January 2014, in South Korea data from 100 million credit cards was stolen along with 20 million bank accounts. In 2017, a marketing analytics firm, Alteryx, left an unsecured database online that publicly exposed sensitive information for about 123 million U.S. households. 

In 2015, a dating site was attacked where pseudonyms, birth dates, postal codes, and IP addresses of 4 million accounts were made public. In early 2018, Facebook-Cambridge Analytica data scandal revealed that the said company had harvested the personal data of millions of people’s Facebook profiles without their consent and used it for political advertising purposes. 

More recently, the Mueller Report outlined investigations into allegations of Russian interference into the US elections, through social media campaigns and hacking into email accounts owned by volunteers and employees of the losing candidate of 2016 US Presidential elections.

The fact of the matter remains that our lives are changing and becoming increasingly dependent on technology. If you have an air conditioner in your bedroom that you can control through your mobile phone, chances are that anyone with the required skill set will be able to control your AC with your mobile phone as well.

What do the experts say?

The technological world is being run by two countries: a hardware producer – United States of America and a software producer – China. The rest of the globe is just consumers. Put in a crude way, the globe is undergoing a technological colonization of sorts. Information security is now an inevitable part of national security. From atomic codes to national databases, and from the switch of a television to the adjustment of a thermostat, everything around a modern human is engulfed in technology, and therefore is under a very real threat of being hacked and overpowered.

Pakistan is building IT parks, while the rest of the world has already moved on to “Smart cities”. From water supply to banks, and from the stock market to self-driving cars, the world is increasingly moving towards artificial intelligence. There will be no need for bombs anymore. A simple code, overtaking a GPS controlled car can crash it into a crowd of people, stock markets can be hacked, water supply can be stopped, and internet services can be disrupted. The possibilities of chaos and therefore international technological warfare are endless.

An entire regulatory infrastructure is the need of the hour, including a written and enforceable law, bodies and regulators to oversee the implementation of the said law, and governing and judicial bodies to carry out punishments for the violations of the same law. In the absence of a single tier, this chain will render everything useless and the sense of security deficient. Last decade and a half has completely altered life as we know it, so who is to say what will happen in the next decade?

On an individual level, how many of us feel proud when we find an android cable of an off market brand at one-fifth of the price of a branded cable? A quick conversation with a technical expert sitting in MoIT will tell you how these off-brand cables now come with a potential tracker secretly saving a copy of all data you transfer through it. Similarly, how many of us have turned auto updates off on our mobile phones because it consumes too much of our data packages? That is playing right into the hands of those wishing to steal photos, videos, audio messages, and even finger prints of our mobile phones in the absence of the updated protective cover on our smartphones.

While there is only so much an ordinary citizen can do to protect their privacy and digital security in the absence of governmental steps, they are not absolved of the responsibility to keep an eye out for all these dangers hiding in plain sight. On the government side, for starters we can implement the “General Data Protection Regulation (GDPR),” which has been passed and enacted by the European Union and its member states. It lays down what are believed to be the strongest data protection rules yet.

According to a document of recommendations submitted to the parliament by a not-for-profit organization, Media Matters for Democracy, following their set of rules may also be of help until we come around to building a complete infrastructure and working mechanism of controlling and defending against this new and unknown technological takeover.

The Personal Data Protection Bill 2018 should ensure that all its provisions are interpreted in line with the General Data Protection Regulation (GDPR). In addition to this, a specific requirement should be present for the corporations through which they must be obliged to draw up their privacy policy according to the rules laid down in GDPR.

The data collected by government entities i.e such as the data collected by NADRA, is most at risk of being misused as this data falls within the purview of ‘sensitive personal data’. The scope of the bill should be extended to government-controlled, collected and processed data, ensuring protection and legal liabilities for data held by the government entities as much as for commercial entities. There should be a time limit on the retention of data collected on the subjects. The addition of a provision that puts a time-frame of data retention would restrict data controllers from retaining data for indefinite periods. It is our belief that the time frame of data retention should vary for data controllers according to the nature of their activities and the purpose for which the data is being retained in the first place.

All sections of the Personal Data Protection Bill 2018 should have civil liabilities instead of criminal liabilities in order to (a) avoid overlaps with other laws such as the Prevention of Electronic Crimes Act (PECA) 2016, and (b) ensure implementation of the law is warranted on the basis of executable fines as criminal liability would create loopholes in applicability of identified fines.

There are many laws and regulations to mull. But when our entire lives are at stake, all we really can do is try.