Online Tax Profiling: Legal Experts Term It Unconstitutional, In Violation of Right To Privacy

KARACHI: Pakistan’s new tax profiling system has raised widespread fears of data security breaches, with citizens saying sensitive data uploaded on the portal may be misused and legal experts calling it unconstitutional and in violation of the fundamental right to privacy.

The two online portals, unveiled on Friday by the Federal Board of Revenue, hold information regarding the bank accounts, properties, travel history, and other data of at least 53 million Pakistanis, collected from Pakistan’s primary citizenry database, the National Database and Registration Authority (NADRA), Arab News (Pakistan) said in a report.

Salam Sufi, former DG of Strategic Reforms Unit, had criticised the idea on the very day the initiative was launched.

This is the most obnoxious and childish attempt at transparency. You are violating privacy of millions of citizens with this feebly concieved and easily manipulated data access. https://t.co/m7MqxknkdF

— Salman Sufi (@SalmanSufi7) June 21, 2019

A citizen Assad Ahmad, marketing consultant by profession, is one of the perturbed citizens who are worried about the security issues. He complained about week security and said he obtained his data without giving a phone number registered in his name and answering simple questions about family.

Just checked it out. Security is too weak. Should require payment by a card in the name of the payer – as email verification possible if mobile not in taxpayer name. Just got my data without giving a phone number registered in my name and answering simple questions about fam.

— Assad Ahmad (@assadahmad) June 21, 2019

“When over 100 million Pakistani citizens were disclosing their private data to NADRA, the understanding was that NADRA would use it only for issuing them an identity card, and not betray them to the tax-man,” Umer Gilani, a lawyer who campaigns for the protection of privacy, told Arab News.

“NADRA’s decision to merge its database with FBR’s database is unconstitutional. It violates the fundamental right to privacy guaranteed by Article 14 of Pakistan’s Constitution,” he said, adding that Pakistan’s courts had consistently ruled that the right to privacy extended to the privacy of people’s data.

“The concerns are that in the absence of data privacy laws, the data the government is collecting through different sources… where will it be utilised and who is authorized to use it?” Umair Javed, a professor of politics at Lahore University of Management Sciences (LUMS), said.

A draft law for personal data protection is pending legislation since October last year, while the government has launched a huge online portal packed full of accessible citizen data with effectively no data privacy laws in place.

“In case of any security lapse, (there) would be dire consequences,” Badar Khushnood, vice-chairman of the award-winning Pakistan Software Houses Association for IT and ITES ([email protected]), said.

“The law should have been passed before launching the system for the clarity of data privacy,” he said.

Similarly, Dr Ikram ul Haq, a legal and taxation expert, said, “Security review by independent agencies renowned for awarding certifications is missing… There is no guarantee that data would not be misused or abused by the staff with access to it.”

Fears of a massive data leak are not unwarranted. In 2018, a cyber-security services provider, the Pakistan Computer Emergency Response Team (PakCERT), reported 1,340 cases of website defacement and hacker attacks on Pakistani web domains (.pk).

“The .pk domain was attacked all over the world where it is being hosted or operated. The data only shows that websites were attacked and not necessarily reflect that the inside of the organizations’ systems were attacked,” Qazi Mohammad Misbahuddin Ahmed, CEO of PakCERT told Arab News.

There are additional concerns including that it might not take a sophisticated software hacker to break into the system, and that anybody with access to another person’s identity card could get hold of the information by paying an Rs 500 fee.